Taking a VM Snapshot
Overview
Being able to revert to a clean state is extremely useful when analyzing malware. This is one of the many reasons to always use a VM when reversing malicious programs. In this walkthrough, you will learn how to create a VM snapshot on the class lab infrastructure.
Goals:
- Learn to create and restore from a snapshot.
- Learn how to disable and re-enable a network interface in Windows.
Estimated Time: 15 Minutes
Taking a Snapshot
First, navigate to your VM at https://lab.aces.umd.edu.
Open the VM settings

Click on the “snapshots” tab

Choose a name for your snapshot


Tip
It may take a minute for your snapshot to finish. Wait a beat, then refresh the page.
You can use the “restore” button to revert your VM back to the original state

Disable Networking (Optional)
Note
This method of disabling networking is not perfect because it is a setting changed inside the VM's operating system. Sufficiently advanced malware could simply re-enable the adapter. However, that should not be an issue for this class.
A better approach is to disable the network interface from the hypervisor's settings (the hypervisor is the program that runs your VM).
Open the Ethernet settings on your Windows VM

Navigate to the “Network and Sharing Center” in Control Panel

Disable the interface to stop network connectivity

Note
When you disable network connectivity, your VM background will change. The reddish glowing outline will disappear.
To reconnect, use the adapter settings on the left-hand side

Right click on the interface to enable it

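The same disable, verify and re-enable steps can be scripted from an elevated PowerShell prompt inside the Windows VM. This is an added example, not part of the course page; it assumes Windows 8 / Server 2012 or later (the NetAdapter module) and administrator rights, and the function names are our own.

```powershell
# Added example: disable every network adapter in the Windows VM, then confirm
# that nothing is still "Up" before running a sample. Run as Administrator.
# Assumes the built-in NetAdapter module (Windows 8 / Server 2012 and later).

function Disable-LabNetworking {
    # Disable all adapters that are currently Up, skipping the confirmation prompt.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "Disabling $($_.Name) ($($_.InterfaceDescription))"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

function Test-LabNetworkingDisabled {
    # Re-check from the OS side. Because this is an in-guest setting (see the
    # note above), re-run it before each detonation: an adapter that has come
    # back "Up" means something re-enabled it. Returns $true when all are down.
    $up = Get-NetAdapter | Where-Object Status -eq 'Up'
    if ($up) {
        Write-Warning "Still Up: $($up.Name -join ', ')"
        return $false
    }
    Write-Host "No adapters are Up."
    return $true
}

function Enable-LabNetworking {
    # Bring the adapters back once analysis is finished (same effect as the
    # right-click "Enable" step in the adapter settings).
    Get-NetAdapter | Where-Object Status -eq 'Disabled' | ForEach-Object {
        Write-Host "Enabling $($_.Name)"
        Enable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

Disable-LabNetworking
Start-Sleep -Seconds 2          # give the adapter state a moment to settle
Test-LabNetworkingDisabled
```

After Test-LabNetworkingDisabled returns $true, the VM background should also lose its glowing outline as described above; run Enable-LabNetworking when you are done.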