Hello,
I was reading a little about analysing memory, and saw a reference to VMware's .vmem file. The literature didn't really say if the .vmem file was useful in analysing memory or if it's the same as the actual memory that would be extracted from a Unix or Windows system.
Does anyone know or have you had experience in this?
Thanks
Jake,
What were you reading?
My own Perl scripts work very well with .vmem files from Windows 2000 VMs, and Volatility works with the file from XP SP2 & 3 systems.
I understand that, with Workstation, memory generated by the VM is not necessarily restricted to the VM's memory, but that the host's RAM may contain data generated by the guest. I haven't tested this, but was so advised by one of the VMware Forum's senior users. He added that there are settings in ESX that can restrict VM RAM to the guest. All of this relates to Windows guests. If someone has more empirical information, please let me know.
Thanks for the info. Keydet89, it was actually your book Windows Forensic Analysis, but I misread it. I was reading where you were discussing suspending VMware, then parsing .vmem. Where I misread it was when you were discussing the other products and mentioned that the OTHER products have not been tested.
Thanks.
Jake,
The .vmem file is essentially a very similar format as using mdd or dd to dump RAM from a live system…and the available tools do the same things. My scripts for Windows 2000 will parse .vmem files from that platform/OS, and Volatility will work equally well on XP SP2 & 3 dumps/.vmem files.
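The point above, that a .vmem is handled exactly like a dd/mdd dump, can be shown with a small scan. This is an added example, not code from the thread or from the poster's Perl scripts: it treats the file as a flat raw image (file offset equals physical address) and looks for 8-byte-aligned pool headers tagged "Proc", which is the XP-era way of locating process objects without any file-format parsing. The 32-bit _POOL_HEADER layout and the sample image are assumptions built inline.

```python
import struct

# Pool tag the Windows kernel stamps on the allocation holding an EPROCESS
# object ("Proc" in ASCII). Layout assumed here is the 32-bit XP-era
# _POOL_HEADER: 8 bytes, 8-byte aligned, tag in the last 4 bytes.
PROC_TAG = b"Proc"
POOL_HEADER_SIZE = 8

def parse_pool_header(image, offset):
    """Decode the 32-bit bitfield word of a _POOL_HEADER at `offset`.

    Returns (previous_size_bytes, block_size_bytes, pool_type). Sizes are
    stored in 8-byte units in the header, so they are multiplied back out.
    """
    word, = struct.unpack_from("<I", image, offset)
    previous_size = (word & 0x1FF) * 8
    block_size = ((word >> 16) & 0x1FF) * 8
    pool_type = word >> 25
    return previous_size, block_size, pool_type

def scan_proc_pool_headers(image, tag=PROC_TAG):
    """Walk a flat RAM image and return (header_offset, block_size) for every
    8-byte-aligned pool header carrying `tag`.

    A .vmem, like a dd/mdd dump, is headerless raw memory, so the same scan
    applies unchanged and no container format has to be stripped first.
    """
    hits = []
    pos = image.find(tag)
    while pos != -1:
        # The tag occupies bytes 4..7 of an 8-byte-aligned header, so a real
        # hit sits at offset 4 mod 8; any other match is just stray text.
        if pos % POOL_HEADER_SIZE == 4:
            header = pos - 4
            _, block_size, _ = parse_pool_header(image, header)
            if block_size > POOL_HEADER_SIZE:  # a block holding only its header is bogus
                hits.append((header, block_size))
        pos = image.find(tag, pos + 1)
    return hits

def build_sample_image():
    """Constructed 4 KiB image: one plausible Proc pool header at 0x100 plus
    a stray, misaligned 'Proc' string at 0x203 that the scan must ignore."""
    image = bytearray(4096)
    block_units, prev_units = 0x4E, 0x04   # constructed sizes, in 8-byte units
    struct.pack_into("<I", image, 0x100, (block_units << 16) | prev_units)
    image[0x104:0x108] = PROC_TAG
    image[0x203:0x207] = PROC_TAG
    return bytes(image)
```

On a real .vmem you would pass the file contents instead of build_sample_image() and then validate each hit by parsing the object that follows the header, as a tool like Volatility does.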