Windows Forensics
Memory acquisition of the target system
As we examine our incident response setup, you'll notice the compromised virtual machine in the background. It's currently paused and greyed out, which is crucial for preserving the state of our target system: while the VM is paused the guest cannot alter its own memory or disk, so what we copy is what was there at the moment of suspension.

Now we're going to proceed with evidence acquisition, adhering strictly to the order of volatility principle. In digital forensics, the order of volatility dictates that we collect the most volatile data first. In this case we'll start with the system's memory dump, which is lost the moment the VM is powered off, followed by the disk image. These two artifacts will form the cornerstone of our subsequent analysis.

Before we begin the acquisition process, it's essential to establish a secure storage location on our host system. I prefer to create a dedicated evidence folder within my Documents directory. This approach ensures proper organization and easy access during the investigation. Let's go ahead and create this folder now; we'll simply name it 'Evidence'.

Remember, maintaining the integrity of our evidence is paramount. Each step we take must be documented and should be repeatable to ensure the admissibility of our findings in potential legal proceedings. As we move forward with the acquisition we'll calculate a hash of each file as soon as it is written and record it, so any later modification can be detected. (With physical media you would also place a hardware write-blocker between the disk and the analysis machine; for a hypervisor export the paused VM serves that purpose, since nothing in the guest can write while we copy.)
Now that we've created our evidence folder, we'll store the memory dump and disk image here. VirtualBox provides a powerful command-line utility that allows us to export memory, manage disks, and adjust settings. For efficiency, let's open a terminal directly in this folder to avoid navigation issues.
Here's my terminal, open in the Evidence folder. We'll be using the VirtualBox command-line utility VBoxManage, which is essential for our forensic acquisition process. On the command line it is typed as:
vboxmanage
For Windows users: you can run this utility either by giving the full path to the executable (typically C:\Program Files\Oracle\VirtualBox\VBoxManage.exe) or by adding the VirtualBox directory to your PATH environment variable. Once set up, you can use the vboxmanage command as I'll demonstrate on my MacBook.
To run the utility by pointing to the full path (the quotes are required because of the space in "Program Files"):
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
Alternatively, to add the VirtualBox folder to the PATH environment variable for the current command prompt session (to make it permanent, edit PATH in the System Properties environment-variable dialog):
SET PATH=%PATH%;C:\Program Files\Oracle\VirtualBox
After adding it to PATH, you can use the command directly from any directory:
vboxmanage.exe
The vboxmanage utility offers numerous options, but we're particularly interested in memory acquisition. The command we need is
vboxmanage debugvm <VM name or UUID> dumpvmcore --filename=<output file>
This writes the guest's memory to the file named by --filename. The option is required; dumpvmcore does not accept the file name as a positional argument. The VM must be running or paused when you run this: a powered-off or saved-state VM has no live memory for the debugger to read.
To identify our target VM, we list all VMs registered in VirtualBox:
vboxmanage list vms
Each line of the output shows the VM's name in quotes followed by its UUID in braces. Either can be passed to debugvm, but the UUID is unambiguous, so copy it. In my case I have multiple VMs, but we're focusing on the MS Edge machine.
Now we'll execute our memory dump command, replacing <UUID> with the identifier of the MS Edge machine (or your target VM) and the file name with whatever you prefer:
vboxmanage debugvm <UUID> dumpvmcore --filename="Windows 10 memory.raw"
Because the terminal is open in the Evidence folder, the dump lands there.
The extraction process will take some time. Once complete, you should see a new file named 'Windows 10 memory.raw' in the Evidence folder, approximately 4GB in size, corresponding to the VM's assigned memory. One caveat on the name: despite the .raw extension, dumpvmcore writes an ELF64 core file (VirtualBox's core-dump format, with its own ELF notes), not a flat physical-memory image; the file utility will report it as "ELF 64-bit ... core file". Record the format alongside the file name in your notes so that whoever analyses it picks a tool that understands VirtualBox core dumps.
As a crucial step in our forensic process, we need to calculate and record the hash of this file immediately. This ensures file integrity and allows us to detect any subsequent modifications. We'll use the shasum utility and redirect its output to a text file:
shasum "Windows 10 memory.raw" > "Windows 10 memory hash.txt"
This creates a text file containing the SHA-1 hash of our evidence file. Note that shasum with no options produces SHA-1, which is no longer collision-resistant; for evidence that may be challenged, pass -a 256 to record SHA-256 instead (or record both). Always verify the hash when processing or sharing the evidence to maintain its forensic integrity, and keep the hash file with the evidence rather than only in your notes.
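The whole procedure above (find the VM's UUID, pause it, dump memory, hash and record) scripted end to end, as an added example rather than code from the course. It assumes VBoxManage is on PATH; the VM_NAME and EVIDENCE_DIR variables, the custody.log file and the sample list output are all assumed for illustration. It uses SHA-256 rather than shasum's SHA-1 default, and names the output .elf to match what dumpvmcore actually writes.

```shell
#!/usr/bin/env bash
# Added example (not from the course): scripted memory acquisition of a
# VirtualBox VM with VBoxManage, plus SHA-256 recording and verification.
# Assumes VBoxManage is on PATH. VM_NAME, EVIDENCE_DIR and custody.log
# are names chosen for this example.

# Resolve a VM name to its UUID from `vboxmanage list vms` output on stdin.
# Each line has the form: "VM name" {uuid}
vm_uuid_from_list() {
    wanted="$1"
    while IFS= read -r line; do
        case "$line" in
            "\"$wanted\" {"*"}")
                line="${line##*\{}"          # strip everything up to the brace
                printf '%s\n' "${line%\}}"   # strip the closing brace
                return 0
                ;;
        esac
    done
    return 1
}

# SHA-256 of a file using whichever tool the host has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Write "<hash>  <basename>" next to the evidence file and print the hash.
record_hash() {
    h=$(sha256_of "$1") || return 1
    printf '%s  %s\n' "$h" "$(basename "$1")" > "$1.sha256"
    printf '%s\n' "$h"
}

# Recompute the hash and compare with the recorded one; a non-zero exit
# means the evidence no longer matches what was recorded at acquisition.
verify_hash() {
    recorded=$(awk '{print $1}' "$1.sha256") || return 1
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# Pause the VM so its memory stops changing, dump it, hash the dump and
# append a custody line. This is the only function that touches VBoxManage.
acquire_memory() {
    name="$1"; dir="$2"
    mkdir -p "$dir"
    uuid=$(VBoxManage list vms | vm_uuid_from_list "$name") || {
        echo "VM '$name' not found in 'VBoxManage list vms'" >&2; return 1; }
    # file name derived from the VM name; dumpvmcore writes an ELF64 core
    out="$dir/$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')-memory.elf"
    # pausing an already-paused VM returns an error, which is fine here
    VBoxManage controlvm "$uuid" pause >/dev/null 2>&1 || true
    VBoxManage debugvm "$uuid" dumpvmcore --filename="$out" || return 1
    h=$(record_hash "$out") || return 1
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$uuid" "$out" "$h" \
        >> "$dir/custody.log"
    printf 'wrote %s (sha256 %s)\n' "$out" "$h"
}

# Constructed sample of `vboxmanage list vms` output (not real machines),
# used to exercise vm_uuid_from_list without VirtualBox present.
SAMPLE_VM_LIST='"Kali" {1a2b3c4d-1111-2222-3333-444455556666}
"MSEdge - Win10" {f0e1d2c3-aaaa-bbbb-cccc-ddddeeeeffff}'

# Acquisition runs only when VM_NAME is set, e.g.
#   VM_NAME="MSEdge - Win10" EVIDENCE_DIR=~/Documents/Evidence bash acquire-memory.sh
if [ -n "${VM_NAME:-}" ]; then
    acquire_memory "$VM_NAME" "${EVIDENCE_DIR:-Evidence}"
fi
```

Re-run verify_hash on the dump before every analysis session or hand-off; the custody.log line ties the hash to the VM UUID and the acquisition time, which is what you will be asked for if the evidence is challenged.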