As part of an incident response effort, Megan has to perform a forensic investigation of a virtual machine (VM) that is hosted on a VMware platform. What would be the MOST effective approach for her to gather the VM?

Typically, the most effective approach to obtain a virtual machine from a running hypervisor is to use the hypervisor's built-in tools to create a snapshot of the system. Imaging tools are generally not capable of capturing the virtual machine's state, and dd is not intended for capturing VMs. Removing a server's drives can be difficult due to specific server configuration items like RAID, and doing so could potentially impact other running VMs and services on the system.