VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition, published February 2011 (c) 2011 Pearson Education.
Links to Articles/Interviews about Book
- VMware-Tips: Get your Read On
- TechTarget: Honing your VMware monitoring techniques
- Richatron Blog: Veeam Featured Webinar Book Titles expanded!
More Info about the Author
- Other Papers and Publications
- The Author's Blog
Would like to know good practice regarding ESXi persistent disk – especially with regard to forensics – compared with snapshot-based forensics… your thoughts?
Hello Thomas,
Forensics is not really a question of snapshots or not. The question is what data you wish to get. If you only want ‘INDISK’ data then that can be gotten by powering off the VM (as if you were pulling the plug) and duplicating the virtual disk contents, by mounting it to a read-only disk copying appliance. However, if you want a richer set of data then you also want all the files created with the VM whether they are snapshot, memory, disks, nvram, etc. Then the VM can be recreated, etc. Snapshots can be of use even in this case, but for the ‘INDISK’ case they are not even considered.
When preparing for forensics, where you store each of these files (snapshot, memory, disk, config) is more important than anything. You also need to understand the underlying file system on which these sundry files are written so you can get all the proper information (as is the case for VMFS).
Best regards,
Edward
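The file categories named in the reply above (snapshot, memory, disk, nvram, config) can be inventoried and hashed before analysis. This is an added example, not part of the original reply or the book. It assumes it runs on an analysis workstation against a read-only copy of the VM's directory, and the function names and category labels are illustrative choices.

```python
import hashlib
from pathlib import Path

# VMware file suffixes mapped to the evidence categories named in the reply.
# The category labels are this example's own naming.
CATEGORIES = {
    ".vmdk": "disk",       # virtual disk descriptor and extent files
    ".vmsn": "snapshot",   # snapshot state
    ".vmsd": "snapshot",   # snapshot metadata
    ".vmem": "memory",     # guest memory backing file
    ".nvram": "nvram",     # BIOS/EFI settings
    ".vmx": "config",      # VM configuration
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte disks need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(vm_dir):
    """Return (entries, missing): one entry per file found under vm_dir,
    plus the evidence categories for which no file was present."""
    entries = []
    for path in sorted(Path(vm_dir).rglob("*")):
        if not path.is_file():
            continue
        entries.append({
            "file": str(path.relative_to(vm_dir)),
            "category": CATEGORIES.get(path.suffix.lower(), "other"),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    found = {entry["category"] for entry in entries}
    missing = sorted(set(CATEGORIES.values()) - found)
    return entries, missing

if __name__ == "__main__":
    import sys
    entries, missing = build_manifest(sys.argv[1])
    for e in entries:
        print(f'{e["sha256"]}  {e["size"]:>12}  {e["category"]:<8}  {e["file"]}')
    if missing:
        # An absent category limits what can be recovered, e.g. no memory file
        # leaves only the on-disk data.
        print("no files found for:", ", ".join(missing))
```

A non-empty `missing` list shows which of the files described in the reply were not stored alongside the VM, which is the storage-location question the reply raises.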