Abstract
With the growing popularity of virtual machines, forensic investigators face more complicated situations, among which discovering evidence in a virtualized environment is of significant importance. This paper mainly analyzes the .vmem file of VMware Workstation, which stores all of a guest's pseudo-physical memory as an image. The internal structure of the .vmem file is studied and disclosed. Key information about the processes and threads of a suspended virtual machine is revealed. Further investigation into the Windows XP SP3 heap contents is conducted and a proof-of-concept tool is provided. Different methods of obtaining forensic memory images are introduced, with both their advantages and their limits analyzed. We conclude with an outlook.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Song, Z., Jin, B., Sun, Y. (2011). Analysis towards VMEM File of a Suspended Virtual Machine. In: Chen, R. (eds) Intelligent Computing and Information Science. ICICIS 2011. Communications in Computer and Information Science, vol 135. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-18134-4_15
DOI: https://doi.org/10.1007/978-3-642-18134-4_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-18133-7
Online ISBN: 978-3-642-18134-4