Having recently seen a number of requests on the security and forensic list servers that I participate in asking for recommendations / procedures for copying the disk (VMDK) of a specific Virtual Machine (VM) within a VMware environment for analysis in an incident response, I put together a quick How To in an effort to provide some insight into a few of the methods that I have used.

The Game Has Clearly Changed With Virtualization

Most often the files associated with a given VM are not stored locally on the physical server running ESX or ESXi and the respective VM. It is important to understand that in order to use many of the more powerful features of VMware such as vMotion and DRS, the files for the VMs must reside on shared storage that is reachable from each ESX or ESXi server that needs to interact with it. Hence, when considering the acquisition of the files associated with a given VM, you most often will not have the luxury of simply bringing down the physical server running ESX or ESXi and the respective VM and imaging the local hard drive, as the files in question may not reside there. Further, bringing down the server that is hosting the shared storage for the environment, removing the drives and using your hardware imager to copy the disk(s) will in all likelihood not be an option either, as there could be hundreds of other virtual machines sharing that same storage device for their files that simply cannot be taken down and must remain in production.

As an example, in Figure 1 below we have 5 VMs - SRV01, SRV02, VM03, VM04 and FW01 - all using the shared storage on LABVMFS01. Taking down the shared storage LABVMFS01 for traditional drive imaging is not an option, as it would also bring down the associated VMs, and they need to remain in production.

I typically run VMware vSphere (eval copy available here) on a Windows 2008 x64 VM to provide a portable management tool for the various client environments that I provide services for. Once I have administrative permission from the client to connect to their virtual environment I am able to literally plug right in, create a data center and simply add the specific ESX / ESXi hosts I will need to interact with (Figure 2). Naturally, in order to connect to the hosts I will need to reside on the broadcast domain for the given network, and I will need the administrative credentials for the given hosts that I will need to interact with.

For the example shown in Figure 2 I had created a Data-center called Portable Lab and then simply connected the host ESX01 to my Data-center, which then imported all of the VMs that are associated with ESX01 into my copy of vSphere. With ESX01 now manageable from my copy of vSphere it is simply a matter of selecting ESX01, opening the Maps tab and clicking on the Data-store "LABVMFS01". This brings up the Data-store view, where I select "Browse this Data-store", which opens a Data-store Browser (Figure 3). Once in the Data-store Browser I select the VM SRV02 and the files contained for this VM are displayed (Figure 4). Now it is just a matter of "right clicking" on the VMDK file that I want to "download" from the Data-store and giving it a path to where I want the files downloaded to on my Windows 2008 VM that is running vSphere.
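One pitfall worth automating at this last step: the VMDK you right-click in the Datastore Browser is frequently only a small text descriptor, with the sector data held in a separate "-flat.vmdk" extent and, if snapshots have been taken, in a chain of delta extents whose descriptors name their parent. Copying just the descriptor, or just the newest delta, gives you an incomplete image. The following Python script is an added example and is not code from the original post; it parses constructed sample descriptors (modelled on the standard VMDK descriptor layout, reusing the post's SRV02 name plus hypothetical snapshot files SRV02-000001.vmdk and SRV02-000002.vmdk) and walks the chain to list every file that must be copied, checking that each parentCID matches the parent's CID so that a broken chain is caught before the copy rather than during analysis.

```python
"""List every datastore file needed to acquire one VM disk from its VMDK descriptor.

Added example, not from the original post. Assumes the standard VMDK descriptor
text layout: key=value header lines (CID, parentCID, createType,
parentFileNameHint) and extent lines of the form  RW <sectors> <TYPE> "<file>".
"""
import re
from typing import Dict, List

# Constructed sample descriptors (not copied from any real datastore). The VM
# name SRV02 comes from the post; the snapshot files are hypothetical.
SAMPLE_DATASTORE: Dict[str, str] = {
    # Base disk: descriptor plus one flat extent holding the actual sectors.
    "SRV02.vmdk": """# Disk DescriptorFile
version=1
CID=a1b2c3d4
parentCID=ffffffff
createType="vmfs"
# Extent description
RW 41943040 VMFS "SRV02-flat.vmdk"
# The Disk Data Base
ddb.adapterType = "lsilogic"
""",
    # First snapshot: sparse delta whose parent is the base disk.
    "SRV02-000001.vmdk": """# Disk DescriptorFile
version=1
CID=e5f60718
parentCID=a1b2c3d4
createType="vmfsSparse"
parentFileNameHint="SRV02.vmdk"
# Extent description
RW 41943040 VMFSSPARSE "SRV02-000001-delta.vmdk"
""",
    # Second snapshot whose parentCID does not match its parent's CID: the
    # kind of inconsistency that should stop an acquisition up front.
    "SRV02-000002.vmdk": """# Disk DescriptorFile
version=1
CID=0badcafe
parentCID=deadbeef
createType="vmfsSparse"
parentFileNameHint="SRV02-000001.vmdk"
# Extent description
RW 41943040 VMFSSPARSE "SRV02-000002-delta.vmdk"
""",
}

NO_PARENT = "ffffffff"  # parentCID value used for a base disk with no parent
SECTOR_BYTES = 512
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+([A-Z]+)\s+"([^"]+)"')


def parse_descriptor(text: str) -> dict:
    """Split a descriptor into header fields and extent entries."""
    fields: Dict[str, str] = {}
    extents: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            extents.append({"access": m.group(1), "sectors": int(m.group(2)),
                            "type": m.group(3), "file": m.group(4)})
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return {"fields": fields, "extents": extents}


def extent_sizes(desc: dict) -> Dict[str, int]:
    """Expected byte size of each non-sparse extent, to compare with the copied file."""
    return {e["file"]: e["sectors"] * SECTOR_BYTES
            for e in desc["extents"] if "SPARSE" not in e["type"]}


def acquisition_set(datastore: Dict[str, str], start: str) -> List[str]:
    """Files needed to reconstruct `start`, newest descriptor first, down to the base.

    Raises ValueError on a broken chain (CID mismatch, loop, parentCID without a
    parentFileNameHint) and FileNotFoundError when a descriptor is missing.
    """
    files: List[str] = []
    seen = set()
    name = start
    expected_cid = None  # CID the child's parentCID said this descriptor must have
    while name:
        if name in seen:
            raise ValueError(f"snapshot chain loops at {name}")
        seen.add(name)
        if name not in datastore:
            raise FileNotFoundError(name)
        desc = parse_descriptor(datastore[name])
        f = desc["fields"]
        cid = f.get("CID", "").lower()
        if expected_cid is not None and cid != expected_cid:
            raise ValueError(f"{name}: CID {cid} != child's parentCID {expected_cid}")
        files.append(name)
        files.extend(e["file"] for e in desc["extents"])
        parent = f.get("parentFileNameHint")
        parent_cid = f.get("parentCID", NO_PARENT).lower()
        if parent is None and parent_cid != NO_PARENT:
            raise ValueError(f"{name}: parentCID set but no parentFileNameHint")
        expected_cid = parent_cid
        name = parent
    return files


def chain_is_intact(datastore: Dict[str, str], start: str) -> bool:
    """True when every link from `start` down to the base disk checks out."""
    try:
        acquisition_set(datastore, start)
        return True
    except (ValueError, FileNotFoundError):
        return False


if __name__ == "__main__":
    for top in ("SRV02.vmdk", "SRV02-000001.vmdk", "SRV02-000002.vmdk"):
        if chain_is_intact(SAMPLE_DATASTORE, top):
            print(top, "->", acquisition_set(SAMPLE_DATASTORE, top))
        else:
            print(top, "-> chain broken, do not acquire blindly")
```

In practice the dictionary is replaced by the descriptor text you downloaded from the Datastore Browser (descriptors are plain text and small, so pull them first); the list it returns is the set of flat and delta files to download next, and `extent_sizes` gives the byte count each flat file should have once copied, which is worth recording alongside a hash of every acquired file.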