
VSICM51 - Slide 07-54 - Virtual Machine Snapshot Files


The slide notes contain an entire paragraph that is rather confused and needs thorough revision:

The snapshot state file uses a .vmsn extension and stores metadata about each active virtual machine. A .vmsn file is created for each snapshot taken. The .vmsn file contains the name of the VMDK, the display name and description, and an identifier of each snapshot.

The first phrase is a mess! A .vmsn file has a fairly complex structure that holds the physical memory runs, the VM configuration data, the CPU registers, and even a PNG thumbnail of the VM screen at the time the snapshot was taken. The file is tied only to its own VM and does not "store metadata about each active virtual machine" as the notes state. Every VM has its own .vmsn file(s), one per snapshot taken.

What the third phrase actually describes is the .vmsd file, also known as the snapshot list file, not the .vmsn file as the notes state.
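To make the distinction concrete, the following added example (not part of the slide notes or of any VMware tool) parses a snapshot list file and maps each snapshot's identifier, display name and description to its .vmsn state file and VMDK. The sample content is constructed, and the key names follow the layout commonly seen in .vmsd files, which is an assumption here.

```python
import re

# Constructed sample of a snapshot list (.vmsd) file; key names follow the
# layout commonly seen in VMware .vmsd files (assumption, not from the slides).
SAMPLE_VMSD = '''\
.encoding = "UTF-8"
snapshot.current = "2"
snapshot0.uid = "1"
snapshot0.filename = "web01-Snapshot1.vmsn"
snapshot0.displayName = "before patching"
snapshot0.description = "clean baseline"
snapshot0.disk0.fileName = "web01.vmdk"
snapshot1.uid = "2"
snapshot1.filename = "web01-Snapshot2.vmsn"
snapshot1.parent = "1"
snapshot1.displayName = "after patching"
snapshot1.description = ""
snapshot1.disk0.fileName = "web01-000001.vmdk"
snapshot.numSnapshots = "2"
'''

LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')
SNAP = re.compile(r'^snapshot(\d+)\.(.+)$')

def parse_vmsd(text):
    """Return {index: {...}} with one entry per snapshot listed in the file."""
    snaps = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or malformed lines
        s = SNAP.match(m.group(1))
        if not s:
            continue  # global keys such as snapshot.current
        entry = snaps.setdefault(int(s.group(1)), {"disks": []})
        field, value = s.group(2), m.group(2)
        if re.fullmatch(r'disk\d+\.fileName', field):
            entry["disks"].append(value)  # VMDK the snapshot refers to
        else:
            entry[field] = value
    return snaps

def snapshot_table(text):
    """List (uid, displayName, .vmsn state file, VMDKs) ordered by index."""
    return [(s.get("uid"), s.get("displayName"), s.get("filename"), s["disks"])
            for _, s in sorted(parse_vmsd(text).items())]

if __name__ == "__main__":
    for row in snapshot_table(SAMPLE_VMSD):
        print(row)
```

During an investigation, the resulting table shows which .vmsn file belongs to which snapshot before any memory image is extracted from it.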


Volatility, an advanced memory forensics framework, can analyze VMware snapshot files. It is also possible to convert a .vmsn file to a raw dd-style memory dump by using the Volatility imagecopy plugin, which extracts the physical memory runs to a separate file.

Last modified on Thursday, 12 December 2013 19:23