What is Random Access Memory?

  • Published 30 Sep 2024

Comments • 13

  • @DFIRScience  2 years ago +1

    We have a whole course on RAM acquisition and analysis! Get 5% off FULL COURSE with this link learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=TH-camRAM5

  • @ciaobello1261  2 years ago +1

    Sorry for the noob question... is it possible to collect RAM evidence from a virtual machine if the machine is in a suspended/paused mode?

    • @DFIRScience  2 years ago +1

      From "inside" the virtual machine, no. But if the virtual machine is suspended, then a copy of RAM has most likely been written to the host machine. You can also use the virtual machine manager to dump the memory of the virtual machine. If everything else failed, you can copy the RAM of the host machine that will contain the memory of the virtual machine, but that would be difficult to investigate.

    • @ciaobello1261  2 years ago

      @DFIRScience Thank you for your reply

    • @Nonoss75  2 years ago +2

      If the software is Workstation (but I assume it is also true for other software), you can find *.vmem and *.vmss files in the virtual machine folder.
      These are the RAM of your suspended machine, and you need both to work with Volatility, for example.
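      As an added example (not code from DFIRScience, VMware, or the commenter), the script below does the acquisition bookkeeping a forensic examiner would want before handing a suspended VM's memory to an analysis tool: it walks a VM folder, pairs each `.vmem` with its `.vmss` by base name, flags any orphaned file, and records size and SHA-256 for each file. The folder layout, file names, and file contents in `demo()` are constructed for the demonstration; real suspend files are much larger.

```python
"""Pair VMware suspend-state files (.vmem + .vmss) and hash them for the
acquisition record. Added example, not code from the video or VMware.
The demo directory, names and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for real suspend files (real ones are GBs in size).
DEMO_VMEM = b"\x00" * 4096 + b"constructed guest memory page\n"
DEMO_VMSS = b"\xd2\xbe\xd2\xbe" + b"constructed suspend state\n"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspend_pairs(vm_dir) -> dict:
    """Group .vmem/.vmss files by base name.

    Returns {"complete": {base: {"vmem": info, "vmss": info}},
             "incomplete": {base: [present extensions]}}.
    A base is only usable for analysis when both files are present.
    """
    groups: dict = {}
    for p in Path(vm_dir).iterdir():
        ext = p.suffix.lower()
        if p.is_file() and ext in (".vmem", ".vmss"):
            groups.setdefault(p.stem, {})[ext[1:]] = p

    result = {"complete": {}, "incomplete": {}}
    for stem, files in groups.items():
        if "vmem" in files and "vmss" in files:
            result["complete"][stem] = {
                kind: {
                    "path": str(path),
                    "size": path.stat().st_size,
                    "sha256": sha256_file(path),
                }
                for kind, path in files.items()
            }
        else:
            # One half is missing: note it rather than silently analysing it.
            result["incomplete"][stem] = sorted(files)
    return result


def expected_demo_hashes() -> dict:
    """Hashes of the constructed contents, for checking the record."""
    return {
        "vmem": hashlib.sha256(DEMO_VMEM).hexdigest(),
        "vmss": hashlib.sha256(DEMO_VMSS).hexdigest(),
    }


def demo() -> dict:
    """Build a constructed VM folder: one complete pair and one orphan .vmem."""
    tmp = Path(tempfile.mkdtemp(prefix="vmfolder-"))
    (tmp / "win10.vmem").write_bytes(DEMO_VMEM)
    (tmp / "win10.vmss").write_bytes(DEMO_VMSS)
    (tmp / "orphan.vmem").write_bytes(DEMO_VMEM)   # no matching .vmss
    (tmp / "win10.vmx").write_text("displayName = \"win10\"\n")  # ignored
    return find_suspend_pairs(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

      Run it against a copy of the VM folder, not the live one, and keep the `.vmem` and `.vmss` together in the same directory when pointing Volatility at the image; the hashes recorded here are what you compare against after the analysis to show the evidence was not modified.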

    • @ciaobello1261  2 years ago

      @Nonoss75 Cool, thanks for the advice

  • @SALTINBANK  2 years ago

    Great video and thanks to dumping ram we can also bypass AES-256 XTS on warm and cold boot attacks ...
    Extract the FVEK from FS or RAM and mount the volume with BDE lib to mount the FS & Volatility to extract the key ...

    • @DFIRScience  2 years ago

      Yes, it can. The original plugin to dump FVEK can be found here: github.com/volatilityfoundation/community/tree/master/MarcinUlikowski
      There are a few others that have written something based on the original: github.com/breppo/Volatility-BitLocker
      If you get the key you can use dislocker or Arsenal Image Mounter. Good luck!

  • @jawadikram5989  2 years ago

    hahahaha

  • @Jenu-vh8yg  2 years ago

    Man, I missed this kind of tutorial, lol. Great work here, thanks!!!

    • @DFIRScience  2 years ago

      Thanks a lot! I'm working on a few more.

    • @niklasrabener7555  11 months ago

      😢😂😢😢😊😂😊1😂😂😢😢😢😂😮