Hello All,
I have a VBox running Ubuntu that I was given as evidence in a case I am working on (I am a digital forensic examiner). The system is in a saved state. If I discard the saved state, I can easily open the system but the investigation requires me to look at the processes that were running at the time the state was saved. Discarding the saved state means I cannot find out what was running. Running the system from a saved state gives me an error because the NIC card is different and based on my search, I cannot modify the NIC while the VM is in a saved state.
My question to the group is: Does anyone know of a program that can convert the .sav file into a raw memory dump or is there a program that can parse the .sav file and list out the processes that were running?
Thanks
Assistance Required
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Assistance Required
The format of the sav file can be found in the VBox sources. I doubt very much that you'll find software able to parse it and list running processes (other than the original VM) because any such tool is going to be incredibly (guest OS) version sensitive, in addition to being sensitive to the VBox version, host features etc.
ps. Moving to Linux guests.