VM Workstation memory dump
Digital forensics and how to dump memory of a VM
I embarked on a digital forensics course that immerses participants in mimicked cyber attacks. This course guided me through an in-depth analysis of the assault using Windows Server 2019 as the analysis server and Windows 10 as the targeted system.
To set up the environment, I configured two Virtual Machines (VMs) and executed a script to compromise the Windows 10 system. As per the course instructions, I then suspended the VM, captured a snapshot, and obtained a memory dump from the host system. The course utilized Oracle VirtualBox and provided commands, but since I had built my environment in VM Workstation Pro, I faced two potential solutions: either reconstructing the setup in VirtualBox or finding a way to perform a memory dump from Workstation Pro. I chose the latter.
After a quick search on Google, I discovered that I needed to use a program called 'vmss2core.exe' for this purpose. However, when I initially attempted to run the program, it did not work. The solution was to add the location of the 'vmss2core.exe' file to the PATH variable in the Windows environment settings.
Once I set the path and rebooted the computer, I successfully created a memory dump using the following command:
vmss2core -W8 "VM_File_Name.vmsn" "VM_File_Name.vmem"
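The same step as a repeatable script, added here as an example and not part of the original post: it checks that the snapshot's .vmsn and .vmem files are both present, passes them to vmss2core as an argument list so no shell quoting is involved, and records SHA-256 hashes of the inputs and of whatever the tool writes. The function names and the file name Win10-Snapshot1 are hypothetical, and the script assumes the two files share a base name, as in the command above.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash an evidence file in 1 MiB blocks so multi-GB dumps fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_dump_command(vm_dir, snapshot_name, tool="vmss2core"):
    """Return the vmss2core argv for one snapshot; fail early if a file is missing.

    `tool` may be a full path to vmss2core.exe (assumption: you know where it
    is installed), which avoids depending on the PATH variable.
    """
    vmsn = Path(vm_dir).resolve() / snapshot_name
    vmem = vmsn.with_suffix(".vmem")  # assumed to share the snapshot's base name
    for p in (vmsn, vmem):
        if not p.is_file():
            raise FileNotFoundError(f"missing snapshot file: {p}")
    return [tool, "-W8", str(vmsn), str(vmem)]

def dump_memory(vm_dir, snapshot_name, out_dir, tool="vmss2core"):
    """Hash the inputs, run vmss2core inside out_dir, hash every new file."""
    cmd = build_dump_command(vm_dir, snapshot_name, tool)
    record = {"command": cmd, "inputs": {p: sha256_file(p) for p in cmd[2:]}}
    before = set(Path(out_dir).iterdir())
    subprocess.run(cmd, cwd=out_dir, check=True)  # argv list: no quoting issues
    created = sorted(set(Path(out_dir).iterdir()) - before)
    record["outputs"] = {str(p): sha256_file(p) for p in created}
    return record

if __name__ == "__main__":
    # Constructed stand-in files; real use points vm_dir at the VM's folder.
    with tempfile.TemporaryDirectory() as d:
        for ext in (".vmsn", ".vmem"):
            (Path(d) / f"Win10-Snapshot1{ext}").write_bytes(b"constructed sample")
        print(build_dump_command(d, "Win10-Snapshot1.vmsn"))
```

Calling `dump_memory` on the host that holds the VM folder returns a record that can be saved next to the dump as an integrity log.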
Overall, this hands-on experience in digital forensics has been incredibly rewarding, and overcoming the challenges along the way has deepened my understanding of the subject. I'm eagerly looking forward to the next stages of the course.

