How to analyze a VMware memory image with Volatility

A very brief post, just a reminder about a very useful Volatility feature.

The process for a VMware machine is simpler than for VirtualBox, just 4 simple steps:

  1. Suspend the virtual machine
  2. Navigate to the virtual machine’s directory and identify the *.vmem file
  3. Copy the vmem image to your analysis workstation
  4. Finally, use the following Volatility command to convert the memory image to a dump ready for analysis:

     $ volatility -f memory_image.vmem -O raw_image --profile=Win8SP0x86 raw2dmp

Now the memory dump can be analyzed with the usual methods.
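The four steps above, scripted as an added example (not code from the original post): it locates the .vmem file in the suspended VM's directory, copies it to the analysis workstation while verifying a SHA-256 hash of the copy against the source (so the transfer can be shown not to have altered the evidence), writes a sidecar hash file, and builds the Volatility 2 raw2dmp command from the post. The VM directory, destination path and profile are placeholders; it assumes sha256sum (or shasum) is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: POSIX sh,
# sha256sum or shasum available, paths and profile supplied by the analyst.

# Hash a file with whichever SHA-256 tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 2: list the *.vmem file(s) in the VM directory (one per suspended VM).
find_vmem() {
    find "$1" -maxdepth 1 -type f -name '*.vmem'
}

# Step 3: copy the image and verify the copy's hash matches the source.
# Prints the hash on success and writes it next to the copy; fails otherwise.
acquire_vmem() {
    src="$1"
    dest="$2"
    src_hash=$(hash_file "$src")
    cp "$src" "$dest" || return 1
    dest_hash=$(hash_file "$dest")
    [ "$src_hash" = "$dest_hash" ] || return 1
    printf '%s  %s\n' "$dest_hash" "$dest" > "$dest.sha256"
    echo "$dest_hash"
}

# Step 4: the Volatility 2 command from the post, for the given image,
# output file and profile (returned as a string so it can be reviewed first).
raw2dmp_cmd() {
    printf 'volatility -f %s -O %s --profile=%s raw2dmp\n' "$1" "$2" "$3"
}

# Usage (placeholder paths; run after suspending the VM, step 1):
#   vmem=$(find_vmem /path/to/vm_directory | head -n 1)
#   acquire_vmem "$vmem" ./memory_image.vmem
#   sh -c "$(raw2dmp_cmd memory_image.vmem raw_image Win8SP0x86)"
```

The hash check is the part worth keeping even if the rest is done by hand: a .vmem is large, and a copy that silently truncated or corrupted in transit will still "work" in Volatility while giving wrong answers.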
