Extracting RAM from VirtualBox session

Posted on May 28, 2019 by A.McHugh

Over the last few months I have been playing with Cuckoo, and reworking its function to suit my own requirements. Part of this has involved the separation of components within Cuckoo into functional units.

This particular component relates to extracting the RAM from a VirtualBox machine for analysis once the VM's run has finished.

For this to work we need to make sure Volatility and VirtualBox are installed, along with objdump (binutils), which the script below relies on.

Once the VirtualBox VM is running (the core dump is taken from the live VM), here is what we do to capture its memory:

#!/bin/bash
# Usage: ./dumpram.sh <vm-name>   (the VM must be running)
vboxmanage debugvm "$1" dumpvmcore --filename="$1.elf"
# The guest's physical memory is the ELF section named load1; read its size and file offset
size=0x$(objdump -h "$1.elf" | grep -w load1 | tr -s " " | cut -d " " -f 4)
off=0x$(objdump -h "$1.elf" | grep -w load1 | tr -s " " | cut -d " " -f 7)
# Carve that section out of the core file into a raw memory image
head -c $((size+off)) "$1.elf" | tail -c +$((off+1)) > "$1.raw"
rm "$1.elf"
volatility -f "$1.raw" imageinfo
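As an added example (not code from the original post), the same carving done by parsing the ELF program headers directly instead of scraping objdump output. It goes one step beyond the script above: a core with more than one load segment (a VM with RAM above the 4 GB hole) is handled by concatenating the segments in guest-physical-address order and zero-filling the gaps, so an offset into the raw file equals a guest physical address. The `build_sample_core` helper and `SAMPLE_CORE` are constructed toy input, not a real VirtualBox dump.

```python
import struct

PT_LOAD, PT_NOTE = 1, 4  # ELF program-header types

def load_segments(elf: bytes):
    """Return (guest_paddr, file_offset, size) for every PT_LOAD in a 64-bit LE ELF core."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF core")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_off, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_paddr, p_off, p_filesz))
    return sorted(segs)  # guest-physical-address order

def carve_ram(elf: bytes) -> bytes:
    """Concatenate the load segments, zero-filling holes between RAM ranges,
    so that an offset into the result equals the guest physical address."""
    out = bytearray()
    for paddr, off, size in load_segments(elf):
        out.extend(b"\x00" * (paddr - len(out)))  # hole between RAM ranges
        out.extend(elf[off:off + size])
    return bytes(out)

def build_sample_core(regions):
    """Construct a toy ELF64 core: one PT_NOTE plus one PT_LOAD per (paddr, data).
    Sample input only; not a real VirtualBox dump."""
    phnum = len(regions) + 1
    data_off = 64 + 56 * phnum  # ELF header + program headers
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    note = b"\x00" * 8
    phdrs = struct.pack("<IIQQQQQQ", PT_NOTE, 0, data_off, 0, 0, len(note), len(note), 0)
    body = note
    for paddr, data in regions:
        phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 6, data_off + len(body),
                             paddr, paddr, len(data), len(data), 0x1000)
        body += data
    return ehdr + phdrs + body

# Constructed sample: two RAM ranges with a 16-byte hole between them.
SAMPLE_CORE = build_sample_core([(0x00, b"A" * 16), (0x20, b"B" * 8)])

if __name__ == "__main__":
    import sys  # usage: python carve.py vm.elf vm.raw
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "wb") as out:
        out.write(carve_ram(f.read()))
```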

This memory dump captures the VM's memory as it was during the run, but be aware that, depending on what is being analysed, it could be quite large, and it will need further analysis to strip out the elements that are not relevant to what you are investigating.

Categories: Digital Forensics & Incident Response, Operate. Tags: malware, ram, virtualbox, volatility
