In spite of the fact that the main point of virtualization is having "containerized" environments for every instanced OS without sharing memory space, are there techniques to perform forensics on either online or offline (paused) virtual machines?
The question is biased towards the fact that I hope there is no such possibility, but then again, my concern is the fact that, in very layman's terms, when you pause your virtual machine, memory should be "dumped" somewhere on the host in order to restore it later.
Is it possible to access (read only) sensitive information from the VM in that case? If so, are there mitigation procedures for such events and how should they be properly applied?
With my very best,
Bruno
Virtual machine physical memory is usually presented as a file on a host operating system.
For Hyper-V – VMRS files in the VM folder. There is also a converter from Microsoft - https://github.com/CSS-Windows/WindowsDiag/tree/master/SHA/vm2dmp
For ESXi – VMEM files. Here is a description of how to convert to dmp - https://support.arcserve.com/s/article/206136986?language=en_US
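As an added illustration (not code from either answer), a small host-side audit script: it walks a VM storage folder for the guest-memory files named above (VMEM, VMRS) plus VMware .vmsn/.vmss and Hyper-V .vsv saved-state files (assumed extensions), and flags any that are readable by host users other than the owner. The sample directory tree it builds is constructed for a stand-alone run.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions under which hypervisors persist guest RAM on the host:
# .vmem (VMware), .vmrs (Hyper-V) from the answer; .vmsn/.vmss (VMware
# snapshot/suspend) and .vsv (older Hyper-V saved state) are assumed.
MEMORY_EXTENSIONS = {".vmem", ".vmsn", ".vmss", ".vmrs", ".vsv"}


def find_memory_artifacts(root):
    """Walk `root` and return one record per guest-memory file found.

    A record is flagged `exposed` when the mode bits grant read access to
    group or others, i.e. to host users besides the file owner."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in MEMORY_EXTENSIONS:
            continue
        st = path.stat()
        findings.append({
            "path": str(path.relative_to(root)),
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "exposed": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample VM folder layout (not a real datastore)."""
    root = tempfile.mkdtemp(prefix="vmaudit-")
    files = {
        "esxi/guest1/guest1.vmem": 0o644,    # world-readable suspend image
        "esxi/guest1/guest1.vmdk": 0o600,    # virtual disk, not memory: ignored
        "hyperv/guest2/guest2.VMRS": 0o600,  # owner-only, as it should be
    }
    for rel, mode in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 64)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for f in find_memory_artifacts(build_sample_tree()):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{flag:8} {f['mode']} {f['size']:>6} {f['path']}")
```

Run it against the real VM storage root on a Linux host; on Windows hosts the read bits are not meaningful and the ACL must be inspected instead.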
You should assume yes.
It varies depending on the product. For example, Hyper-V production checkpoints do not include memory. For VMware, creating a snapshot and extracting the memory is fairly trivial.
Mitigations will also vary depending on the product. Microsoft Hyper-V 2016 and higher has Shielded VMs/Virtual TPM/BitLocker. VMware vSphere 6.7 and higher has VM-level disk encryption/encrypted vMotion/Virtual TPM; although I'm not sure if it has feature parity with Shielded VMs, it's certainly better than not using it.
I'm not aware of any other hypervisors on the market with this capability.