
We recently had a couple of security events occur, and we immediately took a snapshot of the VM, as we wanted to preserve as much of the data as we could. Now we would like to send it to a 3rd-party forensics team to determine the level of compromise.

My question is: is sending them a copy of the snapshot file sufficient for them to perform a forensic analysis?

What files are required for a VM to be powered on?

Any help with this would be greatly appreciated!

2 Answers


Although I am not really sure which files would be enough to start the VM (the "minimum" file set), if by "snapshot file" you mean the file that is created when you create a snapshot: this is not enough! This is only the incremental change that was made to the virtual disk since the snapshot was created, and without the base disk this file is useless.

Most important to at least start the VM are, as far as I know, the .vmx file (the virtual machine config file) and the .vmdk files (the virtual hard disks, which also include the incremental snapshot files). Since the .vmdk files are the largest files in these folders, and since you definitely need them, I would suggest copying/exporting the whole folder all together. Even the log files could be interesting for analysis, depending on the type of "security events" that occurred.

Tobias
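The practical check behind this answer is whether the folder you are about to hand over contains a complete snapshot chain for every disk the .vmx references, not just the delta file. The script below is an added example written for this page, not code from the answerer or from VMware: it reads the .vmx for the disks it attaches, follows each descriptor's parentFileNameHint down to the base disk, verifies the parentCID/CID links and that every extent (-flat/-delta file) is present, and hashes every file in the folder so the forensics team can verify the hand-off. It assumes ESXi-style text descriptors (vm.vmdk, vm-000001.vmdk) lying beside their extents, with parentFileNameHint values naming files in the same folder; the VM name web01 and the sample descriptor contents are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical helper, not from the original thread. Assumes ESXi-style text
# descriptors beside their -flat/-delta extents, hints naming files in one folder.
VMX_DISK = re.compile(r'^\s*(?:scsi|ide|sata|nvme)\d+:\d+\.fileName\s*=\s*"([^"]+)"', re.I)
DESC_KV = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^"\s]*)"?\s*$')
EXTENT = re.compile(r'^\s*(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"')


def parse_descriptor(path, limit=64 * 1024):
    """(key/value dict, extent files) from a .vmdk descriptor; reads only the head."""
    keys, extents = {}, []
    with open(path, "rb") as fh:
        text = fh.read(limit).decode("latin-1")
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if m := EXTENT.match(line):
            extents.append(m.group(1))
        elif m := DESC_KV.match(line):
            keys[m.group(1)] = m.group(2)
    return keys, extents


def walk_chain(vm_dir, top):
    """Follow parentFileNameHint from the disk the .vmx uses down to the base disk.
    Fails if a link is missing (delta sent without its base) or CIDs disagree."""
    chain, seen, name, want_cid = [], set(), top, None
    while name:
        name = os.path.basename(name)
        if name in seen:
            raise ValueError(f"descriptor loop at {name}")
        seen.add(name)
        path = os.path.join(vm_dir, name)
        if not os.path.exists(path):
            raise FileNotFoundError(f"missing descriptor {name}: snapshot chain is incomplete")
        keys, extents = parse_descriptor(path)
        if want_cid is not None and keys.get("CID") != want_cid:
            raise ValueError(f"{name}: CID {keys.get('CID')} != child's parentCID {want_cid}")
        missing = [e for e in extents if not os.path.exists(os.path.join(vm_dir, e))]
        if missing:
            raise FileNotFoundError(f"{name}: extent(s) missing: {missing}")
        chain.append({"descriptor": name, "cid": keys.get("CID"), "extents": extents})
        want_cid, name = keys.get("parentCID"), keys.get("parentFileNameHint")  # hint absent on base
    return chain


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):  # stream: -flat files are huge
            h.update(block)
    return h.hexdigest()


def build_manifest(vm_dir):
    """Files needed to power on (.vmx + full disk chains) vs. the rest, each with SHA-256."""
    vmx = [f for f in os.listdir(vm_dir) if f.lower().endswith(".vmx")]
    if len(vmx) != 1:
        raise ValueError(f"expected one .vmx in {vm_dir}, found {vmx}")
    with open(os.path.join(vm_dir, vmx[0]), "r", errors="replace") as fh:
        disks = [m.group(1) for m in map(VMX_DISK.match, fh) if m and m.group(1).lower().endswith(".vmdk")]
    required = {vmx[0]}
    for disk in disks:
        for link in walk_chain(vm_dir, disk):
            required.update([link["descriptor"], *link["extents"]])
    extras = sorted(set(os.listdir(vm_dir)) - required)  # .vmsd/.vmsn/.vmss/logs: ship these too
    hashes = {f: sha256_file(os.path.join(vm_dir, f)) for f in sorted(required) + extras}
    return {"required": sorted(required), "extras": extras, "sha256": hashes}


def build_sample_vm(root):
    """Constructed sample, not real evidence: one base disk plus one snapshot."""
    base = 'CID=aaaa1111\nparentCID=ffffffff\ncreateType="vmfs"\nRW 2048 VMFS "web01-flat.vmdk"\n'
    delta = ('CID=bbbb2222\nparentCID=aaaa1111\nparentFileNameHint="web01.vmdk"\n'
             'createType="vmfsSparse"\nRW 2048 VMFSSPARSE "web01-000001-delta.vmdk"\n')
    files = {"web01.vmx": 'scsi0:0.fileName = "web01-000001.vmdk"\nide1:0.fileName = "tools.iso"\n',
             "web01.vmdk": base, "web01-flat.vmdk": b"\x00" * 4096,
             "web01-000001.vmdk": delta, "web01-000001-delta.vmdk": b"\x01" * 1024,
             "web01.vmsd": 'snapshot0.uid = "1"\n', "vmware.log": "constructed log line\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)


def demo(drop_base=False):
    """Run on the sample; drop_base=True simulates sending only the snapshot delta.
    Returns the manifest, or the error message when the chain walk fails."""
    root = tempfile.mkdtemp(prefix="vm-forensics-")
    build_sample_vm(root)
    if drop_base:
        os.remove(os.path.join(root, "web01.vmdk"))
    try:
        return build_manifest(root)
    except FileNotFoundError as exc:
        return str(exc)
```

Point build_manifest at the real VM folder (on ESXi, under /vmfs/volumes/<datastore>/<vm>/), ship everything in required plus extras together with the printed hashes, and hand the hash list to the forensics team out of band. With the base descriptor removed, the walk stops at the first missing link and says so, which is exactly the "snapshot file only" situation the answer warns about. Hosted products (Workstation/Fusion) embed the descriptor in the head of a monolithic sparse file; this parser only reads the first 64 KiB, so the same check is assumed to work there, but that path is not exercised by the sample.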

Not by default, no. Snapshot files are just log files of incremental changes. In the future, what you would want to do is suspend the VM, then copy the .vmss file somewhere on your storage.

Most, if not all, commercial vendors and forensic services have the tools needed to convert a .vmss to a workable memory dump with logging. They won't likely "power the box on", as that would require additional files.

DanMan3395