Using virtualization as a source of evidence

Virtualization is not just dangerous and challenging when it comes to forensic investigations, there is also the potential to use virtualization as a tool for gathering forensic evidence. In the following sections, you will see various sources which can lead to the evidence.

Creating forensic copies of RAM content

Normally, creating a copy of a system's RAM contents requires access to the target system, a logon, installing the required tools, and copying the RAM dump to external media. All of these steps are intrusive, that is, they change the state of the system and can be detected by the attacker or his malware. Furthermore, an attacker with administrative privileges may hide portions of the system memory from the memory dumps, for example, by manipulating the memory allocation and protection algorithms.

To overcome the disadvantages of this method, the hypervisor layer can be utilized to get a complete, non-tampered copy of the memory of a virtual system. The following script can be used to create a snapshot including the RAM content of a virtual machine:

#!/usr/bin/env python

from pyVim import connect
from pyVim.task import WaitForTask
from pyVmomi import vim
from datetime import datetime
import sys

def make_snapshot(service, vmname):
    """Creates a snapshot of all virtual machines with the given name"""

    snap_name = 'Memory_Snapshot'
    snap_desc = 'Snapshot for investigation taken at ' + datetime.now().isoformat()

    # enumerate every VM in the inventory and keep those matching the name
    content = service.RetrieveContent()
    vm_view = content.viewManager.CreateContainerView(content.rootFolder,
                                                      [vim.VirtualMachine],
                                                      True)
    vms = [vm for vm in vm_view.view if vm.name == vmname]
    vm_view.Destroy()

    for vm in vms:
        print('Taking snapshot from VM UUID=%s' % vm.summary.config.uuid)
        # memory=True makes vSphere write the RAM of the VM to a .vmem file
        # next to the other snapshot files; quiesce=False avoids touching the
        # guest through VMware Tools
        task = vm.CreateSnapshot_Task(name=snap_name,
                                      description=snap_desc,
                                      memory=True,
                                      quiesce=False)
        # the snapshot is created asynchronously; wait until it is complete
        WaitForTask(task)
        print('Done.')


if __name__ == '__main__':
    if len(sys.argv) < 6:
        print('Usage: %s host user password port vmname' % sys.argv[0])
        sys.exit(1)

    service = connect.SmartConnect(host=sys.argv[1],
                                   user=sys.argv[2],
                                   pwd=sys.argv[3],
                                   port=int(sys.argv[4]))

    make_snapshot(service, sys.argv[5])
    connect.Disconnect(service)

This script searches for virtual machines with the specified name and creates a snapshot. The memory=True parameter causes vSphere to write the RAM contents of the virtual machine to the datastore along with the other snapshot data files.

These RAM dumps reside in the directory of the virtual machine. The enumeration script in this chapter shows the path to this directory. Additionally, the vSphere Client allows browsing and downloading the datastore of the virtual machine.

The RAM contents are stored in a file with the .vmem extension, for example, EvesMachine-Snapshot2.vmem.

Using snapshots as disk images

For physical systems, creating a forensic disk image usually involves taking the system offline, shutting it down, removing the hard drive, and copying it. Obviously, the system is not operational during this procedure and, as a consequence, business owners are very reluctant to grant such downtime on the basis of a vague suspicion of a possible compromise.

On the other hand, the creation of a snapshot of a virtual machine results in basically no downtime but the result is a forensically sound disk image of the virtual asset.

Tip

Always check whether a system is virtual!

As the creation of forensic data is much easier for virtual systems than for physical systems, one of the very first steps in a forensic investigation should be checking whether the target system is virtual.

The creation of the snapshot is identical to the script in the previous section. For VMware vSphere 5, all the files have to be copied from the datastore directory of the hypervisor to get a complete dump of the hard drives. If the virtual system is still running, some files may not get copied as the hypervisor will not allow read access while these files are in use. Typically, this is not a problem as these files are only needed by the snapshot, that is, all the changes since the creation of the snapshot are stored in special snapshot files.

In VMware vSphere 6, the snapshot mechanism has been changed. Instead of writing disk changes in the snapshot files, the changes made after snapshot creation are directly written to the files that represent the virtual hard drives. The snapshot files are used to preserve the original contents of the disk drives (copy-on-write behavior).

Therefore, in a VMware vSphere 6 environment, all entries of the directory of the virtual machine have to be copied to obtain a complete disk image.

For the forensic analysis, the captured disk images can be connected to a virtual forensic workstation. There, these images can be treated like any other physical hard drive. Of course, the original copies must remain intact in order to provide forensic soundness.
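The following script is an added example and not part of the book or of VMware's tooling. It shows one way to keep the copied VM directory forensically sound: every file is classified by its VMware suffix (the classification table is my own, built from the standard file names such as .vmem, .vmsn, -delta.vmdk and -flat.vmdk), hashed with SHA-256, and recorded in a manifest that can later be re-verified before the images are attached to the forensic workstation.

```python
#!/usr/bin/env python3
"""Inventory and hash a copied VMware VM directory before analysis (added example)."""
import hashlib
import os
import re

# Roles of the files found in a VM directory, matched in order. This is a
# constructed mapping of common VMware file suffixes, not from the book.
ROLE_PATTERNS = [
    (re.compile(r'-flat\.vmdk$', re.I), 'base disk extent'),
    (re.compile(r'-delta\.vmdk$', re.I),
     'snapshot disk extent (changes in vSphere 5, preserved blocks in vSphere 6)'),
    (re.compile(r'-\d{6}\.vmdk$', re.I), 'snapshot disk descriptor'),
    (re.compile(r'\.vmdk$', re.I), 'base disk descriptor'),
    (re.compile(r'\.vmem$', re.I), 'RAM contents of a memory snapshot'),
    (re.compile(r'\.vmsn$', re.I), 'snapshot state'),
    (re.compile(r'\.vmsd$', re.I), 'snapshot metadata'),
    (re.compile(r'\.vmx$', re.I), 'VM configuration'),
    (re.compile(r'\.nvram$', re.I), 'firmware settings'),
    (re.compile(r'\.log$', re.I), 'VM log'),
]

def classify(filename):
    """Return the forensic role of a file in the VM directory."""
    for pattern, role in ROLE_PATTERNS:
        if pattern.search(filename):
            return role
    return 'other'

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a (possibly very large) file in chunks."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(directory):
    """Record size, role and SHA-256 of every file below the copied directory."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory)
            manifest[rel] = {
                'size': os.path.getsize(path),
                'role': classify(name),
                'sha256': sha256_file(path),
            }
    return manifest

def verify_manifest(directory, manifest):
    """Re-hash the directory; return the names that are missing or changed."""
    problems = []
    for rel, entry in sorted(manifest.items()):
        path = os.path.join(directory, rel)
        if not os.path.isfile(path):
            problems.append(rel)
        elif (os.path.getsize(path) != entry['size']
              or sha256_file(path) != entry['sha256']):
            problems.append(rel)
    return problems

def manifest_lines(manifest):
    """Format the manifest as text, one line per file, for the case file."""
    return ['%s  %d  %s  %s' % (e['sha256'], e['size'], e['role'], rel)
            for rel, e in sorted(manifest.items())]

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 2:
        sys.exit('Usage: %s vm_directory' % sys.argv[0])
    for line in manifest_lines(build_manifest(sys.argv[1])):
        print(line)
```

Run it once directly after the copy from the datastore and store the output with the case notes; running verify_manifest on the working copy later tells you whether any image was altered, for example by a forensic workstation that mounted a .vmdk read-write.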

Capturing network traffic

The virtualization environment not only represents virtual machines and their network interface cards (NICs), but also the virtual network devices that are needed to interconnect these systems. This combination can be used to collect all the network traffic of a virtual network by adding a monitoring port to the virtual switch and connecting a system to it that captures all the network traffic.

Note

If a virtual system in VMware vSphere is allowed to switch a NIC into a promiscuous mode, then this will automatically turn the corresponding switch port into the monitoring mode.

Furthermore, the enterprise editions of VMware vSphere provide an advanced version of a virtual switch called vSphere Distributed Switch (VDS). This switch can act more like a physical switch and provide mirroring of selected ports to a defined port for the traffic analysis. In addition, this switch is also capable of providing NetFlow logs to a defined port.

For the standard virtual switch, the following steps are required in order to monitor the network traffic:

  • Create a new port group on this switch to monitor. While this is not strictly required, it is highly recommended. Without a dedicated port group to monitor, all virtual systems on the switch would be allowed to monitor all the traffic of the switch.
  • Modify the Security settings of this port group and change the Promiscuous mode to Accept.
  • Configure the network card of the virtual capture system to the new port group. This system can now capture all the network traffic of this switch.

The exact steps may differ between virtual switch types and their versions. Nevertheless, the core message is that virtualization environments ease the task of capturing network traffic. Moreover, physical and virtual switches behave differently; for example, a virtual switch can react to configuration changes of the connected network cards, such as a NIC being switched into promiscuous mode.
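The following script is an added example and not part of the book or of VMware's tooling. It combines the three steps above with the check they imply: create_capture_portgroup adds a dedicated port group with promiscuous mode set to Accept (assumed pyVmomi names: vim.host.PortGroup.Specification, vim.host.NetworkPolicy.SecurityPolicy and networkSystem.AddPortGroup), collect_portgroups reads the effective settings of all port groups of an ESXi host (assumed attributes: host.config.network.portgroup with spec, computedPolicy and port), and audit_portgroups works on plain dictionaries so it can be run offline against the constructed SAMPLE_PORTGROUPS to flag port groups where more systems than the capture VM would be able to read all traffic of the switch.

```python
#!/usr/bin/env python3
"""Set up and audit promiscuous port groups on a vSphere standard switch (added example)."""

def audit_portgroups(portgroups, capture_portgroup=None):
    """Each port group is a dict with 'name', 'vswitch', 'allow_promiscuous'
    (effective setting) and 'vm_ports' (number of VM NICs attached).
    Returns (severity, port group name, message) tuples."""
    findings = []
    for pg in portgroups:
        if not pg['allow_promiscuous']:
            continue
        if pg['name'] == capture_portgroup:
            if pg['vm_ports'] > 1:
                findings.append(('warning', pg['name'],
                                 'capture port group has %d VM NICs attached; '
                                 'only the capture system should be connected'
                                 % pg['vm_ports']))
            else:
                findings.append(('info', pg['name'],
                                 'dedicated capture port group, promiscuous mode '
                                 'accepted as intended'))
        else:
            findings.append(('high', pg['name'],
                             'promiscuous mode accepted on %s; every VM in this '
                             'port group can read all traffic of the switch'
                             % pg['vswitch']))
    return findings

def collect_portgroups(host):
    """Read the effective port group security settings of an ESXi host
    (vim.HostSystem). Attribute names are assumed from the pyVmomi object model."""
    result = []
    for pg in host.config.network.portgroup:
        result.append({
            'name': pg.spec.name,
            'vswitch': pg.spec.vswitchName,
            'allow_promiscuous': bool(pg.computedPolicy.security.allowPromiscuous),
            'vm_ports': sum(1 for p in (pg.port or []) if p.type == 'virtualMachine'),
        })
    return result

def create_capture_portgroup(host, vswitch_name, name, vlan_id=0):
    """Steps 1 and 2 of the text: add a dedicated port group to the standard
    vSwitch with promiscuous mode set to Accept. Other security settings are
    left unset so they inherit from the vSwitch. Step 3 (moving the capture
    VM's NIC into the port group) is a VM reconfiguration and is not shown."""
    from pyVmomi import vim  # imported here so the audit runs without pyVmomi
    security = vim.host.NetworkPolicy.SecurityPolicy(allowPromiscuous=True)
    spec = vim.host.PortGroup.Specification(
        name=name, vlanId=vlan_id, vswitchName=vswitch_name,
        policy=vim.host.NetworkPolicy(security=security))
    host.configManager.networkSystem.AddPortGroup(portgrp=spec)

# Constructed sample data standing in for the output of collect_portgroups().
SAMPLE_PORTGROUPS = [
    {'name': 'VM Network', 'vswitch': 'vSwitch0', 'allow_promiscuous': False, 'vm_ports': 12},
    {'name': 'Forensic Capture', 'vswitch': 'vSwitch0', 'allow_promiscuous': True, 'vm_ports': 1},
    {'name': 'DMZ', 'vswitch': 'vSwitch1', 'allow_promiscuous': True, 'vm_ports': 5},
]

if __name__ == '__main__':
    for severity, name, message in audit_portgroups(SAMPLE_PORTGROUPS, 'Forensic Capture'):
        print('[%s] %s: %s' % (severity.upper(), name, message))
```

Against a live host, pass the result of collect_portgroups(host) to audit_portgroups with the name of the port group created for the capture system; any 'high' finding is a port group in which every connected virtual machine, not only the capture system, could observe the switch's traffic.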

In the next chapter, we will see how to generate and analyze this captured network traffic.
