So this effect makes sense when suspending a VMWare guest _with_ VMWare
Tools installed.
Has anyone done any testing on a guest suspend _without_ Tools
installed? Most of my malware analysis is done on VMWare guests without
tools, and I don't recall seeing any issues with connection artifacts
when examined with Volatility.
Andre'
Andre' M. DiMino
DeepEnd Research
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 07/03/2012 07:49 AM, Stefan Vömel wrote:
Hi everyone,
in prior threads, Michael and Aaron pointed out changes in memory
structures when suspending a virtual machine. I think this is an
important observation and would therefore suggest moving the respective
discussion to a separate thread. I have summarized the relevant passages
below.
----
Michael H. Ligh
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-June/000441.…)
Also, if you're analyzing a memory dump by suspending the VM, that has
significant impact on the lifetime and availability of network
structures. When you suspend/pause a VMware guest, VMware tools runs a
bat script on the guest (I think it's vm-suspend.bat) which forcefully
closes TCP/UDP and frees the IP.
Jesse Bowling
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000470.…)
This was a VMWare 4.1 virtual machine that was paused, and the vmss file
copied out.
Much later I heard referenced that pausing the virtual machine actually
causes a lot of information to be removed from memory due to the way VMWare
prepares the OS to pause... :( (Can you or anyone speak to the truth-iness
of this?)
Aaron Walters
(http://lists.volatilityfoundation.org/pipermail/vol-users/2012-July/000473.…)
This is definitely something to take into consideration with this particular
acquisition method. I think you are referring to a comment that MHL made
previously about vmware tools. A similar thing happens when people
attempt to use hibernation files. Intuitively, what does it mean to resume
a network connection that disappeared hours, if not days, earlier? In some
instances, it is possible to still extract associated artifacts from
unallocated regions, a technique most debuggers don't handle very well.
----
Last year, I wrote a survey article about memory acquisition and
analysis techniques
(http://www.sciencedirect.com/science/article/pii/S1742287611000508) and
stated in a short section about virtual machines that, by suspending a
system, a memory snapshot with a high level of atomicity and correctness
could be produced. With respect to the issues raised by Michael, this
statement is maybe a bit too optimistic now?!
I have recently done a lot of research in the area of memory
acquisition, specifically with regard to software-based utilities. We
have tried to formalize criteria for sound memory imaging in a different
paper (http://www.sciencedirect.com/science/article/pii/S1742287612000254)
and I'm currently working on a platform that may help evaluating the
correctness, impact, etc. of a utility more accurately.
As the discussion about virtual machines roughly touches my research
interests, I would like to know if there's any more information on this
topic. Specifically:
- Has anyone ever measured the impact on a memory image when suspending
a system?
- I have briefly looked at the vm-suspend-default.bat file which is
located in the folder of the VMware tools. It just includes an "ipconfig
/release" command, so it appears "only" network-related information
would be affected. Is anyone aware of any other structures that would be
changed/destroyed when going into suspended mode?
- Is the batch script (or similar operations) actually executed every
time a machine is suspended? I have just run a quick Google query on the
file and only saw that its use was optional?
I would very much appreciate it if anyone had some more details on this or
could share some references.
Best regards,
Stefan
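One way to answer Stefan's first question (measuring what a suspend actually costs) is to list the connection records recovered from a baseline image and from an image taken after the VMware suspend, and diff them. The script below is an added example, not code from the thread or from the Volatility project; the column layout it parses is modelled on Volatility 2 `netscan` output, and both listings are constructed sample data, with the post-suspend listing assuming the `ipconfig /release` effect the thread describes (established connections gone, UDP socket rebound to 0.0.0.0).

```python
"""Diff connection artifacts between two memory-image listings.

Hypothetical helper: reports which records from a baseline listing no
longer appear in a listing taken after a VMware guest suspend.
"""
import re
from typing import NamedTuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


# Columns modelled on Volatility 2 netscan: Offset Proto Local Foreign State Pid Owner
LINE_RE = re.compile(
    r"^0x[0-9a-f]+\s+(?P<proto>TCP\w*|UDP\w*)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s+(?P<owner>\S+)"
)


def parse_netscan(text: str) -> set[Conn]:
    """Parse listing text into a set of connection records; skips headers."""
    conns = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank or unparseable line
        conns.add(Conn(m["proto"], m["local"], m["remote"], m["state"] or "", int(m["pid"])))
    return conns


def diff_images(before: str, after: str) -> dict:
    """Return counts plus the records lost between the two listings."""
    b, a = parse_netscan(before), parse_netscan(after)
    lost = b - a
    # Records with a real remote endpoint are the ones an analyst usually misses most.
    with_endpoint = [c for c in lost if c.remote not in ("*:*", "0.0.0.0:0")]
    return {"before": len(b), "after": len(a),
            "lost": sorted(lost), "lost_with_endpoint": sorted(with_endpoint)}


# Constructed sample listings (not real acquisitions).
BEFORE = """\
Offset(P)  Proto  Local Address        Foreign Address     State        Pid  Owner
0x3e0c1a10 TCPv4  192.168.56.101:49170 93.184.216.34:443   ESTABLISHED  1234 iexplore.exe
0x3e0d2b20 TCPv4  0.0.0.0:445          0.0.0.0:0           LISTENING    4    System
0x3e0e3c30 UDPv4  192.168.56.101:137   *:*                              4    System
0x3e0f4d40 TCPv4  192.168.56.101:49171 203.0.113.7:8080    CLOSE_WAIT   2048 svchost.exe
"""
AFTER = """\
Offset(P)  Proto  Local Address        Foreign Address     State        Pid  Owner
0x3e0d2b20 TCPv4  0.0.0.0:445          0.0.0.0:0           LISTENING    4    System
0x3e0e3c30 UDPv4  0.0.0.0:137          *:*                              4    System
"""
```

Running `diff_images(BEFORE, AFTER)` on the samples reports two of the four records lost that carried a remote endpoint, which is the number to compare against a live-acquired image of the same guest.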
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users