I am currently working on a forensics project that requires that I have a snapshot of a machine, including the hard drive and the memory dump.
As it would be the best if both dumps could refer to the same state of the machine, I thought about using VBoxManage to dump those files from a suspended machine.
The problems I encountered were:
- VBoxManage is unable to dump the memory of a machine in suspended state using vboxmanage debugvm "<vm_name>" dumpguestcore --filename <output>
- I managed to dump the HD in RAW format using VBoxManage internalcommands converttoraw <input> <output>, but the input file would be the VDI disk, which doesn't take into account the modifications recorded in the snapshot.
- Understand how the snapshot format is built so that:
- I can dump the HD from the VDI file and patch it from the snapshot modifications
- I can dump in a similar way the memory of a suspended machine
Iansus
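One way to get at the snapshot state without parsing the VDI format by hand, as an added example (not code from the post above): parse `VBoxManage showvminfo <vm> --machinereadable` output to find the differencing image actually attached after the snapshot, and clone that image with `clonemedium --format RAW`, which merges the base VDI and the snapshot deltas into one standalone disk. The sample output, paths and output directory are constructed for the example; the saved-state `.sav` file holds guest RAM in VirtualBox's own format, not as a raw dump.

```shell
# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (not real output). Once a snapshot exists, the attached disk is the
# differencing child under Snapshots/, not the base VDI.
SAMPLE_INFO='name="forensic-vm"
VMState="saved"
SnapFldr="/vms/forensic-vm/Snapshots"
storagecontrollername0="SATA"
"SATA-0-0"="/vms/forensic-vm/Snapshots/{1111-2222}.vdi"
"SATA-ImageUUID-0-0"="1111-2222"
"SATA-1-0"="emptydrive"
"SATA-2-0"="none"
"IDE-0-0"="none"'

# Print the path of every attached disk image, one per line. Attachment keys
# look like "SATA-0-0" (controller-port-device); empty drives and unattached
# ports are skipped, and the "-ImageUUID-" keys do not match the pattern.
attached_images() {
    printf '%s\n' "$1" \
      | grep -E '^"[A-Za-z0-9 ]+-[0-9]+-[0-9]+"=' \
      | sed -E 's/^"[^"]+"="(.*)"$/\1/' \
      | grep -Ev '^(none|emptydrive)$'
}

# Emit the commands that export the snapshot state into $2. clonemedium on the
# differencing image writes a standalone RAW disk with the base VDI and all
# snapshot deltas merged, which converttoraw on the base VDI alone misses.
# Commands are printed rather than executed so the plan can be reviewed first.
export_plan() {
    info="$1"; outdir="$2"; n=0
    attached_images "$info" | while IFS= read -r img; do
        n=$((n + 1))
        printf 'VBoxManage clonemedium disk "%s" "%s/disk%d.raw" --format RAW\n' \
            "$img" "$outdir" "$n"
    done
    # A suspended (saved) VM keeps its saved state as a .sav file in the
    # snapshot folder; it already contains guest RAM, so preserve it with the disks.
    snapdir=$(printf '%s\n' "$info" | sed -nE 's/^SnapFldr="(.*)"$/\1/p')
    printf 'cp "%s"/*.sav "%s"/\n' "$snapdir" "$outdir"
}
```

Run `export_plan "$(VBoxManage showvminfo "<vm_name>" --machinereadable)" /evidence` against a real VM and execute the printed lines once they look right.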