Created by Blue Cape Security, LLC for the Practical Windows Forensic (PWF) course, highlighting important Windows forensic processes and artifacts.


Data Collection

⚠️ Suspend the Virtual Machine before taking memory images.

VirtualBox

Memory

vboxmanage list vms
vboxmanage debugvm <VM_UUID> dumpvmcore --filename win10-mem.raw

Note: dumpvmcore writes an ELF core file (the .raw name is only a label); memory analysis tools with VirtualBox core-dump support read it directly.

Disk

vboxmanage list vms
vboxmanage showvminfo <VM_UUID>
vboxmanage clonemedium disk <disk_UUID> win10-disk.raw --format RAW

VMware

Memory

Collect .vmem, .vmss, and .vmsn files.

Disk

Collect .vmdk files for the snapshot.

Merge split files:

"C:\Program Files (x86)\VMware\VMware Player\vmware-vdiskmanager.exe" -r <disk>.vmdk -t 0 MyNewImage.vmdk

(-r converts the split disk; -t 0 writes a single growable virtual disk file.)


Hashing

# Windows
Get-FileHash -Algorithm SHA1 <file>

# Mac/Linux
shasum <file>
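Added example (not part of the PWF materials): a small Python script that streams SHA-1 over each collected file, records the hashes in a shasum -c compatible manifest, and re-verifies after the evidence is moved. The file names win10-mem.raw and win10-disk.raw are constructed samples, not real images.

```python
"""Added example: SHA-1 manifest for acquired evidence, matching the
Get-FileHash -Algorithm SHA1 / shasum step. File names are constructed."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB reads; memory and disk images do not fit in RAM


def file_sha1(path):
    """SHA-1 hex digest of a file, the same value Get-FileHash and shasum print."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(evidence_dir, manifest="manifest.sha1"):
    """Record '<sha1>  <relative path>' per file (the format `shasum -c` reads)."""
    root = Path(evidence_dir)
    lines = [f"{file_sha1(p)}  {p.relative_to(root).as_posix()}"
             for p in sorted(root.rglob("*")) if p.is_file() and p.name != manifest]
    (root / manifest).write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(evidence_dir, manifest="manifest.sha1"):
    """Recompute each hash after transfer; map path -> OK / MISMATCH / MISSING."""
    root = Path(evidence_dir)
    results = {}
    for line in (root / manifest).read_text().splitlines():
        expected, name = line.split("  ", 1)
        p = root / name
        results[name] = ("MISSING" if not p.is_file()
                         else "OK" if file_sha1(p) == expected else "MISMATCH")
    return results


def demo():
    """Constructed evidence set: hash it, then damage one file, lose another, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "win10-mem.raw").write_bytes(b"abc")            # constructed, not a real image
        (root / "win10-disk.raw").write_bytes(b"\x00" * 4096)   # constructed, not a real image
        write_manifest(root)
        clean = verify_manifest(root)
        (root / "win10-disk.raw").write_bytes(b"\x00" * 4095 + b"\x01")  # simulate corruption
        (root / "win10-mem.raw").unlink()                                  # simulate lost file
        return clean, verify_manifest(root)
```

Run demo() to see a clean verification followed by one MISMATCH and one MISSING entry.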