Improving Microsoft Virtual Server security: Examining the compromised Virtual Server 2005 host

Quoting SearchServerVirtualization

Have you had a Microsoft Virtual Server 2005 security breach? The last article in this series explored virtual machine log file monitoring. This article will walk you through some steps to take before powering down a Virtual Server 2005 host for investigation.

In an ideal world, one would be able to take a perfect snapshot or disk image of a compromised system. This may not always be possible. However, there are some actions that you should probably take before powering down a compromised system.

First, export all of the event logs in case you don't have an archive of them. You could use the "VS2005_evtlogbackup.vbs" script from the previous article to back up the event logs. However, before you do that and clear the event logs, you may want to export the events in an easy-to-read format categorized by event type. This is where the "VS2005_evtcollect.vbs" script comes in. This script will extract the events from a list of computers and output them in five separate HTML files, based on the event type. The script for this section is available for download here.

Then, open up the Virtual Server 2005 Administration page if you can and take a screen capture of the main page so you can view the recent events later. After these two steps have been taken, I would recommend gathering some additional information before shutting down any virtual machines that are running on the host, or the host machine itself.

This additional information can be gathered by using tools from Windows Sysinternals. The list of tools includes "accessenum.exe," "autoruns.exe" (or "autorunsc.exe"), "pendmoves.exe," and "logonsessions.exe." Accessenum.exe is a graphical tool that allows you to view who has access to items within a directory or registry key. When you download it from Windows Sysinternals, just run the executable and choose a directory or registry key to query.

Read the rest of the article here.
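The two pre-shutdown steps the quoted article describes (export the event logs split by event type before anything is cleared, then capture volatile state with the Sysinternals command-line tools) can be done from one PowerShell script. The script below is an added example written for this post; it is not the article's VS2005_evtcollect.vbs, and it is not code from SearchServerVirtualization. It assumes Windows PowerShell with remote event-log (RPC) access to the hosts in $ComputerName, that the Sysinternals tools have been copied to $SysinternalsDir, and that the output paths and host name are placeholders. The autorunsc.exe and logonsessions.exe switches shown are those of current builds of the tools; check them against `tool -?` for the build you actually carry, since older releases differed.

```powershell
# Added example (not from the original article or its scripts): pre-shutdown
# triage of a suspected-compromised Virtual Server 2005 host.
# Step 1 exports the event logs, one HTML file per event type, without clearing them.
# Step 2 runs the Sysinternals command-line tools locally and records what was collected.
param(
    [string[]]$ComputerName    = @($env:COMPUTERNAME),     # assumed: hosts to pull logs from
    [string]$OutDir            = 'C:\IR\vs2005-triage',    # assumed: evidence directory
    [string]$SysinternalsDir   = 'C:\Tools\Sysinternals'   # assumed: where the tools were copied
)

$logNames   = 'Application', 'System', 'Security'
# The five entry types Windows event logs use; one HTML file is written per type.
$entryTypes = 'Error', 'Warning', 'Information', 'SuccessAudit', 'FailureAudit'
$collected  = New-Object System.Collections.ArrayList

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Step 1: export event logs, categorised by event type ---------------------
foreach ($computer in $ComputerName) {
    $hostDir = Join-Path $OutDir $computer
    New-Item -ItemType Directory -Path $hostDir -Force | Out-Null

    # Read every event from the three standard logs. Nothing is cleared here;
    # clearing is only safe once these files have been verified and copied off-host.
    $events = foreach ($log in $logNames) {
        try {
            Get-EventLog -ComputerName $computer -LogName $log |
                Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, EntryType,
                              Source, EventID, UserName, MachineName, Message
        } catch {
            Write-Warning "$computer/$log could not be read: $($_.Exception.Message)"
        }
    }

    foreach ($type in $entryTypes) {
        $subset  = $events | Where-Object { $_.EntryType -eq $type } | Sort-Object TimeGenerated
        $outFile = Join-Path $hostDir "events-$type.html"
        $subset | ConvertTo-Html -Title "$computer $type events" `
                                 -PreContent "<h1>$computer : $type ($(@($subset).Count) events)</h1>" |
            Out-File -FilePath $outFile -Encoding UTF8
        [void]$collected.Add($outFile)
    }

    # Keep a raw CSV as well: the HTML is for reading, the CSV for later filtering.
    $csv = Join-Path $hostDir 'events-all.csv'
    $events | Export-Csv -Path $csv -NoTypeInformation
    [void]$collected.Add($csv)
}

# --- Step 2: volatile state from the Sysinternals command-line tools ----------
# These run on the host itself (they have no remote mode), so run this script
# on the console of the compromised host. accessenum.exe is GUI-only and is
# therefore driven by hand, as the article describes.
$localDir = Join-Path $OutDir $env:COMPUTERNAME
New-Item -ItemType Directory -Path $localDir -Force | Out-Null

$tools = @(
    @{ Exe = 'autorunsc.exe';     Args = '-accepteula -a * -c'; Out = 'autoruns.csv'       }, # all entries, CSV
    @{ Exe = 'pendmoves.exe';     Args = '-accepteula';          Out = 'pendmoves.txt'      }, # pending file moves/deletes at next boot
    @{ Exe = 'logonsessions.exe'; Args = '-accepteula -p';       Out = 'logonsessions.txt'  }  # sessions plus their processes
)
foreach ($t in $tools) {
    $exe = Join-Path $SysinternalsDir $t.Exe
    if (-not (Test-Path $exe)) { Write-Warning "$exe not found; skipping"; continue }
    $outFile = Join-Path $localDir $t.Out
    # Call through cmd.exe so stderr and stdout both land in the evidence file.
    & cmd.exe /c "`"$exe`" $($t.Args) > `"$outFile`" 2>&1"
    [void]$collected.Add($outFile)
}

# --- Manifest: what was collected, when, by whom, and its hash ----------------
# Get-FileHash needs PowerShell 4 or later; on older hosts use certutil -hashfile instead.
$manifest = Join-Path $OutDir 'manifest.txt'
"Collected $(Get-Date -Format o) on $env:COMPUTERNAME by $env:USERDOMAIN\$env:USERNAME" | Out-File $manifest
foreach ($f in $collected) {
    if (Test-Path $f) {
        $h = (Get-FileHash -Algorithm SHA256 -Path $f).Hash
        "$h  $f" | Out-File $manifest -Append
    }
}
Write-Host "Evidence written to $OutDir; copy it off the host before shutting down."
```

Run the script before any virtual machine or the host is powered off, copy $OutDir to your analysis workstation, and only then consider clearing the logs with the backup script from the previous article. The manifest's hashes let you show later that the exported logs were not altered after collection.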

Published Tuesday, March 13, 2007 6:59 AM by David Marshall