How to analyze a VMware memory image with Volatility

A very brief post, just a reminder about a very useful volatility feature.

The process on a VMware machine is more simple than VirtualBox, just 4 simple steps:

  1. Suspend the virtual machine
  2. Navigate to the virtual machine’s directory and identify the *.vmem file
  3. Copy the vmem image to you analysis workstation 
  4. Finally use the following Volatility command to convert the memory image to a dump ready for analysis:
$ volatility -f memory_image.vmem -O raw_image --profile=Win8SP0x86 raw2dump

Now the memory dump can be analyzed with the usual methods.

Related posts

  1. What’s new in Volatility 3?
  2. Windows Forensics: analysis of Recycle bin artifacts
  3. How to generate a Volatility profile for a Linux system
  4. OS X forensic acquisition: a basic workflow
  5. Forensic analysis of Windows 10 compressed memory using Volatility