Description
1) This tool was used back in 2014 for the ASIS-QUALS-2014 CTF challenge.
2) I found this tool to be interesting and decided to save it here in my GitHub repository. I am not sure who the original author of the tool is, but I wanted to preserve it for future reference and potentially contribute to its development.
3) Note that this tool uses the liblzf library.
LZF is an extremely fast (not that much slower than a pure memcpy)
compression algorithm. It is ideal for applications where you want to
save *some* space but not at the cost of speed. It is ideal for
repetitive data as well. The module is self-contained and very small.
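To show what the bundled lzf_d.c does when parsevbox decompresses a saved-state block, here is a small pure-Python decoder of the public LZF block format. It is an added example, not code from this repository or from liblzf, and the sample streams are constructed by hand rather than taken from a real .sav file.

```python
# Added example: an LZF block decompressor written from the public LZF stream
# layout (the format liblzf's lzf_d.c decodes for this tool). Not part of the
# parser repository. Sample inputs below are hand-constructed.

def lzf_decompress(src: bytes, max_out: int = 1 << 20) -> bytes:
    """Decode one LZF block.

    Control byte c:
      c < 32    -> literal run of c+1 bytes follows.
      otherwise -> back-reference: length = (c >> 5) + 2, plus one extra
                   length byte when (c >> 5) == 7;
                   offset = ((c & 0x1f) << 8) + next_byte + 1 bytes back.
    Raises ValueError on truncated input or a reference before the start of
    the output, which is what a corrupt or non-LZF block looks like.
    """
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        i += 1
        if c < 32:
            run = c + 1
            if i + run > n:
                raise ValueError("truncated literal run")
            out += src[i:i + run]
            i += run
        else:
            length = c >> 5
            if length == 7:
                if i >= n:
                    raise ValueError("truncated length byte")
                length += src[i]
                i += 1
            if i >= n:
                raise ValueError("truncated offset byte")
            offset = ((c & 0x1F) << 8) + src[i] + 1
            i += 1
            ref = len(out) - offset
            if ref < 0:
                raise ValueError("back-reference before start of output")
            # Copy byte by byte: the source may overlap the bytes being written.
            for _ in range(length + 2):
                out.append(out[ref])
                ref += 1
        if len(out) > max_out:
            raise ValueError("output exceeds max_out")
    return bytes(out)

# Constructed sample streams (hand-encoded, not from a real saved state).
SAMPLE_SHORT = bytes([0x02]) + b"abc" + bytes([0x80, 0x02])      # -> b"abcabcabc"
SAMPLE_LONG = bytes([0x01]) + b"ab" + bytes([0xE0, 0x0B, 0x01])  # -> b"ab" * 11
```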
Usage
Before we can use the tool, we need to clone or download it to our local machine.
git clone https://github.com/ab2pentest/VirtualBox_SavedState_Parser
After that we will need to compile it.
gcc parsevbox.c lzf_d.c -o parsevbox
gcc extract_screenshot.c -o extract_screenshot
Once we have compiled both files, we can run the tool by following these steps:
./parsevbox date_savedstateimage.sav
The process of running the tool may take several minutes, as it decompresses the .sav
file and generates additional files that may be useful for forensic analysis.
Great! Now that the tool has finished running, we can examine the output files to see what they contain.
To extract the screenshot from the output, we can follow these steps:
1) Locate the file *.sav-DisplayScreenshot.out in the output directory and rename it to vbox.img-DisplayScreenshot.out.
2) Run the extract_screenshot tool. This will generate three files: out.png, out.raw, and out.ppm.
These files should contain the screenshot data, which we can view or analyze as needed.
mv *.sav-DisplayScreenshot.out vbox.img-DisplayScreenshot.out
./extract_screenshot
We can now preview the out.png image file to see the screenshot.
Links
Original tool link: https://www.dropbox.com/sh/vtsk0ji7pqhje42/AABY57lRqinlwZpo8t9zzGYka
Original tool writeup (in Turkish): ASIS-QUALS-2014