Re: [Vol-users] Windows Server 2008
3 Jul
2012
3 Jul
'12
12:48 a.m.
Jesse,
Much later I head referenced that pausing the virtual
machine actually
causes a lot of information to be removed from memory due to the way
VMWare prepares the OS to pause... :( (Can you or anyone speak to the
truth-iness of this?)
This is definitely something to take in consideration with this particular
acquisition method. I think you are referring to a comment that MHL made
previously about vmware tools. A similar thing happens when people
attempt to use hibernation files. Intuitively, what does it mean to resume
a network connection that disappeared hours, if not days, earlier? In some
instances, it is possible to still extract associated artifacts from
unallocated regions, a technique most debuggers don't handle very well.
...Anytime. Once this damnable lack of power passes,
I'd even offer to
exchange the call for beer-while-I-pick-your-brain. :)
Sounds like a plan. Send me a message off-list. If you have time in
October, you should also make plans to attend OMFW. The whole Vol dev
team and analysts will be in town.
Thanks for the emails!
AW