Megan needs to conduct a forensic investigation of a virtual machine (VM) hosted in a VMware environment as part of an incident response effort. What is the best way for her to collect the VM?

The best way to capture a virtual machine from a running hypervisor is usually to use the built- in tools to obtain a snapshot of the system. Imaging tools are not typically capable of capturing machine state, and dd is not designed to capture VMs. Removing a server’s drives can be challenging due to possible RAID and other specific server configuration items, and doing so might impact all other running VMs and services on the system.