ab2pentest/VirtualBox_SavedState_Parser

VirtualBox Saved State Parser (For Forensics)

Description:

  1. This tool was used back in 2014 for the ASIS-QUALS-2014 CTF challenge.

  2. I found this tool to be interesting and decided to save it here in my GitHub repository. I am not sure who the original author of the tool is, but I wanted to preserve it for future reference and potentially contribute to its development.

  3. Also, be aware that this tool uses the liblzf library.

LZF is an extremely fast (not that much slower than a pure memcpy)
compression algorithm. It is ideal for applications where you want to
save *some* space but not at the cost of speed. It is ideal for
repetitive data as well. The module is self-contained and very small.

Usage

Before we can use the tool, we need to clone or download it to our local machine.

git clone https://github.com/ab2pentest/VirtualBox_SavedState_Parser

After that, we need to compile both programs (parsevbox is built together with the bundled lzf_d.c decompressor):

gcc parsevbox.c lzf_d.c -o parsevbox
gcc extract_screenshot.c -o extract_screenshot


Once we have compiled both files, we can run the tool by following these steps:

./parsevbox path/to/name.sav

The process of running the tool may take several minutes, as it decompresses the .sav file and generates additional files that may be useful for forensic analysis.
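Before spending several minutes on a decompression run, and before handing an untrusted .sav to a C parser of unknown authorship, it is worth checking that the file really is a VirtualBox saved state and that its header is intact. The block below is an added example for this page, not code from the repository: it parses the 64-byte file header that VirtualBox's SSM code writes at the start of a .sav. The field layout and the magic string follow my reading of VirtualBox's SSM.cpp for the "V2.0" format, and the checksum is assumed to be a standard CRC-32 over the header with the CRC field zeroed; both are assumptions to verify against the VirtualBox version that produced your file. All function and constant names are mine.

```python
# Added example (not part of the original repository): parse and verify the
# 64-byte file header (SSMFILEHDR) at the start of a VirtualBox .sav before
# handing the file to any decompressor. Field layout and magic follow my
# reading of VirtualBox's SSM.cpp for the "V2.0" format; the checksum is
# assumed to be a standard CRC-32 (IPRT's RTCrc32) computed with the CRC
# field zeroed. Verify both against the VirtualBox version that wrote the file.
import struct
import zlib

SSM_HDR_FMT = "<32sHHIIBBBBIIII"   # little-endian, packed, 64 bytes
SSM_HDR_SIZE = struct.calcsize(SSM_HDR_FMT)
SSM_MAGIC_BASE = b"\x7fVirtualBox SavedState "
SSM_MAGIC_V2_0 = b"\x7fVirtualBox SavedState V2.0\n"
SSM_FLAG_STREAM_CRC32 = 0x1      # assumed: stream carries CRC-32 checked blocks
SSM_FLAG_STREAM_LIVE_SAVE = 0x2  # assumed: file written by a live save


def build_ssm_header(units, flags, max_decompr, major=4, minor=3, build=0,
                     svn=0, host_bits=64, cb_gcphys=8, cb_gcptr=8) -> bytes:
    """Build a V2.0 header with a correct CRC (used for constructed test data)."""
    fields = [SSM_MAGIC_V2_0.ljust(32, b"\0"), major, minor, build, svn,
              host_bits, cb_gcphys, cb_gcptr, 0, units, flags, max_decompr, 0]
    raw = struct.pack(SSM_HDR_FMT, *fields)
    fields[-1] = zlib.crc32(raw) & 0xFFFFFFFF
    return struct.pack(SSM_HDR_FMT, *fields)


def parse_ssm_header(blob: bytes) -> dict:
    """Validate magic, CRC and plausibility of the header; raise ValueError
    on anything that should stop a forensic run before decompression."""
    if len(blob) < SSM_HDR_SIZE:
        raise ValueError("file shorter than the saved-state header")
    raw = blob[:SSM_HDR_SIZE]
    (magic, major, minor, build, svn, host_bits, cb_gcphys, cb_gcptr,
     reserved, units, flags, max_decompr, crc) = struct.unpack(SSM_HDR_FMT, raw)
    if not magic.startswith(SSM_MAGIC_BASE):
        raise ValueError("not a VirtualBox saved state")
    if magic.rstrip(b"\0") != SSM_MAGIC_V2_0:
        raise ValueError("unsupported saved-state format %r" % magic.rstrip(b"\0"))
    # The CRC covers the whole header with its own field set to zero.
    expected = zlib.crc32(raw[:SSM_HDR_SIZE - 4] + b"\0\0\0\0") & 0xFFFFFFFF
    if crc != expected:
        raise ValueError("header CRC mismatch: stored %08x, computed %08x"
                         % (crc, expected))
    if reserved != 0 or host_bits not in (32, 64) \
            or cb_gcphys not in (4, 8) or cb_gcptr not in (4, 8):
        raise ValueError("implausible header field values")
    return {
        "version": (major, minor, build),
        "svn_rev": svn,
        "host_bits": host_bits,
        "cb_gcphys": cb_gcphys,
        "cb_gcptr": cb_gcptr,
        "units": units,
        "flags": flags,
        "stream_crc32": bool(flags & SSM_FLAG_STREAM_CRC32),
        "live_save": bool(flags & SSM_FLAG_STREAM_LIVE_SAVE),
        # Writer's claimed maximum decompressed size: treat it as an
        # untrusted hint, not as a safe allocation size.
        "max_decompr": max_decompr,
        "crc": crc,
    }


def check_sav_file(path: str) -> dict:
    """Read just the header of a .sav on disk and validate it."""
    with open(path, "rb") as f:
        return parse_ssm_header(f.read(SSM_HDR_SIZE))
```

A CRC mismatch on a file you pulled from a disk image is itself a finding: it means the header was modified or the file is truncated or partially overwritten, which changes how much you can trust what parsevbox dumps from it.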


Great! Now that the tool has finished running, we can examine the output files to see what they contain.


To extract the screenshot from the output, we can follow these steps:

  1. Locate the *.sav-DisplayScreenshot.out file in the output directory and rename it to vbox.img-DisplayScreenshot.out, the name extract_screenshot expects:
mv *.sav-DisplayScreenshot.out vbox.img-DisplayScreenshot.out
  2. Run the extract_screenshot tool and, when prompted, enter the path of the directory containing vbox.img-DisplayScreenshot.out. This generates three files, out.png, out.raw and out.ppm, in that same directory.

These files should contain the screenshot data, which we can view or analyze as needed.


We can now preview the out.png image file to see the screenshot.


Links

Original tool link: https://www.dropbox.com/sh/vtsk0ji7pqhje42/AABY57lRqinlwZpo8t9zzGYka

Original tool writeup (in Turkish): ASIS-QUALS-2014