[Image Forensics] VMware virtual machine configuration file forensics
In virtual machine forensics the three files that matter most are the .log, .vmdk and .vmem files: between them they hold most of the virtual machine's data and runtime state. —【suy】
Test environment
1. VMware® Workstation 16 Pro (V16.1.2 build-17966106)
2. Microsoft Windows 11 Professional Edition (V22000.282)
3. Virtual machine state: suspended
Introduction to virtual machine files
No. | Name | Content | Remark |
---|---|---|---|
01 | .log | Virtual machine log: records of the VM's debugging and operating state, such as file creation, USB device access, power operations, basic guest OS information, timestamps of user actions, etc. | Log |
02 | .vmdk | Virtual disk file: holds all data written by the guest operating system. | Disk |
03 | .vmem | Virtual machine memory file: a raw image of guest RAM. | Memory |
04 | .vmsd | Snapshot metadata and descriptions: snapshot UID numbers, snapshot file names, snapshot comments, the disk file each snapshot was taken against, the total number of snapshots, etc. Starts at 0 bytes and grows as snapshots are added. | |
05 | .vmsn | Created automatically when a snapshot is taken; used together with the .vmsd file. | Snapshot |
06 | .vmss | Suspended-state information file (exists only while the virtual machine is suspended!). | |
07 | .vmx | Virtual machine hardware and configuration profile. | |
08 | .vmxf | Additional (supplementary) configuration file. | |
09 | .nvram | Stores the virtual machine's BIOS/UEFI state. | |
10 | .lck | Lock directories created dynamically while the VM is powered on. | |
1、log
vmware.log, vmware-0.log, vmware-1.log, etc. record the VMware process's working log for this VM: vmware.log covers the current (or most recent) power-on session and the numbered files are rotated copies of earlier sessions, so together they give a timeline of power-on/off, device connections (USB, CD images) and guest-tools events.
2、vmdk
The virtual disk file; it holds all data the guest operating system writes to its disk. When snapshots exist, the base .vmdk is frozen and later writes go to delta files (VMName-000001.vmdk, VMName-000002.vmdk, ...), so the current disk contents are the base plus the chain of deltas.
3、vmem
The virtual memory file. VMware uses it as the backing store for guest RAM, so it is effectively a raw physical-memory image of the guest and can be loaded directly into memory-analysis tools such as Volatility. Like the host's pagefile.sys (paging file) it contains the operating system's kernel data structures, processes, threads, heap data and other sensitive user data such as typed passwords and chat messages. After the guest is shut down normally the .vmem file is removed; when the virtual machine is suspended the file stays on disk.
In [Virtual Machine - Suspended], the [Virtual Machine Name.vmem] and [Virtual Machine Name.vmss] files appear in pairs.
In [Virtual Machine - Snapshot], the [Virtual Machine Name-SnapshotN.vmem] and [Virtual Machine Name-SnapshotN.vmsn] files appear in pairs.
4、vmsd
Records the snapshot metadata of the virtual machine: for every snapshot, its UID, parent, display name, description and creation time, the .vmsn file it was saved in and the .vmdk disk file(s) it was taken against. It is the index that ties the .vmsn and .vmdk files together.
5、vmsn
Created automatically when a snapshot is taken; it holds the virtual machine's device and configuration state at that point, while the paired .vmem holds the guest memory. There is one .vmsn per snapshot, so the number of these files grows with the number of snapshots; if there are no snapshots, no .vmsn file exists.
6、vmss
Suspended-state information file: it saves the virtual machine's device state so the VM can be resumed (present only while the virtual machine is suspended!).
In [Virtual Machine - Suspended], the [Virtual Machine Name.vmss] file appears together with [Virtual Machine Name.vmem].
7、vmx
The virtual machine's hardware and configuration profile: a plain-text file of key = "value" lines describing the virtual hardware (CPU count, memory size, disk controllers, network adapters, USB), the guest OS type, the display name and the names of the other files (.vmdk, .nvram). It is the place to look to map each .vmdk to its disk controller.
8、vmxf
Supplementary configuration file: an XML auxiliary configuration file kept next to the .vmx; rarely of forensic interest.
9、nvram
Stores the virtual machine's BIOS/UEFI state (firmware settings such as boot order and, for UEFI virtual machines, the NVRAM variable store). Usually of little forensic interest, although the boot order can show whether the VM was booted from an ISO image.
10、lck
When a virtual machine is powered on, VMware creates lock directories whose names end in .lck next to it (for example VMName.vmx.lck and VMName.vmdk.lck), each holding a small lock file that records which host and process own the VM. They stop a second VMware instance from opening the same configuration or disk files and are removed automatically on a clean power-off; after a crash or other abnormal exit they are left behind, which still protects the disk files from being opened twice.
If, on power-on, VMware reports that the virtual machine is already in use and asks you to take ownership, deleting the stale .lck directories normally lets it start. In a forensic setting do not do this on the original evidence: a surviving .lck directory is itself evidence that the VM was running (or crashed) when the files were collected, so record it and work on a copy.
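To make the relationships above concrete, here is an added Python example (not code from the article) that inventories a VM directory, parses the key = "value" format shared by the .vmx and .vmsd files, pairs each snapshot's .vmsn with its .vmem, flags the suspended state (.vmss plus .vmem) and lists leftover .lck directories. The directory, file names and file contents it builds are constructed for the demonstration; the decoding of createTimeHigh/createTimeLow as the two 32-bit halves of a microsecond Unix timestamp is an assumption you should verify against a snapshot whose creation time you know.

```python
"""Triage a VMware Workstation VM directory. Added example, not code from the
article: inventories the file types listed above, parses the key = "value"
syntax of .vmx/.vmsd, pairs snapshot .vmsn/.vmem files, detects the suspended
state (.vmss + .vmem) and stale .lck lock directories. All demo data is constructed."""
import os
import re
import tempfile
from collections import defaultdict

KV_RE = re.compile(r'^([\w.:\-]+)\s*=\s*"(.*)"$')
VM_EXTENSIONS = (".log", ".vmdk", ".vmem", ".vmsd", ".vmsn", ".vmss",
                 ".vmx", ".vmxf", ".nvram", ".lck")

def parse_kv(text):
    """Parse the key = "value" lines used by .vmx and .vmsd files."""
    cfg = {}
    for line in (l.strip() for l in text.splitlines()):
        m = KV_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def vmsd_time(high, low):
    """Assumption: createTimeHigh/Low are the 32-bit halves of a 64-bit
    microsecond Unix timestamp; returns epoch seconds."""
    return ((int(high) << 32) + int(low)) / 1e6

def snapshots_from_vmsd(vmsd):
    """Group snapshotN.* keys of a parsed .vmsd into one dict per snapshot."""
    snaps = defaultdict(dict)
    for key, val in vmsd.items():
        m = re.match(r"snapshot(\d+)\.(.+)", key)
        if m:
            snaps[int(m.group(1))][m.group(2)] = val
    return [snaps[i] for i in sorted(snaps)]

def inventory(vm_dir):
    """Classify every entry in vm_dir and cross-check the relationships the
    article describes: .vmsd -> .vmsn/.vmem pairs, .vmss -> .vmem, .lck dirs."""
    by_type, locks = defaultdict(list), []
    for name in sorted(os.listdir(vm_dir)):
        ext = os.path.splitext(name)[1].lower()
        if ext == ".lck" and os.path.isdir(os.path.join(vm_dir, name)):
            locks.append(name)  # left behind by a running or crashed VM
        elif ext in VM_EXTENSIONS:
            by_type[ext].append(name)
    def read(name):
        with open(os.path.join(vm_dir, name), encoding="utf-8") as f:
            return parse_kv(f.read())
    config = {}
    for vmx in by_type.get(".vmx", []):   # hardware/config profile
        config = read(vmx)
    snapshots = []
    for vmsd in by_type.get(".vmsd", []):  # snapshot index
        for snap in snapshots_from_vmsd(read(vmsd)):
            stem = os.path.splitext(snap.get("filename", ""))[0]
            snap["has_vmem"] = os.path.exists(os.path.join(vm_dir, stem + ".vmem"))
            if "createTimeHigh" in snap and "createTimeLow" in snap:
                snap["created_epoch"] = vmsd_time(snap["createTimeHigh"], snap["createTimeLow"])
            snapshots.append(snap)
    # A .vmss exists only while suspended; its .vmem twin is the guest RAM image.
    suspended = any(os.path.exists(os.path.join(vm_dir, os.path.splitext(v)[0] + ".vmem"))
                    for v in by_type.get(".vmss", []))
    return {"by_type": dict(by_type), "config": config, "snapshots": snapshots,
            "suspended": suspended, "locks": locks}

DEMO_VMX = """\
.encoding = "UTF-8"
displayName = "win11-lab"
memsize = "4096"
scsi0:0.fileName = "win11-lab.vmdk"
usb.present = "TRUE"
"""
DEMO_VMSD = """\
.encoding = "UTF-8"
snapshot0.uid = "1"
snapshot0.filename = "win11-lab-Snapshot1.vmsn"
snapshot0.displayName = "clean install"
snapshot0.createTimeHigh = "380846"
snapshot0.createTimeLow = "3685187584"
snapshot0.disk0.fileName = "win11-lab.vmdk"
snapshot1.uid = "2"
snapshot1.filename = "win11-lab-Snapshot2.vmsn"
snapshot1.displayName = "after run"
snapshot1.disk0.fileName = "win11-lab-000001.vmdk"
snapshot.numSnapshots = "2"
"""

def build_demo_vm():
    """Constructed VM directory: suspended, two snapshots, one stale lock dir."""
    d = tempfile.mkdtemp(prefix="vmlab-")
    files = {"win11-lab.vmx": DEMO_VMX, "win11-lab.vmsd": DEMO_VMSD}
    for empty in ("win11-lab.vmdk", "win11-lab-000001.vmdk", "win11-lab.nvram",
                  "win11-lab.vmss", "win11-lab.vmem", "vmware.log", "vmware-0.log",
                  "win11-lab-Snapshot1.vmsn", "win11-lab-Snapshot1.vmem",
                  "win11-lab-Snapshot2.vmsn", "win11-lab-Snapshot2.vmem"):
        files[empty] = ""
    for name, content in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(content)
    os.makedirs(os.path.join(d, "win11-lab.vmx.lck"))
    return d

if __name__ == "__main__":
    inv = inventory(build_demo_vm())
    print(inv["config"]["displayName"], "suspended:", inv["suspended"],
          "snapshots:", [s["displayName"] for s in inv["snapshots"]], "locks:", inv["locks"])
```

Run the script as-is to see the constructed directory classified; to triage real evidence, point inventory() at a working copy of the VM folder. Every function only reads the files, but running it on a copy keeps the original's timestamps and any surviving .lck directories intact.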
Summary
As evidence collection becomes more and more automated, it is all the more necessary to understand the underlying principles: knowing which file holds which part of the virtual machine's state is what lets you check and interpret what the tools produce.
Item | Date |
---|---|
Start editing date: | November 01, 2021 |
Last edited date: | November 01, 2021 |