More Thoughts on Forensics
I mentioned in my last blog that it would be handy to get a copy of all of the VM's data files, as they contain the memory files.
The best way to preserve these files is to power off the VM as if you were pulling its plug. There are several ways to accomplish this.
The first is to pull the power on the entire ESX server. Not always desirable, but it is done from time to time.
The other, more appropriate, way is to kill the process running the VM, but that takes a bit more work: you first have to find the VMID of the VM, then its parent VMID, and finally kill the VM within the vmkernel. This is achieved by doing:
# 1. Look up the VMID of the VM named VMName in the vm-support world listing
VMID=`/usr/bin/vm-support -x | grep VMName | awk '{print $1}' | awk -F= '{print $2}'`
# 2. Read the parent (vmkernel) VMID from the VM's cpu status entry
KVMID=`cat /proc/vmware/vm/$VMID/cpu/status | awk '{print $1}' | grep -v group | awk -F\. '{print $2}'`
# 3. Kill the VM inside the vmkernel
/usr/lib/vmware/bin/vmkload_app -k 19 $KVMID
These steps will kill the VM while leaving a copy of the virtual swap file on disk. If the VM had to swap to disk, that data is now there for you to use in your investigation.
However, remember that this file is only populated when the VM actually had to swap, so it will not always contain anything of use.
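As an added example (not Ed's code, and not anything shipped with ESX), here are the same two lookups wrapped in small shell functions that read their listing from stdin, so they can be checked against constructed sample output before being run on a host. The function names, the `vmid=<id>  <name>` listing format and the cpu/status column layout are assumptions; the kill is only issued when both lookups actually returned an id.

```shell
#!/bin/sh
# Hypothetical helpers (not from the post) wrapping its two lookups.
# Each reads the listing from stdin so it can be tried on captured text;
# on an ESX host you would feed it the live output, e.g.
#   /usr/bin/vm-support -x | find_vmid VMName
#   cat /proc/vmware/vm/$VMID/cpu/status | find_kvmid 1

# find_vmid NAME: print the vmid of the world whose name is exactly NAME.
# "grep VMName" in the post also matches "VMName2"; comparing the whole
# name field avoids killing the wrong VM during an investigation.
find_vmid() {
    awk -v want="$1" '
        $1 ~ /^vmid=/ && $2 == want { split($1, kv, "="); print kv[2]; exit }'
}

# find_kvmid COL: take column COL of the cpu/status rows (the post uses
# column 1, a commenter on this post column 21; the layout is assumed here),
# skip the header and any "group" row, and return the part after the dot.
find_kvmid() {
    awk -v col="$1" '
        NR == 1 || $col ~ /group/ { next }
        { split($col, p, "."); print p[2]; exit }'
}

# kill_vm NAME VMID KVMID: only call vmkload_app when both lookups succeeded;
# the bare pipeline in the post would run "vmkload_app -k 19" with an
# empty argument if either grep matched nothing.
kill_vm() {
    [ -n "$2" ] && [ -n "$3" ] || { echo "kill_vm: lookup for $1 failed" >&2; return 1; }
    /usr/lib/vmware/bin/vmkload_app -k 19 "$3"
}

# Constructed sample listings (format assumed; check against your host).
SAMPLE_VMSUPPORT='Available worlds to debug:
vmid=1088    VMName2
vmid=1090    VMName'
SAMPLE_STATUS='vcpu      vm   type  name
1090.1091 1090 vmm0  VMName'

# Worked run against the samples (no host needed).
VMID=$(printf '%s\n' "$SAMPLE_VMSUPPORT" | find_vmid VMName)    # 1090
KVMID=$(printf '%s\n' "$SAMPLE_STATUS" | find_kvmid 1)          # 1091
echo "VMID=$VMID KVMID=$KVMID"
```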
Pulling the plug, I like it
Pulling the plug, I like it :O The command for killing the guest is very useful. Once again an excellent blog. Keep them coming.
This is a pretty good way to
This is a pretty good way to find the process you need to kill if a VM hangs. If you decide to use the commands Ed posted, just change "VMName" to the actual VM name, then fix the close parentheses at the end of line 1 and add the "$" to the '{print 21}' for line 2, so it looks like '{print $21}'. I just popped that into a "KillVM.sh" script and use it to nix any pesky hung VMs. I also changed the "vmkload_app -k 19" to "vmkload_app -k 9" so it will do a kill -9, which is signal 9, KILL (non-catchable, non-ignorable kill).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
# KillVM script
#
# Usage: killVM.sh <VMName>
#
VMNAME="${1:?Usage: killVM.sh <VMName>}"
# VMID of the world whose name matches in the vm-support listing
VMID=`/usr/bin/vm-support -x | grep "$VMNAME" | awk '{print $1}' | awk -F= '{print $2}'`
# parent (vmkernel) VMID from the VM's cpu status entry
KVMID=`cat /proc/vmware/vm/$VMID/cpu/status | awk '{print $21}' | grep -v group | awk -F\. '{print $2}'`
# signal 9 (KILL): non-catchable, non-ignorable
/usr/lib/vmware/bin/vmkload_app -k 9 $KVMID