More Thoughts on Forensics
I mentioned in my last blog that it would be handy to get a copy of all of the VM's data files, since they include its memory files.
The best way to preserve these files is to power off the VM abruptly, as if you were pulling the plug on a physical machine. There are several ways to accomplish this.
The first is to pull the power on the entire ESX server. Not always desirable, but it is done from time to time.
The other, more appropriate, way is to kill the process running the VM; however, that is quite a bit of trouble. You first have to find the VMID of the VM, then find its parent VMID, and finally kill the VM within the vmkernel. This is done as follows:
# VMID from the vm-support listing (replace VMName with the VM's display name):
# field 1 is "vmid=<n>", so split on "=" to keep the number
VMID=`/usr/bin/vm-support -x | grep VMName | awk '{print $1}' | awk -F= '{print $2}'`
# Column 21 of cpu/status holds the vmkernel group "vm.<worldid>"; drop the header line, keep the number
KVMID=`awk '{print $21}' /proc/vmware/vm/$VMID/cpu/status | grep -v group | awk -F\. '{print $2}'`
# Send signal 19 to the VM's world through the vmkernel to halt it
/usr/lib/vmware/bin/vmkload_app -k 19 $KVMID
These steps kill the VM while leaving its virtual swap file intact. If the VM had to swap to disk, that data is now there for you to use in your investigation.
Bear in mind, however, that this file only holds data if the VM actually swapped; it is not always used.
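Once the VM is stopped, the next step is copying its files without altering them. The following added example (not from the original post) copies a VM directory to an evidence location and records SHA-256 hashes in a manifest so the acquisition can be re-verified later; the directory paths are assumptions supplied by the caller, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example: preserve a stopped VM's files (.vmx, .vmdk, .vswp, .nvram, logs)
# with a verifiable hash manifest. Paths are constructed by the caller.

acquire_vm_files() {
    src_dir="$1"    # e.g. /vmfs/volumes/datastore1/VMName (constructed path)
    dest_dir="$2"   # evidence location, ideally on separate storage
    mkdir -p "$dest_dir" || return 1
    manifest="$dest_dir/manifest.sha256"
    : > "$manifest"
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # cp -p keeps the original timestamps, which are evidence in themselves
        cp -p "$f" "$dest_dir/$name" || return 1
        src_hash=$(sha256sum "$f" | awk '{print $1}')
        dst_hash=$(sha256sum "$dest_dir/$name" | awk '{print $1}')
        # A mismatch means the source changed mid-copy (VM not really stopped?)
        # or the copy is corrupt; abort rather than keep a bad acquisition.
        if [ "$src_hash" != "$dst_hash" ]; then
            echo "hash mismatch on $name" >&2
            return 2
        fi
        printf '%s  %s\n' "$src_hash" "$name" >> "$manifest"
    done
    # Make the evidence copies read-only so later analysis cannot alter them
    chmod a-w "$dest_dir"/*
    return 0
}

# Re-check an acquired directory against its manifest; non-zero on any change
verify_vm_files() {
    dest_dir="$1"
    (cd "$dest_dir" && sha256sum -c --quiet manifest.sha256 >/dev/null 2>&1)
}
```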
Pulling the plug, I like it
Pulling the plug, I like it :O The command for killing the guest is very useful. Once again an excellent blog. Keep them coming.
This is a pretty good way to
This is a pretty good way to find the process you need to kill if a VM hangs. If you decide to use the commands Ed posted, just change "VMName" to the actual VM name, then fix the close parentheses at the end of line 1 and add the "$" to the '{print 21}' for line 2, so it looks like '{print $21}'. I just popped that into a "KillVM.sh" script and use it to nix any pesky hung VMs. I also changed the "vmkload_app -k 19" to "vmkload_app -k 9" so it will do a kill -9, which is signal 9 KILL (non-catchable, non-ignorable kill).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/bash
# KillVM script
#
# Usage: killVM.sh   (edit VMName below to match the VM's display name first)
#
# VMID from the vm-support listing: field 1 is "vmid=<n>", so split on "="
VMID=`/usr/bin/vm-support -x | grep VMName | awk '{print $1}' | awk -F= '{print $2}'`
# Column 21 of cpu/status is the vmkernel group "vm.<worldid>"; drop the header line, keep the number
KVMID=`awk '{print $21}' /proc/vmware/vm/$VMID/cpu/status | grep -v group | awk -F\. '{print $2}'`
# Signal 9 (KILL) so the world goes away even if the VM is hung
/usr/lib/vmware/bin/vmkload_app -k 9 $KVMID
Suspend or snapshot a running system to get all the VM's RAM
Hi Edward, If you have the administrative and legal authority to stop a running VM and the willingness to do so in order to capture evidence, then you are better off suspending or taking a snapshot of the running VM, so that a copy of the VM's virtual RAM is committed to a file on disk while the virtual disk images are made read-only at the exact same time.
Then you can capture all the files related to that VM and perform analysis on the virtual disk image and memory image. And if you have acquired the logged-in user's password (analysis, court order, etc.), you could even resume that VM at a later date, as many times as you'd like, to show it as it was when the evidence was captured (in court, for example).