SANS Digital Forensics and Incident Response Blog: Author - Paul Henry

Data Sanitization In The Virtual Realm and Cloud

In virtual realm data storage, while there are several solutions for sanitizing entire hard drives there are limited ways to properly sanitize the files for an individual virtual machine. If you take a virtual machine out of service it does not make sense to literally have to wipe the entire storage array to effectively … Continue reading Data Sanitization In The Virtual Realm and Cloud


Digital Forensics - Automotive Infotainment and Telematics Systems

Paul A. Henry - SeniorSans Instructor - phenry@sans.org MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, GICSP, GCED, GPPA, VCP4/5, VCP-DCV (5.5), vExpert Powerful Features There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 - Source), including … Continue reading Digital Forensics - Automotive Infotainment and Telematics Systems


How To: Forensically Sound Mac Acquisition In Target Mode

Can a Mac hard drive be easily removed for imaging with a forensic hardware imager? It is really a matter of personal opinion, Mac's are an engineering marvel just ask anyone that has had to remove a hard drive from a Mac for forensic imaging and then try to put it back together properly. Depending … Continue reading How To: Forensically Sound Mac Acquisition In Target Mode


How To - Digital Forensic Imaging In VMware ESXi

Paul A. Henry Forensics and Recovery.com Follow me on Twitter

As a follow up to my recent SANS Forensic Blog post "How To - Digital Forensics Copying A VMware VMDK" that provided insight in to making a "GUI tool" based copy of a VMware VMDK, I have put together a How To that addresses creating a forensically sound image of a VMware VMDK on the ESXi console, that is able to provide the "chain of custody" needed in a digital forensics investigation.

Important note: In the simplest of terms a VMDK is an abstraction of a physical disk for a VM contained within a file (VMDK-flat). We are making a bit by bit

...


How To - Digital Forensics Copying A VMware VMDK

Having recently seen a number of requests on the security and forensic list servers that I participate in requesting recommendations / procedures for copying the disk (VMDK) for a specific Virtual Machine (VM) within a VMware environment for analysis in an incident response, I put together a quick How To in effort to provide some insight in to a few of the methods that I have used.

The Game Has Clearly Changed With Virtualization

Most often the files associated with a given VM are not stored locally on the physical server running ESX or ESXi and the respective VM. It is important to understand that in order to use many of the more powerful features of VMware such as vMotion and DRS the files for the VM's must reside on shared storage that is reachable from each ESX or ESXi server that needs to interact with it. Hence, when

...