Unlike @JackCR's previous challenges, this one is 1. from a Linux server, and 2. does not have a memory component. Well, that is not entirely accurate, there is a memory dump but it is not usable because of the way that vmss2core produces a file that is not useful for linux memory forensics. Long story short, Volatility can now read vmem (VMWare memory) and vmss (VMWare Snapshot) natively - don't use vmss2core anymore!
↧