Recovering a virtual machine save file

Discussions related to using VirtualBox on Windows hosts.
Voldemar180
Posts: 3
Joined: 22. May 2019, 17:09

Recovering a virtual machine save file

Post by Voldemar180 »

Hello everyone!

There was a problem with the virtual machine save file (.sav). When I try to start, I see the error "The VM session..."
After reviewing the log, I see: 00:00:03.087175 ERROR [COM]: aRC=VBOX_E_FILE_ERROR (0x80bb0004) aIID={872da645-4a9b-1727-bee2-5585105b9eed} aComponent={ConsoleWrap} aText={VM cannot start because the saved state file 'C:\Users\Андрей\VirtualBox VMs\Linux Mint\Snapshots\2019-05-21T12-42-02-545875300Z.sav' is invalid (VERR_SSM_INTEGRITY_FOOTER). Delete the saved state prior to starting the VM}, preserve=false aResultDetail=-1821

How is it possible to open the sav file to recover data from there?
The fact is that in this preservation there was very important data for me, which is not on the disk (vdi) ...

Thank you in advance!
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Recovering a virtual machine save file

Post by mpack »

You can't recover a ".sav" file: it's a RAM dump, there is nothing to recover. You just need to discard the saved state, i.e. right click the VM in the manager and select "Discard saved state". The VM will act as if it had a virtual power cut at the point in time where it was suspended.
Voldemar180
Posts: 3
Joined: 22. May 2019, 17:09

Re: Recovering a virtual machine save file

Post by Voldemar180 »

The problem is that Linux Mint was loaded on the virtual machine without being installed on the disk. I.e., I need to restore the memory dump.
I believe that it is still possible, but I do not know how ...

After reviewing HEX, I found this.
However, I need to somehow restore the mnemonic phrase of the wallet.
Attachment: 2019-05-22 19_10_05-Hex Editor Neo (Administrator).png (61.48 KiB, hex editor screenshot, not reproduced here)
Last edited by socratis on 22. May 2019, 21:38, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Recovering a virtual machine save file

Post by mpack »

Dear lord. You had bitcoins stored in RAM only? With no backups?

In order to be able to repair data, there must be a correct structure that you can restore. I have never had any reason to pay attention to the .SAV file format as I would never use something as obviously unstable and non-portable, so I can't comment on what the correct structure would be. I don't know anyone who could. You would have to examine the source code, find out what that error message means, and patch the file to work around the message - e.g. copy the header to the footer (and this is a total guess, as I've said I have had no reason to ever look at SAV).

Alternatively. I gather that you have identified what part of RAM contained the RAMdisk used by the liveCD boot of Linux Mint. If you know what size the bitcoin file was - and if it was tiny (as I believe they are) then you can simply dump the appropriate number of sectors to a file on the host. You might try several file sizes until you find a file that's accepted as valid bitcoin by whatever validation tool you intend to use. If the file is big enough that it isn't stored in consecutive 4K clusters... then things are going to get rather complicated, if not impossible.

If possible you need to get hold of valid bitcoin data, to familiarize yourself with the file structure and typical file sizes. Typically that structure will have a header with a signature string and file length, to allow the parsing software to validate it correctly.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Recovering a virtual machine save file

Post by mpack »

I just checked online, and it seems my guess was wrong that bitcoin (wallets) will be small. I assumed it would just be a short encrypted message, but apparently the wallet stores a complete transaction history, and may range from a few hundred KB to several MB. I doubt whether files of that size can be recovered in the manner I suggested above.

So, alternative tack: if you can identify where the RAMdisk filesystem starts (this is a guest OS structure, you won't find anything about it in VirtualBox docs), then I would expect the RAMdisk as a whole ought to occupy contiguous sectors, and the early sectors ought to tell you what size the RAMdisk was. It may be possible to extract a disk image and write that image to a physical disk, say a USB stick. You can then mount the filesystem and read off the files you wanted.
Voldemar180
Posts: 3
Joined: 22. May 2019, 17:09

Re: Recovering a virtual machine save file

Post by Voldemar180 »

You are the first who gave really useful advice. The mnemonic phrase for recovery was saved in a document on the desktop, so I can still find the data from this file in the dump. Thanks again )
Last edited by socratis on 22. May 2019, 21:42, edited 1 time in total.
Reason: Removed unnecessary verbatim quote of the whole previous message.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Recovering a virtual machine save file

Post by mpack »

mpack wrote: It may be possible to extract a disk image and write that image to a physical disk, say a USB stick.
Or even easier: call "VBoxManage convertfromraw <imagefile> <outputfile.vdi>", to get a virtual disk image that can be mounted in a VM, or converted to a format that can be read by a host tool.

Incidentally: be sure not to confuse a file directory entry with the file contents, these will typically be a long way apart. Your hex dump above is very short, and has an unrelated name (Mozilla Firefox, corrupted) very close by. That section of the dump might just be a directory structure. It ought to be easier to unambiguously identify the start of a RAMdisk, especially if you know what partition scheme and filesystem it used. Being Linux my first guess would be EXT. Failing that I'd think FAT16 or FAT32.
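An added example (mine, not code from mpack or from VirtualBox) of the scan described in the two posts above: given the guest RAM as a flat raw image, walk it one 4 KiB page at a time looking for an ext superblock or a FAT boot sector, and read the filesystem size out of that header so the whole RAMdisk can be carved as one contiguous piece. It assumes the memory has already been unpacked from the .sav container into a raw file, which this thread does not describe; the sample image and its offsets are constructed.

```python
import struct

EXT_MAGIC = 0xEF53     # ext2/3/4 s_magic, u16 at byte 56 of the superblock
FAT_SIG = b"\x55\xAA"  # boot-sector signature at bytes 510..511

def ext_superblock(buf, off):
    """Parse an ext2/3/4 superblock at buf[off:]; return (block_size, fs_bytes) or None."""
    sb = buf[off:off + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        return None
    blocks_count, log_block_size = struct.unpack_from("<I", sb, 4)[0], struct.unpack_from("<I", sb, 24)[0]
    if blocks_count == 0 or log_block_size > 6:  # sanity filter: 1 KiB..64 KiB blocks only
        return None
    return 1024 << log_block_size, blocks_count * (1024 << log_block_size)

def fat_boot_sector(buf, off):
    """Parse a FAT12/16/32 boot sector at buf[off:]; return (fat_type, fs_bytes) or None."""
    bs = buf[off:off + 512]
    if len(bs) < 512 or bs[510:512] != FAT_SIG:
        return None
    label = bs[54:59] if bs[54:59] in (b"FAT12", b"FAT16") else bs[82:87]
    if label not in (b"FAT12", b"FAT16", b"FAT32"):
        return None
    bytes_per_sector = struct.unpack_from("<H", bs, 11)[0]
    total = struct.unpack_from("<H", bs, 19)[0] or struct.unpack_from("<I", bs, 32)[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096) or total == 0:
        return None
    return label.decode(), total * bytes_per_sector

def find_filesystems(dump, page=4096):
    """Scan a raw image page by page; return (type, start, size) per hit. An ext superblock sits 1024 bytes into its fs."""
    hits = []
    for off in range(0, len(dump), page):
        ext, fat = ext_superblock(dump, off + 1024), fat_boot_sector(dump, off)
        if ext:
            hits.append(("ext", off, ext[1]))
        if fat:
            hits.append((fat[0], off, fat[1]))
    return hits

def sample_dump():
    """Constructed 64 KiB image: ext-style superblock at page 3, FAT16 boot sector at page 9."""
    img, sb, bs = bytearray(65536), bytearray(1024), bytearray(512)
    struct.pack_into("<I", sb, 4, 2048)        # s_blocks_count; s_log_block_size stays 0 (1 KiB blocks)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)  # s_magic
    struct.pack_into("<H", bs, 11, 512)        # bytes per sector
    struct.pack_into("<H", bs, 19, 4096)       # total sectors (16-bit field)
    bs[54:59], bs[510:512] = b"FAT16", FAT_SIG
    img[3 * 4096 + 1024:3 * 4096 + 2048], img[9 * 4096:9 * 4096 + 512] = sb, bs
    return bytes(img)
```

Carve a hit with dump[start:start + size], write it to a file and hand that to "VBoxManage convertfromraw" as suggested above. As the next post notes, a live CD often keeps its files in tmpfs, which has no on-disk layout, so these signatures may simply not be present in the dump.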
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Recovering a virtual machine save file

Post by mpack »

More research.

Nope, apparently Linux livecd boots typically something called "tmpfs" as a compact filesystem. The following page should be of interest: http://memoryforensics.blogspot.com/201 ... -with.html.