Virtual machines

Other systems that incident response analysts should prepare to address are virtual machines. One distinct advantage that virtual systems have over physical systems is their ability to preserve the current state, either by taking a snapshot of the system or simply by pausing it. This allows incident response analysts to copy the virtual machine's files in their entirety to an evidence drive for later analysis. Analysts should hash each component of the virtual machine both before and after the copy to verify the integrity of the evidence.

One key feature of popular virtualization software such as VMware is that the virtual machine uses two files to hold its running memory. The first is the Virtual Memory (VMEM) file, which holds the RAM, or physical memory, of the virtual machine. The second is the VMware Suspended State (VMSS) file, which holds the state information saved when the virtual machine is suspended. Let's take a look at this:

  1. To acquire the running memory from a VMware virtual machine, pause (suspend) the system.
  2. Transfer the VMSS and VMEM files to removable media such as a USB drive. VMware software often includes the Vmss2Core.exe application as part of the installation. This application combines the VMSS and VMEM files into a single .dmp file that can be analyzed with forensic tools; both files are required to create a complete memory capture.
  3. To create the .dmp file, run the following command:
C:\Program Files (x86)\VMware\VMware Workstation>vmss2core.exe suspect.vmss suspect.vmem

From here, the responder will have the necessary .dmp file to conduct analysis.
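As an added example (not from the book, and not a VMware tool), the following Python helper carries out the hash, copy and re-hash step described above for the VMSS/VMEM pair and writes a small manifest to the evidence drive. It assumes Python 3 is available on the acquisition workstation; the directory names, the base name "suspect" and the manifest format are constructed for illustration.

```python
"""Verified copy of a VMware suspended-state memory pair (.vmss + .vmem).

Constructed example: hash each component before and after copying it to the
evidence drive, refuse to continue on mismatch, and record the results.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Both files are required for a complete memory capture.
MEMORY_COMPONENTS = (".vmss", ".vmem")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a multi-GB .vmem need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_vm_memory(vm_dir: Path, base_name: str, evidence_dir: Path) -> dict:
    """Copy <base_name>.vmss and <base_name>.vmem from vm_dir to evidence_dir.

    Each component is hashed before and after the copy; a mismatch or a
    missing component raises RuntimeError. Returns the manifest that was
    written next to the copies (hypothetical JSON layout)."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"vm": base_name, "components": {},
                "acquired_utc": datetime.now(timezone.utc).isoformat()}
    for ext in MEMORY_COMPONENTS:
        src = vm_dir / (base_name + ext)
        if not src.is_file():
            raise RuntimeError(f"missing component {src}: VMSS and VMEM are both required")
        pre = sha256_file(src)              # hash on the source system
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)              # copy2 also preserves timestamps
        post = sha256_file(dst)             # hash on the evidence drive
        if pre != post:
            raise RuntimeError(f"integrity failure on {src.name}: {pre} != {post}")
        manifest["components"][src.name] = {"sha256": pre, "bytes": dst.stat().st_size}
    (evidence_dir / f"{base_name}.manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def vmss2core_command(evidence_dir: Path, base_name: str) -> list:
    """Argument list for the vmss2core.exe step in the text, to be run from
    the VMware Workstation folder once the verified copies are in place."""
    return ["vmss2core.exe", str(evidence_dir / f"{base_name}.vmss"),
            str(evidence_dir / f"{base_name}.vmem")]
```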
