How to analyze a VMware memory image with Volatility

A very brief post, just a reminder about a very useful volatility feature.

The process on a VMware machine is more simple than VirtualBox, just 4 simple steps:

  1. Suspend the virtual machine
  2. Navigate to the virtual machine’s directory and identify the *.vmem file
  3. Copy the vmem image to you analysis workstation 
  4. Finally use the following Volatility command to convert the memory image to a dump ready for analysis:
$ volatility -f memory_image.vmem -O raw_image --profile=Win8SP0x86 raw2dump

Now the memory dump can be analyzed with the usual methods.

Related posts

  1. James Duffy: Demystifying iOS Data Security
  2. iOS forensic acquisition methods
  3. My Weekly RoundUp #131
  4. What’s new in Volatility 3?
  5. Windows Forensics: analysis of Recycle bin artifacts