Dumping both RAM and HD of suspended machine

Discussion about using the VirtualBox API, Tutorials, Samples.

Postby Iansus » 26. Oct 2013, 12:23

Hi!

I am currently working on a forensics project that requires that I have a snapshot of a machine, including the hard drive and the memory dump.
As it would be the best if both dumps could refer to the same state of the machine, I thought about using VBoxManage to dump those files from a suspended machine.

The problems I encountered were:
  • VBoxManage is unable to dump the memory of a machine in the suspended state using vboxmanage debugvm "<vm_name>" dumpguestcore --filename <output>
  • I managed to dump the HD in RAW format using VBoxManage internalcommands converttoraw <input> <output>, but the input file would be the VDI disk, which doesn't take into account the modifications registered in the snapshot.

I would like to be able to:
  • Understand how the snapshot format is built so that:
      • I can dump the HD from the VDI file and patch it with the snapshot modifications
      • I can dump in a similar way the memory of a suspended machine

Thanks in advance,
Iansus
Iansus
 
Posts: 1
Joined: 26. Oct 2013, 12:15

Re: Dumping both RAM and HD of suspended machine

Postby noteirak » 27. Oct 2013, 23:50

The memory dump is in the .sav file in the Snapshots folder. As for the format, I don't think this is publicly documented, and it is not available via the API.
The disk dump might work if you give the full path to the precise snapshot file of the VDI, again in the Snapshots folder.
Hyperbox - Virtual Infrastructure Manager - https://kamax.io/hbox/
Manage your VirtualBox infrastructure the free way!
noteirak
Site Moderator
 
Posts: 5198
Joined: 13. Jan 2012, 11:14
Primary OS: Debian other
VBox Version: OSE Debian
Guest OSses: Debian, Win 2k8, Win 7
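The workflow noteirak describes (copy the .sav state file, and run converttoraw against the differencing VDI that is currently attached rather than the base disk) can be scripted so that both artefacts are taken from the same saved state and hashed together. The script below is an added example written for this thread, not code from VirtualBox or from either poster. It locates the files through VBoxManage showvminfo --machinereadable (the VMState, VMStateFile and "<controller>-<port>-<device>" keys are real output keys; the SAMPLE_INFO text is a constructed stand-in used only for offline testing) and assumes the VDI parent chain is intact on disk, since converttoraw needs the base image to resolve the differencing image.

```shell
#!/bin/sh
# Collect a consistent RAM + disk capture from a VirtualBox VM in "saved" state.
# Added example for this thread; assumes VBoxManage is on PATH when run for real.

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output,
# used only so the parsing helpers can be exercised without VirtualBox installed.
SAMPLE_INFO='name="forensic-vm"
VMState="saved"
VMStateFile="/vms/forensic-vm/Snapshots/2013-10-26T12-00-00-000000000Z.sav"
SnapFldr="/vms/forensic-vm/Snapshots"
"SATA Controller-0-0"="/vms/forensic-vm/Snapshots/{1111-2222}.vdi"
"SATA Controller-ImageUUID-0-0"="1111-2222"
"SATA Controller-1-0"="none"
'

# mr_value KEY INFO: print the value of the first KEY=... line, quotes stripped.
# Keys containing spaces are quoted in machinereadable output, so strip those too.
mr_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F'=' '
        { key = $1; gsub(/^"|"$/, "", key)
          if (key == k) {
              val = substr($0, length($1) + 2); gsub(/^"|"$/, "", val)
              print val; exit } }'
}

# mr_disks INFO: print every attached medium path, one per line.
# Attachment keys look like "<controller>-<port>-<device>"; the matching
# "<controller>-ImageUUID-<port>-<device>" keys and empty slots are skipped.
mr_disks() {
    printf '%s\n' "$1" | awk -F'=' '
        { key = $1; gsub(/^"|"$/, "", key)
          if (key ~ /-[0-9]+-[0-9]+$/ && key !~ /ImageUUID/) {
              val = substr($0, length($1) + 2); gsub(/^"|"$/, "", val)
              if (val != "none" && val != "emptydrive") print val } }'
}

# collect_evidence VM OUTDIR: copy the saved-state file and convert each attached
# medium (the currently active differencing image, if a snapshot exists) to RAW,
# then record SHA-256 sums so the capture can be verified later.
collect_evidence() {
    vm=$1; out=$2
    mkdir -p "$out"
    info=$(VBoxManage showvminfo "$vm" --machinereadable) || return 1
    state=$(mr_value VMState "$info")
    if [ "$state" != "saved" ]; then
        echo "refusing to capture: VM state is '$state', expected 'saved'" >&2
        return 1
    fi
    sav=$(mr_value VMStateFile "$info")
    cp -p "$sav" "$out/memory.sav"            # RAM image; format is VirtualBox-internal
    n=0
    mr_disks "$info" | while IFS= read -r disk; do
        n=$((n + 1))
        # converttoraw on the differencing VDI needs its parent chain on disk
        VBoxManage internalcommands converttoraw "$disk" "$out/disk$n.raw"
    done
    (cd "$out" && sha256sum ./* > SHA256SUMS)
}

# Only act when invoked with a VM name and VBoxManage is actually available.
if [ $# -ge 1 ] && command -v VBoxManage >/dev/null 2>&1; then
    collect_evidence "$1" "${2:-./evidence}"
fi
```

Usage: `sh collect.sh "<vm_name>" /mnt/evidence` on a host where the VM is in saved state. The state check is deliberate: a running VM would give a disk image that keeps changing underneath converttoraw, so the script refuses anything other than "saved".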

