Dumping both RAM and HD of suspended machine

Discussion about using the VirtualBox API, Tutorials, Samples.
Iansus
Posts: 1
Joined: 26. Oct 2013, 12:15

Dumping both RAM and HD of suspended machine

Post by Iansus »

Hi!

I am currently working on a forensics project that requires that I have a snapshot of a machine, including the hard drive and the memory dump.
As it would be best if both dumps could refer to the same state of the machine, I thought about using VBoxManage to dump those files from a suspended machine.

The problems I encountered were:
  • VBoxManage is unable to dump the memory of a machine in suspended state using vboxmanage debugvm "<vm_name>" dumpguestcore --filename <output>
  • I managed to dump the HD in RAW format using VBoxManage internalcommands converttoraw <input> <output>, but the input file would be the VDI disk, which doesn't take into account the modifications registered in the snapshot.
I would like to be able to:
  • Understand how the snapshot format is built so that:
      • I can dump the HD from the VDI file and patch it from the snapshot modifications
      • I can dump the memory of a suspended machine in a similar way
Thanks in advance,
Iansus
noteirak
Site Moderator
Posts: 5229
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7

Re: Dumping both RAM and HD of suspended machine

Post by noteirak »

The memory dump is in the .sav file in the Snapshot folder. For the format, I don't think this is publicly documented, and it is not available via the API.
The disk dump might work if you give the full path to the precise snapshot file of the VDI, again in the snapshot folder.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
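As an added example for this thread (not code from either poster and not part of VirtualBox), here is a POSIX shell script that does what the two posts together describe: it reads the VM's properties with VBoxManage showvminfo --machinereadable, refuses to continue unless the VM is in the "saved" state, copies the saved-state .sav file named in the VM's .vbox settings (the file in the Snapshots folder that holds the guest memory; since its format is undocumented, it is copied byte-for-byte rather than parsed), and converts the currently attached disk image to RAW with VBoxManage internalcommands converttoraw. For a VM with snapshots the attached image is the differencing image in the Snapshots folder, which is why the conversion reflects the guest's state rather than the base VDI alone. It finishes by writing SHA-256 sums and the source paths so both artifacts are tied to one acquisition. Assumptions (not stated in the thread): the system disk is attached at "SATA Controller" port 0 device 0; the Machine element's stateFile attribute is the first one in the .vbox file; sha256sum (GNU coreutils) is available; the showvminfo output and .vbox fragment embedded below are constructed samples with made-up values.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster or from VirtualBox.
# Acquires the two artifacts a VM in "saved" state leaves behind:
#   - the saved-state file (<SnapshotFolder>/{uuid}.sav), which holds the
#     guest RAM in VirtualBox's undocumented saved-state format, so it is
#     copied byte-for-byte rather than parsed;
#   - a RAW copy of the disk as the guest last saw it, converted from the
#     currently attached image (the differencing image in the snapshot
#     folder), not from the base VDI.
# Assumptions: VBoxManage and sha256sum are on PATH; the system disk is
# attached at "SATA Controller" port 0, device 0; the VM's .vbox settings
# file names the saved state in the Machine element's stateFile attribute.
set -eu

CTRL_KEY="SATA Controller-0-0"   # assumed attachment point of the system disk

# Print one value from "VBoxManage showvminfo <vm> --machinereadable" (stdin).
# VBoxManage quotes keys that contain spaces and quotes most values.
vbox_value() {
    key=$1
    sed -n "s/^\"\{0,1\}${key}\"\{0,1\}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# Print the first stateFile="..." attribute of a .vbox settings file (stdin).
# The Machine element opens before its Snapshot children, so for a saved VM
# the first match is the current saved state. The path is relative to the
# directory holding the .vbox file unless it is absolute.
vbox_state_file() {
    sed -n 's/.*stateFile="\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample output, trimmed to the keys used here (all values made up).
SAMPLE_INFO='name="forensic-vm"
VMState="saved"
VMStateChangeTime="2013-10-26T12:15:00.000000000"
CfgFile="/home/analyst/VirtualBox VMs/forensic-vm/forensic-vm.vbox"
SnapshotFolder="/home/analyst/VirtualBox VMs/forensic-vm/Snapshots"
"SATA Controller-0-0"="/home/analyst/VirtualBox VMs/forensic-vm/Snapshots/{1a2b3c4d-0000-4000-8000-000000000001}.vdi"
"SATA Controller-ImageUUID-0-0"="1a2b3c4d-0000-4000-8000-000000000001"
CurrentSnapshotUUID="9f8e7d6c-0000-4000-8000-000000000002"'

# Constructed fragment of a .vbox file for the same VM (attribute set abridged).
SAMPLE_VBOX='<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.14-linux">
  <Machine uuid="{c0ffee00-0000-4000-8000-000000000003}" name="forensic-vm" stateFile="Snapshots/{9f8e7d6c-0000-4000-8000-000000000002}.sav" snapshotFolder="Snapshots">
  </Machine>
</VirtualBox>'

# acquire_vm <vm-name> <output-dir>: copy the saved state, convert the disk,
# and leave SHA-256 sums plus the source paths for the acquisition record.
acquire_vm() {
    vm=$1
    out=$2
    info=$(VBoxManage showvminfo "$vm" --machinereadable)
    state=$(printf '%s\n' "$info" | vbox_value VMState)
    if [ "$state" != "saved" ]; then
        echo "VM '$vm' is in state '$state'; suspend it (saved state) first" >&2
        return 1
    fi
    cfg=$(printf '%s\n' "$info" | vbox_value CfgFile)
    disk=$(printf '%s\n' "$info" | vbox_value "$CTRL_KEY")
    sav=$(vbox_state_file < "$cfg")
    case $sav in
        /*) ;;
        *)  sav=$(dirname "$cfg")/$sav ;;
    esac
    mkdir -p "$out"
    # Memory: VirtualBox does not rewrite the .sav while the VM stays saved.
    cp "$sav" "$out/memory.sav"
    # Disk: converttoraw opens the image read-only; for a differencing image it
    # opens the parent chain as well and writes the merged sectors.
    VBoxManage internalcommands converttoraw "$disk" "$out/disk.raw"
    (cd "$out" && sha256sum memory.sav disk.raw > SHA256SUMS)
    printf 'vm=%s\nstate_file=%s\ndisk_image=%s\n' "$vm" "$sav" "$disk" > "$out/acquisition.txt"
}

if [ $# -eq 2 ]; then
    acquire_vm "$1" "$2"
fi
```

Run it as sh acquire.sh <vm-name> <output-dir> and leave the VM untouched until it finishes: VirtualBox only replaces the .sav and writes to the differencing image when the VM is resumed, so the two copies then describe a single point in time. Before converting, VBoxManage showmediuminfo disk <path> on the attached image shows its parent, which confirms it is a differencing image layered on the base VDI rather than the base VDI itself.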