VMWARE Forensic

Resuming Suspended VMware Image

VMware is a company that provides virtualization software for cloud computing. Established in 1998, the California-based company’s virtual machine uses VMware images to run the virtualization environment. Therefore, a VMware image is a PC application, operating system or data that can be virtualized without regard to the hardware that offers resources for processing, data or memory. However, if one wishes to save the current virtual machine state, a VMware image could be suspended. Generally, when one wishes to do additional work in the virtual machine, VMware image is resumed. So as to resume the virtual machine, start the work station and choose the virtual machine that was suspended. On the VMware workstation toolbar, click ‘resume’ button (VMware.com).

From a forensic standpoint, there are several moments when VMware image should be suspended and resumed. One of them is when introducing a new hardware such as ATI Radeon HD 4870 for graphics and gaming. Secondly, one may suspend and resume a VMware image when creating a new virtual machine for instance, when launching new investigations. Further, resuming VMware image depends on the reasons for suspension such as internet connectivity or a problem with the VMware Virtual Network Infrastructure. Lastly, resuming the VMware image could be done after troubleshooting problems with the physical hardware such as installation of drives among others.


After suspending the virtual machine, several changes are bound to occur. If VMEM is added during suspension, there will be a backed up memory after resuming. As a result, there are massive snapshots that back up the guest’s memory. In addition, those files that are supported by VMEM can now open. Notably, there is change in speed. This is because new data has been added, that is the “.vmem” software. If more data is added during suspension, the speed may be slower depending on the size of the data. Further, .vmss file is created. This contains the state of the virtual machine. It is from this file that the virtual machine’s state is restored after resuming.

For forensic computing, the VMware image is ‘patched’ when it is suspended. For instance, one can do away with a password through the Password Bypass function. In other words, one is able authenticate use by all; the password problem is sorted out. After “.vmem” is added, it is possible for the investigator to identify the hooked processes, network connections and active keys of registry. Moreover, a significant change is that the VMEM files become fragmented. As a result, resume from suspend mode is slow.

Another notable or possible change is the difference in which VMware images resume at different rates. Some are likely to take longer than others especially when the machine has active snapshots. This can be dealt with by removing the snapshots or cloning the machine to another which, the latter, will not have the snapshots.

Procedure and Technique of Analyzing Suspended VMware Image

To analyze a suspended VMware image, imaging of hard disk is applied. Through Virtual Forensic Computing (VFC), an analyst is able to investigate a live system or a memory. Through VFC, one is able to trace activity of a malware. This is done by suspending the VMware image, exporting it and analyzing it.

The procedure for above begins by accessing the hard drive through the appropriate VFC interface such as Guest Operating System (Wade, 2011). By generating the necessary VFV VM, the VM files are generated. However, there is a need to ‘resurrect’ the dead drive in the VMware. To do this, the newly generated VMware image is exported to the required destination and a VM launched. The next step deals with by-passing the password such that all users can access the stored information. At this very point, it is possible to reveal or notice the activity of the malware. These include, as mentioned, all network connections, registry keys and hooked processes. From the VMware file, a memory file can be created and saved as “.vmem”. This file can be launched on, for instance, HBGary or Volatility to reveal all the activities of the malware.

Thus the main aspects of VFC are: creating a virtual machine from a forensic image, bypassing password of the user account and rewinding the machine up to a week ago. VFC makes use of Mount Utilities and Player properties of the VMware to recreate images in a very short while. With the use of Mount Image Pro, it is very easy to transform the ‘dead’ or hidden image into its replica that can be analyzed for forensic purposes. The entire process has been referred to as imaging. It is advantageous because there is no need of having the exact software as it existed in the forensic disk’s collection of softwares. Further, the analysis does not have to restore the forensic image or its files to another computer. On the contrary, the analyst uses the cloud. A great advantage for this technique is also the fact that it can be applied for Windows 95 through Windows 7.

Use of VMDK and other VMware Files

Other than disk imaging, other technologies exist as well. Other techniques have been developed on the basis that it is not easy to put down other virtual machines that share storage with the one with forensic information. Through vMotion and DRS, an investigator is able to use, for instance, ESX or ESXi server to acquire the necessary files for investigation (Henry, 2010). By getting permission into the virtual environment of a shared storage, including the drive to be investigated, the analyst is able to get access into the malware. This is done by creating a genuine data center that would enable the investigator to be allowed into a broadcast domain of a particular network. By using server ESX or ESXi, the investigator is able to interact with the necessary hosts and import the required VM’s. The server enables the investigator to browse data store of the associated virtual machines including the forensic one. Since, for instance Windows 8 is already running in vSphere, it is possible to use VMDK to download the data under investigation into the required site. By use of FTK Imager, in a matter of seconds, a forensically significant copy is created in the desired format on the newly introduced USB drive. The VMDK image can be mounted on a local drive through a workstation.

Although this is also an alternative technique, there are a few limitations. According to Henry (2010), the process may be limited in producing a forensically significant image especially if the Graphical User Interface does not support such process. ESXi does not effectively validate a VMDK image. There are cases of ‘unsupported’ components. Moreover, ESXi, when used with BusyBox Linux.

Order now

Related essays