After first announcement made at VMworld 2006 in last November, VMware customers had few chances to really understand how the new Record/Replay feature is really going to work in upcoming Workstation 6.0.
Now Steve Herrod, Vice President of of Technology Development, finally writes a long article on its corporate blog describing what can be done with it:
When you enable the Record/Replay feature, VMware Workstation immediately takes a snapshot of the full VM state, continues guest software execution, and begins tracking its execution behavior. We’re not talking about a movie of what’s on the screen, but the full system behavior including all CPU and device activity. It notes the exact point in time when every device interrupt or other asynchronous event occurs and records this information to a compressed log file until you tell it to stop. It actually has to save a few other things such as the contents of all incoming networking packets, too.
When you choose to replay the recording, it restarts the VM from the snapshot and faithfully re-creates the recorded execution by feeding the logged events and data back to the VM at the exact points in time when they occurred during the original execution. The result is that the exact same execution path is followed during replay. And since the log is saved to disk, you can share the exact execution scenario with others and replay it over and over and over again.
This behaviour makes Record/Replay feature incredibly useful for software debugging, but so far was unclear if it’s suitable also for other purposes. Steve finally clarifies:
We also allow you to “go live” at any time, aborting the rest of the replay and allowing new interactions and new behaviors to proceed. One analogy is autopilot for an airplane. You can disengage it at any point in the trip, go to manual control, and head off in a new direction from that point.
We’ve also added “in-guest recording control”. This lets guest software start and stop VM Record/Replay itself…
Capabilities to go live at any point during replay and to invoke recording from inside the guest OS, suddently make Record/Replay the most wanted feature in security industry as well.
While it has limited application in Workstation, imagine this feature available in Server and ESX Server, used for production virtual datacenters: a new class of intrusion detection systems (IDS), sitting at host or guest level and recognizing incoming malicious or anomalous traffic, may activate virtual machines recording. After attack, during forensic analysis of compromised systems, security admins may replay the whole attack and go live immediately after break in, to check which kind of exploiting technique has been used, which kind of files have been injected, etc.
Despite Record/Replay is still an experimental feature, still planned for Workstation 6.0 only, one day it could really change the way we do forensic analysis.
Read the whole article at source.