Oracle VM VirtualBox Forensics In Windows



Virtual machines use a portable, hardware-independent environment to perform essentially the same role as an actual computer. Activities performed under the virtual umbrella leave trails mostly in the VM image files and not on the host computer. The ability to analyze virtual machines becomes essential when performing digital investigations.


VBoxManage is the command-line interface to Oracle VM VirtualBox. With it, you can completely control Oracle VM VirtualBox from the command line of your host operating system. It supports all the features that the GUI gives you access to, but it supports a lot more than that. It exposes all the features of the virtualization engine, even those that cannot be accessed from the GUI. The VBoxManage utility can be found at the following location:


<%SYSTEMROOT%>\Program Files\Oracle\VirtualBox\VBoxManage.exe


To list all the VMs available in the system, enter the following command:


C:\Users\JOSEPH>vboxmanage list vms
"Windows 7" {621ee4af-dd94-452e-a204-1bd982120dd5}
"Metasploitable Linux" {c13eb99e-84fb-430f-90f2-837207ca34f8}
"Kali" {a3907521-4b91-4518-8098-511744e7da93}
"CSI Linux 2021.2" {c9365f17-20ba-4dda-9f43-95e7a43677af}
"Ubuntu" {797001f0-9f5d-4090-944d-255e9a62a0a8}
"Ubuntu Server" {170b7ed7-b8d5-45a4-b256-1f9a200346d4}


To obtain verbose information for each of the available VMs, modify the above command by adding the -l switch (or the --long flag) as shown below. The output lists every registered VM together with detailed information such as its configuration, hardware details and settings.


C:\Users\JOSEPH>vboxmanage list vms -l
Name:                        Windows 7
Encryption:     disabled
Groups:                      /
Guest OS:                    Windows 7 (64-bit)
UUID:                        621ee4af-dd94-452e-a204-1bd982120dd5
Config file:                 C:\Users\JOSEPH\VirtualBox VMs\Windows 7\Windows 7.vbox
Snapshot folder:             C:\Users\JOSEPH\VirtualBox VMs\Windows 7\Snapshots
Log folder:                  C:\Users\JOSEPH\VirtualBox VMs\Windows 7\Logs
Hardware UUID:               621ee4af-dd94-452e-a204-1bd982120dd5
Memory size:                 2048MB
Page Fusion:                 disabled
VRAM size:                   100MB
CPU exec cap:                100%
HPET:                        disabled
CPUProfile:                  host
Chipset:                     piix3
Firmware:                    BIOS
Number of CPUs:              2


Identify, and note the UUID of the Virtual Machine of interest from the above output. In live investigations, you may be interested in listing only the Virtual Machines that are currently running. This can be done using the command below:


C:\Users\JOSEPH>vboxmanage list runningvms
"Windows 7" {621ee4af-dd94-452e-a204-1bd982120dd5}


If the computer system is powered on when you arrive at the scene, obtain a memory dump of the host operating system as well as of each running VM. A quick indicator of an active Oracle VM VirtualBox installation is the ipconfig /all command, since a default installation typically adds a VirtualBox Host-Only Ethernet Adapter that shows up in its output.



Another handy command that can reveal the presence of Oracle VM VirtualBox on the machine, especially if the suspect has added it to PATH, is:


C:\Users\JOSEPH>where vboxmanage
C:\Program Files\Oracle\VirtualBox\VBoxManage.exe


Once it has been established that Oracle VM VirtualBox is installed on the suspect's computer, the investigator can obtain a list of running VMs by entering the command discussed above. A memory dump of each running VM can be obtained with the command below (in my case the Windows 7 VM is running). Navigate to the directory of the vboxmanage utility (<%SYSTEMROOT%>\Program Files\Oracle\VirtualBox\) via the Windows command prompt before entering the command. You can specify the VM name as it is shown in the Oracle VM VirtualBox GUI or enter its UUID as revealed by the previous commands. Note that if the name contains spaces, you must enclose the entire name in double quotes.


vboxmanage debugvm "Windows 7" dumpvmcore --filename=D:\Hackware\Win7.dmp
vboxmanage debugvm 621ee4af-dd94-452e-a204-1bd982120dd5 dumpvmcore --filename=D:\Hackware\Win7.dmp
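A scripted version of the acquisition procedure above, added here as an example and not taken from the original post: it locates VBoxManage, dumps every running VM by UUID and hashes each dump for the custody record. The D:\Hackware destination folder and the acquisition.log file name are assumptions.

```powershell
# Added example (not from the original post). Assumes VBoxManage is in PATH or in
# its default install folder, and that $Dest (hypothetical) is a writable evidence drive.
param([string]$Dest = "D:\Hackware")

$vbm = (Get-Command vboxmanage -ErrorAction SilentlyContinue).Source
if (-not $vbm) { $vbm = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" }
if (-not (Test-Path $vbm)) { throw "VBoxManage.exe not found; VirtualBox may not be installed" }

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$log = Join-Path $Dest "acquisition.log"

# 'list runningvms' prints one line per running VM in the form: "Name" {uuid}
foreach ($line in (& $vbm list runningvms)) {
    if ($line -match '^"(?<name>.+)"\s+\{(?<uuid>[0-9a-f-]{36})\}$') {
        $name = $Matches.name; $uuid = $Matches.uuid
        $stamp = Get-Date -Format "yyyyMMdd_HHmmss"
        $safe = $name -replace '[^\w-]', '_'
        $out = Join-Path $Dest ("{0}_{1}.dmp" -f $safe, $stamp)

        # Address the VM by UUID so a name containing spaces needs no quoting
        & $vbm debugvm $uuid dumpvmcore "--filename=$out"
        if ($LASTEXITCODE -ne 0) {
            Add-Content $log "$(Get-Date -Format o) FAILED name='$name' uuid=$uuid"
            continue
        }

        # Hash and size go into the log so the dump can be verified later
        $hash = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
        $size = (Get-Item $out).Length
        Add-Content $log "$(Get-Date -Format o) name='$name' uuid=$uuid file=$out size=$size sha256=$hash"
    }
}
Get-Content $log
```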


Now you can convert this core dump to a memory dump using Volatility's imagecopy plugin as shown below:


C:\Users\JOSEPH>volatility -f D:\Hackware\win7.dmp imagecopy -O D:\Hackware\win7.raw
Volatility Foundation Volatility Framework 2.6
Writing data (5.00 MB chunks): |.........................................................................................................................................................................................................................................................................................................................................................................................................................................................|


Volatility can now ingest this file like any other memory dump.


C:\Users\JOSEPH>volatility -f D:\Hackware\win7.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Hackware\win7.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002801070L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80002802d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2023-06-23 05:55:39 UTC+0000
     Image local date and time : 2023-06-22 22:55:39 -0700


When a Virtual Machine is created on the Oracle VM VirtualBox hypervisor, a directory holding its configuration and Virtual Hard Disks is created for each Virtual Machine under the following folder:


<%SYSTEMROOT%>\Users\<Username>\VirtualBox VMs



To create a forensic image of the suspect virtual hard disk for offline analysis, enter the following command:


C:\Windows\system32>vboxmanage clonehd "C:\Users\JOSEPH\VirtualBox VMs\Windows 7\Windows 7.vdi" "D:\Win7.001" --format raw
0%...


This command clones the Virtual Hard Disk or VDI file as a bitstream image with the specified path and filename. Wait for the process to complete. It may take some time depending on the size of the virtual machine's disk.


After the process is completed, you should have a bitstream image of the specified VirtualBox virtual disk at the location you provided. This can then be analyzed using offline forensics tools.
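An added example (not from the original post) that automates the disk imaging step for one VM: it parses vboxmanage list hdds to find every disk the VM uses, including snapshot differencing disks, clones each as a raw image and records the SHA256. The VM name, the D:\Evidence destination and the disk_images.log file name are assumptions.

```powershell
# Added example (not from the original post). Assumes VBoxManage is in PATH and
# that $VmName and $Dest (both hypothetical) are supplied by the examiner.
param([string]$VmName = "Windows 7", [string]$Dest = "D:\Evidence")

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$log = Join-Path $Dest "disk_images.log"

# 'list hdds' prints one block per registered disk, separated by blank lines, with
# "Key: value" fields such as UUID, Parent UUID, Location, Storage format, In use by VMs.
$disks = @(); $cur = @{}
foreach ($line in (& vboxmanage list hdds)) {
    if ($line.Trim() -eq "") { if ($cur.Count) { $disks += $cur; $cur = @{} }; continue }
    if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $cur[$Matches.k.Trim()] = $Matches.v.Trim() }
}
if ($cur.Count) { $disks += $cur }

# Keep only disks this VM uses. "Parent UUID: base" marks a base image; anything else
# is a differencing disk created by a snapshot, which records changes since that snapshot.
$mine = $disks | Where-Object { $_["In use by VMs"] -like "$VmName (UUID:*" }
if (-not $mine) { throw "no disks registered for VM '$VmName'" }

foreach ($d in $mine) {
    $src = $d["Location"]
    $isDiff = $d["Parent UUID"] -and $d["Parent UUID"] -ne "base"
    $suffix = if ($isDiff) { "_snapshot_child" } else { "_base" }
    $dst = Join-Path $Dest ([IO.Path]::GetFileNameWithoutExtension($src) + $suffix + ".001")

    # clonemedium --format RAW writes a flat, sector-for-sector copy of the virtual disk
    & vboxmanage clonemedium disk $src $dst --format RAW
    if ($LASTEXITCODE -ne 0) { Add-Content $log "$(Get-Date -Format o) FAILED $src"; continue }

    $h = (Get-FileHash -Algorithm SHA256 -Path $dst).Hash
    Add-Content $log "$(Get-Date -Format o) $src -> $dst storage=$($d['Storage format']) sha256=$h"
}
Get-Content $log
```

Image both the base disk and every differencing disk so the snapshot chain can be reconstructed; the base image alone reflects the disk state at the time the first snapshot was taken.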

