# Data Collection

## Data Collection Process

Let's start by pausing and creating a snapshot of the Windows machine.

<figure><img src="/files/OQSu8nYuxlW8gmE7keYJ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/sWubztEGlYhVARMsQWEm" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XycfeEaVGtIyG26Lpkp3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oxJnHIkYmdCPcGhNRY5Y" alt=""><figcaption></figcaption></figure>

### Memory Acquisition

```cmd
vboxmanage.exe list vms
```

<figure><img src="/files/lwLKx8aRQ8CAmKsPcoKF" alt=""><figcaption></figcaption></figure>

This command lists the VMs registered in VirtualBox together with their names and UUIDs; the UUID is what the memory dump command below takes as its target.

```cmd
vboxmanage.exe debugvm 1b1f8a26-db71-4cbc-b778-dfbef16a600a dumpvmcore --filename win10-memory.raw
```

<figure><img src="/files/PEOHuNxBDR0CVXjSurov" alt=""><figcaption></figcaption></figure>

This command generates a raw memory dump of the VM identified by the provided UUID and saves it to a file named `win10-memory.raw`.

Next, let's hash `win10-memory.raw` and save the digest, so the image's integrity can be checked later and any alteration during analysis detected.

```cmd
rem certutil -hashfile uses SHA1 when no algorithm is given; append SHA256 after the file name to record a SHA-256 digest instead
certutil -hashfile win10-memory.raw > win10-memory-hash.txt
```

<figure><img src="/files/WHzvpxZDVH9ZCSpf56DJ" alt=""><figcaption></figcaption></figure>

### Disk Acquisition

Let's resume the Windows machine, shut it down, and then create a disk image. This can be done from either the Command Prompt or the VirtualBox GUI.

<figure><img src="/files/pLqEEBI065iKE5BaYDwI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EAQO3hCzO2fZ22mdfvuR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/edLksDFpNpa8H2PLnaWh" alt=""><figcaption></figcaption></figure>

Using Command Prompt:

```cmd
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" list hdds
```

<figure><img src="/files/yRDOXV8txveTdjBYS4K1" alt=""><figcaption></figcaption></figure>

The UUID we need is the one belonging to the most recent disk state (the differencing image created when the snapshot was taken); that is the medium we clone to obtain the disk image.

```cmd
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonemedium disk e58125c4-1c7b-408c-aa23-f105229e620f --format VHD win10-disk.vhd
```

<figure><img src="/files/bll43wei0P0PDppoeOLM" alt=""><figcaption></figcaption></figure>

```cmd
rem as with the memory dump, the default algorithm is SHA1; append SHA256 to record a SHA-256 digest
certutil -hashfile win10-disk.vhd > win10-disk-hash.txt
```

<figure><img src="/files/5tNPli169XnEkvGnVYU0" alt=""><figcaption></figcaption></figure>
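The acquisition and hashing steps above can be scripted so that each run leaves a record and the hash is actually re-checked before analysis, which the manual steps never do. The following PowerShell script is an added example, not part of the original page; it assumes VBoxManage.exe at its default install path, a VM named `win10`, and an evidence folder `C:\evidence` (all assumptions to adjust for your lab).

```powershell
# Added example (not from the original page): pause a VirtualBox VM, dump its
# memory, record a SHA-256 digest, and re-verify the dump before analysis.
# Assumed paths and names: VBoxManage default location, VM "win10", C:\evidence.
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$VmName     = "win10"
$Evidence   = "C:\evidence"
$LogFile    = Join-Path $Evidence "acquisition-log.csv"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

function Invoke-VBox {
    # Run VBoxManage and stop on a non-zero exit code, so a failed step
    # cannot silently leave a partial or missing image behind.
    param([string[]]$Arguments)
    & $VBoxManage @Arguments
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($Arguments -join ' ') failed ($LASTEXITCODE)" }
}

function Get-MemoryImage {
    # Pause first so guest state does not change while the core file is written.
    $dump = Join-Path $Evidence "$VmName-memory.raw"
    Invoke-VBox @("controlvm", $VmName, "pause")
    Invoke-VBox @("debugvm", $VmName, "dumpvmcore", "--filename", $dump)
    # SHA-256 is chosen explicitly; certutil -hashfile defaults to SHA-1.
    $hash = (Get-FileHash -Path $dump -Algorithm SHA256).Hash
    # One CSV line per acquisition: time, operator, algorithm, digest, file name.
    "$(Get-Date -Format o),$env:USERNAME,SHA256,$hash,$(Split-Path $dump -Leaf)" |
        Add-Content -Path $LogFile
    return $dump
}

function Test-EvidenceHash {
    # Recompute the digest and compare it with the recorded one; run this
    # before and after each analysis session on the working copy of the image.
    param([string]$Path)
    $name = Split-Path $Path -Leaf
    $record = Import-Csv $LogFile -Header Time,User,Alg,Hash,File |
        Where-Object File -eq $name | Select-Object -Last 1
    if (-not $record) { throw "no recorded hash for $name" }
    $now = (Get-FileHash -Path $Path -Algorithm $record.Alg).Hash
    return ($now -eq $record.Hash)
}

$image = Get-MemoryImage
if (Test-EvidenceHash $image) { "integrity OK: $image" } else { "HASH MISMATCH: $image" }
```

The same `Test-EvidenceHash` check applies to `win10-disk.vhd` once its digest is appended to the log; a mismatch means the working copy is no longer the acquired evidence and must not be used for analysis.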
