Assistance Required
Posted: 9. May 2013, 19:55
Hello All,
I have a VBox running Ubuntu that I was given as evidence in a case I am working on (I am a digital forensic examiner). The system is in a saved state. If I discard the saved state, I can easily open the system but the investigation requires me to look at the processes that were running at the time the state was saved. Discarding the saved state means I cannot find out what was running. Running the system from a saved state gives me an error because the NIC card is different and based on my search, I cannot modify the NIC while the VM is in a saved state.
My question to the group is: Does anyone know of a program that can convert the .sav file into a raw memory dump or is there a program that can parse the .sav file and list out the processes that were running?
Thanks