With the increased demand for memory forensics, and more people using Windows Hyper-V as a hypervisor, it’s critical that the DFIR community follows a proper triage process. Much as ESXi stores a .vmss file for each virtual machine’s memory, Hyper-V stores it in a .bin and a .vsv file; however, it is currently not as simple to perform memory analysis on these files. With Hyper-V 2.0 files (Windows Server 2008 R2) it is possible to convert the .bin and .vsv files into a crash dump using vm2dmp and then use Volatility’s imagecopy plugin to convert the crash dump into a raw dump that you can fully work with. With Windows Server 2012 and newer, however, vm2dmp no longer works on the .bin and .vsv files. It is still possible to run strings against these images, but because of the compression Microsoft uses on these files the data doesn’t tell the entire story.
This presentation will cover everything from locating the .bin and .vsv files to converting them and performing memory analysis on Hyper-V virtual machines in a saved or snapshotted state, on Windows Server 2008 R2 through Windows Server 2012 R2. I will also briefly touch on how you can use Microsoft Data Protection Manager to look at historical memory saved states, giving the analyst an endless amount of data to work with. I will also discuss some of the current limitations I have discovered, such as any VM with 4 GB of RAM or more causing vm2dmp to fail with an error like “ERROR: Failed to map guest block 4096 to any saved state block! ERROR: Element not found.” After we cover the basics of analyzing the virtual machine layer, I’ll cover some basics of performing analysis on the hypervisor itself for signs of abnormal activity. I’ll also showcase some newly developed Volatility plugins for analyzing Hyper-V systems.
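The locate-hash-convert triage that the abstract describes, written out as an added PowerShell example; this is not code from the presentation. It walks a Hyper-V VM store (the 2008 R2/2012 default path, or an offline copy of that directory), pairs each .bin with its .vsv, hashes both, flags pairs at or above the 4 GB size at which the abstract reports vm2dmp failing, and prints the vm2dmp and Volatility imagecopy commands for the rest. The tool paths ($Vm2Dmp, $VolPy), the output directory and the Volatility profile are placeholders you must adjust; the vm2dmp switch names are taken from that tool’s usage text and the imagecopy syntax is Volatility 2’s.

```powershell
# Added example (not code from the presentation): find the .bin/.vsv saved-state
# pairs under a Hyper-V VM store, record sizes and hashes, flag pairs the abstract
# says vm2dmp cannot handle (4 GB of RAM or more), and emit the two conversion
# commands. Works against a live host or an offline copy of the VM directory.
# Assumptions: default 2008 R2/2012 store path below; $Vm2Dmp and $VolPy are
# placeholder tool paths; $VolProfile must match the guest OS. PowerShell 2.0 syntax
# on purpose, so it also runs on a 2008 R2 host.
param(
    [string]$Root       = 'C:\ProgramData\Microsoft\Windows\Hyper-V',
    [string]$OutDir     = 'D:\evidence',
    [string]$Vm2Dmp     = 'C:\Tools\vm2dmp.exe',
    [string]$VolPy      = 'C:\Tools\volatility\vol.py',
    [string]$VolProfile = 'Win2008R2SP1x64'
)

function Get-Sha256 ([string]$Path) {
    # Hash the evidence before any tool touches it; .NET SHA256 is available on PowerShell 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

if (-not (Test-Path $Root))   { throw "VM store not found: $Root" }
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Saved state of a VM lives in "Virtual Machines\<GUID>\<GUID>.bin|.vsv";
# snapshot state lives in "Snapshots\<GUID>\<GUID>.bin|.vsv". A recursive search
# picks up both. The .bin holds guest RAM, the .vsv holds the device/CPU state.
$stateFiles = Get-ChildItem -Path $Root -Recurse -Include '*.bin', '*.vsv' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

# A pair shares directory and base name (the GUID), so group on that.
$stateFiles | Group-Object -Property { Join-Path $_.DirectoryName $_.BaseName } | ForEach-Object {
    $bin = $_.Group | Where-Object { $_.Extension -eq '.bin' }
    $vsv = $_.Group | Where-Object { $_.Extension -eq '.vsv' }
    if (-not $bin -or -not $vsv) {
        Write-Warning ("Incomplete saved state (need both .bin and .vsv): {0}" -f $_.Name)
        return   # acts as 'continue' inside ForEach-Object
    }

    $guid = $bin.BaseName
    $kind = if ($bin.DirectoryName -match '\\Snapshots\\') { 'snapshot' } else { 'saved state' }
    Write-Host ("{0} {1}: bin {2:N2} GB, vsv {3:N0} KB, written {4}" -f $kind, $guid,
        ($bin.Length / 1GB), ($vsv.Length / 1KB), $bin.LastWriteTime)
    Write-Host ("  sha256 bin = {0}" -f (Get-Sha256 $bin.FullName))
    Write-Host ("  sha256 vsv = {0}" -f (Get-Sha256 $vsv.FullName))

    # The .bin is sized to the guest's RAM, so its length is the quick test for the
    # 4 GB limitation reported in the abstract ("Failed to map guest block ...").
    if ($bin.Length -ge 4GB) {
        Write-Warning ("  {0} is {1:N2} GB: expect vm2dmp to fail; strings/grep on the .bin is the fallback." -f $guid, ($bin.Length / 1GB))
    }

    $dmp = Join-Path $OutDir ($guid + '.dmp')
    $raw = Join-Path $OutDir ($guid + '.raw')
    # Step 1 (Hyper-V 2.0 / 2008 R2 files only): vm2dmp -> Windows crash dump.
    # Switch names follow vm2dmp's own usage text (-bin, -vsv, -dmp).
    Write-Host ('  {0} -bin "{1}" -vsv "{2}" -dmp "{3}"' -f $Vm2Dmp, $bin.FullName, $vsv.FullName, $dmp)
    # Step 2: Volatility 2 imagecopy -> raw image that every plugin can read.
    Write-Host ('  python "{0}" -f "{1}" --profile={2} imagecopy -O "{3}"' -f $VolPy, $dmp, $VolProfile, $raw)
}
```

Run it from an elevated prompt, or point $Root at a copy of the VM directory taken from a disk image. Only a pair written by an actual save or snapshot carries analysable state: on 2008 R2 and 2012 hosts Hyper-V pre-allocates a .bin for a running VM as a reservation, so a .bin whose VM is currently running should not be treated as a memory image. The conversion commands are printed rather than executed so the analyst can confirm hashes and the guest profile first; for files from Windows Server 2012 or newer the script still locates and hashes them, but, as the abstract notes, the vm2dmp step will not succeed.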