Windows Forensics

Memory acquisition of the target system

As we examine our incident response setup, you'll notice the compromised virtual machine in the background. It's currently paused and greyed out, which preserves the state of our target system: a paused guest cannot execute code, so its memory and disk stay exactly as they were at containment.

Now we're going to proceed with evidence acquisition, adhering strictly to the order of volatility. In digital forensics, this principle dictates that we collect the most volatile data first, because it is the first to be lost. In this case, we'll start with the system's memory dump, followed by the disk image. These two artifacts will form the cornerstone of our subsequent analysis.

Before we begin the acquisition process, we need a secure storage location on our host system. I prefer to create a dedicated evidence folder within my Documents directory, which keeps everything organised and easy to reach during the investigation. Let's go ahead and create this folder now and simply name it 'Evidence'.

Remember, maintaining the integrity of our evidence is paramount. Each step we take must be documented and repeatable so that our findings hold up in potential legal proceedings. A hardware write-blocker is the usual safeguard when imaging physical media; with a paused virtual machine the hypervisor reads the guest's memory and disk for us without modifying them, so our integrity control is to calculate and record a hash of each artifact as soon as it is acquired, and to verify that hash before every later use.


Now that we've created our evidence folder, we'll store the memory dump and disk image here. VirtualBox ships a command-line utility, VBoxManage, that can export guest memory, manage virtual disks, and adjust VM settings. For efficiency, let's open a terminal directly in this folder so that output files land in the evidence folder without any path juggling.


Here's my terminal, opened in the Documents folder. We'll be using the utility VBoxManage (typed as 'vboxmanage'), which is central to our forensic acquisition process.

vboxmanage


For Windows users: You can access this utility by either specifying the full path (typically C:\Program Files\Oracle\VirtualBox\VBoxManage.exe) or by adding the VirtualBox directory to your PATH environment variable. Once set up, you can use the 'vboxmanage' command as I'll demonstrate on my MacBook.

To run the utility by pointing to the full path:

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"


Alternatively, add the VirtualBox folder to your PATH environment variable for the current Command Prompt session (this setting is not persisted; a new window will need it again or a permanent entry in the system environment settings):

SET PATH=%PATH%;C:\Program Files\Oracle\VirtualBox

This allows you to run 'vboxmanage' from any directory. Choose whichever method suits your workflow best.

After adding to PATH, you can simply use the vboxmanage command directly:

vboxmanage.exe


The 'vboxmanage' utility offers numerous subcommands, but we're particularly interested in the one that dumps guest memory:

vboxmanage debugvm <VM name or UUID> dumpvmcore --filename=<output file>

This writes the guest's physical memory to the named file. The VM must be powered on for debugvm to reach it; paused is ideal, because the guest cannot change state while the dump is taken. One point worth recording in your notes: whatever extension you give the output, dumpvmcore produces an ELF core file (VirtualBox's core-dump layout, with the guest RAM in its load segments), not a flat raw image. Memory-analysis tools that understand VirtualBox core dumps read it directly; a tool that expects a flat raw dump has to be told the format or given a converted copy.

To identify our target VM, we list the machines registered in VirtualBox:

vboxmanage list vms

Each line shows a VM's display name in quotes followed by its UUID in braces. Either value can be passed to debugvm, but the UUID is unambiguous even if two machines share a name.

In my case, I have multiple VMs, but we're focusing on the MSEdge Windows 10 machine. Copy its UUID (the value in braces) for use in the memory dump command.

Now we'll execute our memory dump command from the evidence folder:

vboxmanage debugvm <UUID> dumpvmcore --filename="Windows 10 memory.raw"

Replace <UUID> with the identifier of the MSEdge machine (or your target VM) and choose your own output name; the quotes are only needed because this file name contains spaces. This writes the dump of the VM's memory into the evidence folder.


The extraction process will take some time. Once complete, you should see a new file named 'Windows 10 memory.raw' in the evidence folder, approximately 4GB in size, corresponding to the VM's assigned memory (the ELF headers and metadata add only a little on top of the guest RAM). Running the file utility against it should report an ELF core file; note that in your acquisition log so whoever analyses the dump loads it as a VirtualBox core rather than a flat raw image.


As a crucial step in our forensic process, we need to calculate and record the hash of this file. This lets us detect any subsequent modification and lets anyone who receives the evidence confirm they hold the same bytes. We'll use the 'shasum' utility and redirect its output to a text file:

shasum "Windows 10 memory.raw" > "Windows 10 memory hash.txt"

This creates a text file containing the SHA-1 hash of our evidence file followed by its name, the line format that shasum -c can later check. Two caveats: shasum defaults to SHA-1, and many evidence-handling policies now require SHA-256 (shasum -a 256) because SHA-1 collisions are practical; and the hash only proves integrity from the moment it was taken, so compute it immediately after acquisition and record it together with the date, time and your name. Always verify this hash before processing or sharing the evidence.
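The whole procedure above (find the VM, dump its memory, hash the result) as one script, added here as a worked example; it is not VirtualBox's tooling or part of the original course material. It assumes VBoxManage is on PATH or that its path is supplied in a VBOXMANAGE environment variable, and that the guest is already paused. The function names, the ".sha256" record naming and the refusal to overwrite existing files are this example's own choices; it records SHA-256 rather than the SHA-1 that bare shasum produces, and inspects the dump's ELF header so the acquisition log states the true format.

```shell
#!/bin/sh
# Added example for this page: wraps `vboxmanage list vms` and
# `vboxmanage debugvm ... dumpvmcore` into one acquisition step that refuses
# to overwrite existing evidence, records a SHA-256, and checks what format
# the dump actually is. Assumption: VBoxManage is on PATH, or its path is
# given in $VBOXMANAGE.

VBOXMANAGE="${VBOXMANAGE:-vboxmanage}"

# SHA-256 of a file, using whichever digest tool the host provides
# (coreutils on Linux, shasum on macOS, openssl as a last resort).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Write "<sha256>  <file>", the line format `sha256sum -c` / `shasum -c` read.
record_hash() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$1" > "$2"
}

# Recompute the digest and compare it with the first field of the record file.
verify_hash() {
    [ "$(sha256_of "$1")" = "$(awk 'NR == 1 { print $1 }' "$2")" ]
}

# Resolve a VM display name or UUID to its UUID. `vboxmanage list vms`
# prints one VM per line in the form:  "Display Name" {uuid}
vm_uuid() {
    "$VBOXMANAGE" list vms | awk -v want="$1" '
        {
            uuid = $NF; gsub(/[{}]/, "", uuid)
            name = $0; sub(/ \{[^}]*\}$/, "", name); gsub(/"/, "", name)
            if (name == want || uuid == want) { print uuid; exit }
        }'
}

# e_type, the 16-bit little-endian field at offset 16 of an ELF header
# (ET_CORE is 4). Prints 0 for files too short to have one.
elf_type() {
    f=$1
    set -- $(od -An -t u1 -j 16 -N 2 "$f" 2>/dev/null)
    echo $(( ${1:-0} + ${2:-0} * 256 ))
}

# dumpvmcore writes an ELF core file whatever extension you pick, so check
# the magic bytes rather than trusting a ".raw" name.
dump_format() {
    if [ "$(head -c 4 "$1")" = "$(printf '\177ELF')" ] && [ "$(elf_type "$1")" -eq 4 ]; then
        echo elf-core
    else
        echo raw-or-unknown
    fi
}

# Dump guest memory for VM $1 (name or UUID) to file $2 and record its hash
# in "$2.sha256". The VM must be powered on; paused is ideal. Returns
# non-zero on any failure and never overwrites an existing file.
acquire_memory() {
    vm=$1
    out=$2
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing evidence: $out" >&2
        return 1
    fi
    uuid=$(vm_uuid "$vm")
    if [ -z "$uuid" ]; then
        echo "no registered VM matches: $vm" >&2
        return 1
    fi
    "$VBOXMANAGE" debugvm "$uuid" dumpvmcore --filename="$out" || return 1
    if [ ! -s "$out" ]; then
        echo "dump file is missing or empty: $out" >&2
        return 1
    fi
    record_hash "$out" "$out.sha256"
    echo "acquired $out ($(dump_format "$out")), hash recorded in $out.sha256"
}

# Typical use against the paused MSEdge guest from this page:
#   acquire_memory "MSEdge - Win10" "win10-memory.raw"
#   verify_hash "win10-memory.raw" "win10-memory.raw.sha256" && echo intact
```

Run it from the evidence folder so the dump and its hash record are created side by side. The overwrite refusal matters more than it looks: re-running an acquisition by accident would silently replace the artifact whose hash you already logged.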
