Hey Adam,
Try running the vboxinfo plugin on your .elf file and look at the memory segmentation. Most likely you will see a range starting at 0xE0000000 which is for the virtualbox hardware device memory (vga, pci, etc). The imagecopy plugin will 0-pad your raw dump to be large enough to include those memory segments. This won't happen when you convert formats like crash, hiber, etc into raw because those don't contain the hardware memory ranges to begin with. A bit more info is in the meta-data section of https://code.google.com/p/volatility/wiki/VirtualBoxCoreDump.
Hope this helps,MHL
On Wed, Aug 28, 2013 at 2:34 PM, Adam Bridge <adam.bridge@yahoo.com> wrote:
Hi all,
I'm definitely still learning with memory forensics, but I can't get my
head around this one.
I created a Virtualbox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wcim os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
-- If you like, we could go PGP..?