How to analyze a VMware memory image with Volatility

A very brief post, just a reminder about a very useful Volatility feature.

The process for a VMware machine is simpler than for VirtualBox; it takes just 4 steps:

  1. Suspend the virtual machine
  2. Navigate to the virtual machine’s directory and identify the *.vmem file
  3. Copy the vmem image to your analysis workstation
  4. Finally, use the following Volatility command (the raw2dmp plugin, with -O naming the output file) to convert the memory image to a dump ready for analysis:
$ volatility -f memory_image.vmem -O raw_image --profile=Win8SP0x86 raw2dmp
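The same steps 2 to 4, automated as a small POSIX shell script. This is an added example, not code from the original post or from the Volatility project: the helper names (find_vmem, copy_and_verify, build_raw2dmp_cmd, convert_vmem) are this script's own, and the VM directory, output name and profile are placeholders you supply. It adds one thing a practitioner wants during acquisition that the post does not show: the copy is verified against a SHA-256 hash of the original and the hash is stored beside the copy, so the evidence can be re-verified later. The Volatility invocation itself is the post's own (plugin raw2dmp, output file via -O).

```shell
#!/bin/sh
# Added example (not from the original post): automate steps 2-4 for a
# suspended VMware guest. All paths below are placeholders.
set -eu

# Step 2: list every *.vmem file in the VM directory. A suspended VM keeps
# guest RAM in <vmname>.vmem; snapshots add <vmname>-Snapshot<N>.vmem files,
# so there may be more than one candidate to choose from.
find_vmem() {
    vmdir=$1
    find "$vmdir" -maxdepth 1 -type f -name '*.vmem' | sort
}

# Hash helper: sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 3: copy the image to the analysis workstation and confirm the copy
# matches the original byte-for-byte by comparing SHA-256 hashes. The hash
# is also written next to the copy (<name>.sha256) for later re-verification.
# Prints the hash on success; returns 1 on mismatch.
copy_and_verify() {
    src=$1
    dst=$2
    src_hash=$(sha256_of "$src")
    cp "$src" "$dst"
    dst_hash=$(sha256_of "$dst")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch after copy: $src_hash != $dst_hash" >&2
        return 1
    fi
    printf '%s  %s\n' "$dst_hash" "$(basename "$dst")" > "$dst.sha256"
    echo "$dst_hash"
}

# Step 4: the Volatility 2 conversion command from the post, as a string
# (raw2dmp writes a WinDbg-style crash dump to the file named with -O).
build_raw2dmp_cmd() {
    vmem=$1
    out=$2
    profile=$3
    printf 'volatility -f %s -O %s --profile=%s raw2dmp\n' "$vmem" "$out" "$profile"
}

# Run the conversion only when volatility is installed; otherwise print the
# command so the script can be dry-run on a workstation without it.
convert_vmem() {
    vmem=$1
    out=$2
    profile=$3
    if command -v volatility >/dev/null 2>&1; then
        volatility -f "$vmem" -O "$out" --profile="$profile" raw2dmp
    else
        echo "volatility not found; run manually: $(build_raw2dmp_cmd "$vmem" "$out" "$profile")" >&2
    fi
}

# Usage (placeholder paths; replace with your own):
#   find_vmem /path/to/vm
#   copy_and_verify /path/to/vm/guest.vmem ./case01/guest.vmem
#   convert_vmem ./case01/guest.vmem ./case01/guest.dmp Win8SP0x86
```

Keep the .sha256 file with the case notes; re-running sha256_of on the copy before each analysis session is a cheap way to prove the image has not changed since acquisition.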

Now the memory dump can be analyzed with the usual methods.
