Data Collection

Data Collection Process

Let's start by pausing and creating a snapshot of the Windows machine.

Memory Acquisition

vboxmanage.exe list vms

This command lists the VMs registered in VirtualBox along with their names and UUIDs; the UUID is what the following command needs.

vboxmanage.exe debugvm 1b1f8a26-db71-4cbc-b778-dfbef16a600a dumpvmcore --filename win10-memory.raw

This command generates a raw memory dump of the VM identified by the provided UUID and saves it to a file named win10-memory.raw.

Let's hash win10-memory.raw right after acquisition, so we can later verify that the data was not altered during analysis.

certutil -hashfile win10-memory.raw > win10-memory-hash.txt

Disk Acquisition

Let's resume the Windows machine, shut it down cleanly, and then create a disk image. This can be done from either the Command Prompt or the VirtualBox GUI.

Using Command Prompt:

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" list hdds

From this listing we need the UUID of the most recent disk state (the last entry in the snapshot chain) in order to create a clone of the virtual disk.

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonemedium disk e58125c4-1c7b-408c-aa23-f105229e620f --format VHD win10-disk.vhd
certutil -hashfile win10-disk.vhd > win10-disk-hash.txt
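The whole acquisition workflow above, wrapped as an added helper script (my own example, not code from the original page): it resolves VM UUIDs from the `list vms` output, builds the two acquisition command lines, and records and re-verifies image digests. It uses Python's hashlib SHA-256 in place of certutil (whose default is SHA-1) but can also read a digest out of certutil's output; the VBoxManage path is the one used on this page, and the sample VM listing is constructed.

```python
import hashlib
import re
import subprocess
from pathlib import Path

VBOXMANAGE = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"  # path used on this page

# Constructed sample of `VBoxManage list vms` output (not captured from a real host).
SAMPLE_VM_LIST = '''"win10-lab" {1b1f8a26-db71-4cbc-b778-dfbef16a600a}
"ubuntu-analyst" {0a1b2c3d-4e5f-6789-abcd-ef0123456789}
'''

def parse_vm_list(text):
    """Map VM names to UUIDs from `VBoxManage list vms` output."""
    return dict(re.findall(r'^"(.+?)" \{([0-9a-f-]{36})\}$', text, re.M))

def dump_command(vm_uuid, out_file):
    """Argument vector for the memory acquisition step shown above."""
    return [VBOXMANAGE, "debugvm", vm_uuid, "dumpvmcore", "--filename", str(out_file)]

def clone_command(disk_uuid, out_file):
    """Argument vector for the disk acquisition step shown above."""
    return [VBOXMANAGE, "clonemedium", "disk", disk_uuid, "--format", "VHD", str(out_file)]

def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so multi-GB dumps never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_certutil_hash(text):
    """Extract the digest from `certutil -hashfile` output; older builds print it with spaces."""
    for line in text.splitlines():
        candidate = line.replace(" ", "").strip().lower()
        if re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", candidate):
            return candidate
    raise ValueError("no digest found in certutil output")

def acquire(cmd, out_file, hash_file):
    """Run one acquisition command, then record the SHA-256 of the resulting image."""
    subprocess.run(cmd, check=True)
    digest = sha256_file(out_file)
    Path(hash_file).write_text(f"{digest}  {Path(out_file).name}\n")
    return digest

def verify(image, hash_file):
    """Re-hash an image before analysis and compare it with the recorded digest."""
    recorded = Path(hash_file).read_text().split()[0].lower()
    return sha256_file(image) == recorded
```

A typical run is `acquire(dump_command(parse_vm_list(listing)["win10-lab"], "win10-memory.raw"), "win10-memory.raw", "win10-memory-hash.txt")` on the acquisition host, then `verify(...)` on the analysis host.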
