This article is a quick exercise and a small introduction to the world of Linux forensics. Below, I perform a series of steps in order to analyze a disk that was obtained from a compromised system running a Red Hat operating system. I start by identifying the file system, mounting the different partitions, and creating a super timeline and a file system timeline. I also take a quick look at the artifacts and then unmount the different partitions. The process of obtaining the disk will be skipped, but here are some old but good notes on how to obtain a disk image from a VMware ESX host. When obtaining the different disk files from the ESX host, you will need the VMDK files. Then you move them to your lab, which could be as simple as your laptop running a VM with the SIFT workstation.
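The workflow described above (convert the VMDK, identify the file system, mount each partition read-only, build a file system timeline and a super timeline, then unmount) as an added shell example. This is not code from the original article; it assumes a SIFT-style lab with Sleuth Kit (mmls, fsstat, fls, mactime), plaso (log2timeline.py, psort.py) and qemu-img installed, and the mmls output embedded below is constructed so the parsing helpers can be exercised without a real image.

```shell
#!/bin/sh
# Added example (not from the original article): triage of a raw disk image
# in a SIFT-style lab. Assumes Sleuth Kit, plaso and qemu-img are available;
# plaso's command-line syntax differs between releases, so check your version.

# Constructed mmls output used to exercise the helpers offline.
# Real output comes from: mmls disk.raw
SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   Linux (0x83)
003:  000:001   0001026048   0041943039   0040916992   Linux Logical Volume Manager (0x8e)
EOF
)

# Sector size from the mmls header line "Units are in 512-byte sectors".
mmls_sector_size() {
    sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p'
}

# Start sector of the mmls entry with the given slot number, e.g. 002.
mmls_start_sector() {
    awk -v slot="$1:" '$1 == slot { print $3 + 0 }'
}

# Byte offset = start sector * sector size; this is what mount -o offset= needs.
byte_offset() {
    echo $(( $1 * $2 ))
}

# Convert the VMDK pulled from the ESX host into a raw image (assumes qemu-img).
vmdk_to_raw() {
    qemu-img convert -f vmdk -O raw "$1" "$2"
}

# Identify the file system of a partition before mounting it ($2 = start sector).
identify_fs() {
    fsstat -o "$2" "$1" | head -n 5
}

# Mount a partition read-only. noload stops ext3/ext4 from replaying the
# journal; noexec keeps anything on the evidence from being executed.
mount_partition() {
    mkdir -p "$3"
    mount -o ro,loop,noexec,noload,offset="$2" "$1" "$3"
}

# File system timeline: bodyfile from fls, rendered as CSV by mactime.
fs_timeline() {
    fls -r -m / -o "$2" "$1" > "$3.body"
    mactime -b "$3.body" -d -y > "$3"
}

# Super timeline with plaso (plaso 2019+ syntax; older releases take the
# storage file as the first positional argument).
super_timeline() {
    log2timeline.py --storage-file "$2" "$1"
    psort.py -o l2tcsv -w "$3" "$2"
}

# End-to-end run, kept in a function so this file can be sourced without
# touching any evidence. Partition slot 002 is the plain Linux partition.
run_triage() {
    image="$1"
    mmls "$image" > mmls.txt
    sector=$(mmls_sector_size < mmls.txt)
    start=$(mmls_start_sector 002 < mmls.txt)
    offset=$(byte_offset "$start" "$sector")
    identify_fs "$image" "$start"
    mount_partition "$image" "$offset" /mnt/evidence/p2
    fs_timeline "$image" "$start" fs_timeline.csv
    super_timeline "$image" plaso.dump supertimeline.csv
    umount /mnt/evidence/p2
}
```

One caveat for Red Hat images: the root file system usually lives inside the LVM partition (slot 003 in the sample), and `mount -o offset=` cannot reach a logical volume. For that partition, expose the image with `losetup -r -P`, activate the volume group with `vgchange -ay`, and point `mount -o ro,noload,noexec`, `fls` and `fsstat` at the resulting `/dev/mapper` device instead of at the image and an offset.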