Virtual machines

Other systems that incident response analysts should prepare to acquire are virtual machines. The one distinct advantage that virtual systems have over physical systems is their ability to preserve the current state, either by taking a snapshot of the system or by simply pausing it. This allows incident response analysts to copy the entire virtual machine file set over to an evidence drive for later analysis. It is recommended that analysts compute a hash of the virtual machine files both before and after the copy to ensure the integrity of the evidence.
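The hash-before-and-after acquisition step described above, as an added example that is not part of the original text: a small Python routine that hashes a virtual machine file, copies it to an evidence location, re-hashes the copy, refuses to proceed if the two digests differ, and writes a sidecar digest file so the value travels with the evidence. The file name `suspect.vmem`, the directory layout and the file contents are constructed for the demonstration; in practice the same routine would be run over every file in the virtual machine's folder (disk images, the memory file and the configuration files).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# VM disk and memory files are large; hash in fixed-size chunks rather
# than reading the whole file into memory.
CHUNK_SIZE = 1024 * 1024


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_vm_artifact(src, dest_dir):
    """Hash src, copy it into dest_dir, re-hash the copy and compare.

    Returns an acquisition record; raises RuntimeError when the copy
    does not match the source, so a bad copy is never kept as evidence.
    """
    src = Path(src)
    dest = Path(dest_dir) / src.name
    pre_hash = sha256_file(src)            # hash of the original file
    shutil.copy2(src, dest)                # copy, preserving timestamps
    post_hash = sha256_file(dest)          # hash of the evidence copy
    if pre_hash != post_hash:
        dest.unlink(missing_ok=True)       # do not keep a corrupt copy
        raise RuntimeError(f"hash mismatch for {src.name}: {pre_hash} != {post_hash}")
    # Sidecar file in the common "<digest>  <name>" format used by sha256sum
    sidecar = dest.with_suffix(dest.suffix + ".sha256")
    sidecar.write_text(f"{post_hash}  {dest.name}\n")
    return {
        "source": str(src),
        "evidence": str(dest),
        "sha256": post_hash,
        "verified": True,
    }


def verify_evidence(evidence_path):
    """Re-hash an evidence file and compare it with its sidecar digest.

    Used later in the case to show the copy has not changed since acquisition.
    """
    evidence_path = Path(evidence_path)
    sidecar = evidence_path.with_suffix(evidence_path.suffix + ".sha256")
    recorded = sidecar.read_text().split()[0]
    return sha256_file(evidence_path) == recorded


def demo():
    """Constructed sample: a tiny fake .vmem file acquired into a temp evidence dir."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp) / "vm"
        evidence_dir = Path(tmp) / "evidence"
        vm_dir.mkdir()
        evidence_dir.mkdir()
        sample = vm_dir / "suspect.vmem"          # constructed file name
        sample.write_bytes(b"abc")                # constructed contents
        record = acquire_vm_artifact(sample, evidence_dir)
        still_intact = verify_evidence(record["evidence"])
        return record, still_intact


if __name__ == "__main__":
    rec, ok = demo()
    print(rec["evidence"], rec["sha256"], "re-verified:", ok)
```

Keeping the digest in a sidecar next to the copy, rather than only in a notebook, makes the later `verify_evidence` check repeatable by anyone handling the case.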

One key feature of popular virtualization software such as VMware is that the virtual machine's folder contains a file with the extension .vmem. This file is the virtual memory file ...
