Dumping Memory

Discussion in 'General Questions' started by ShaneK1, Oct 16, 2021.

  1. ShaneK1

    ShaneK1 Bit poster

    Messages:
    3
    I know that I can run "prlctl list -a" to get the list of VMs and then run "prlctl internal UUID dbgdump --path ~/somepath" to dump the memory of a VM. However, is there a way to dump the memory from a snapshot without having to turn it back on? I see that in the Snapshots directory there is a file called {UID}.mem, but this is not properly formatted to be utilized with a tool like Volatility. Well, at least when I tried it, it didn't work. If it's possible, I would like to be able to perform memory forensics on a snapshot without having to turn it back on, which could potentially stomp on any important artifacts.
     
  2. GampaA@P

    GampaA@P Pro

    Messages:
    443
  3. ShaneK1

    ShaneK1 Bit poster

    Messages:
    3
    That article is not for "clearing" a memory dump. The article also doesn't address the question.

    Is it possible to dump the memory of a snapshotted VM "without having to revert to said snapshot and power it on", since there is already a mem file present? As I mentioned previously, the mem file that is present is not the same format as the one that is created with the prlctl command.
     
  4. GampaA@P

    GampaA@P Pro

    Messages:
    443
  5. ShaneK1

    ShaneK1 Bit poster

    Messages:
    3
    Yes, that is the first thing I stated in my original question. It only works on running VMs. So, in other words, the answer is "no".
    It would be great if people actually read the questions before they provided an answer.
     
  6. DebasmitaM

    DebasmitaM Forum Maven

    Messages:
    1,142
    Hi, please let us know which version of Parallels Desktop you are using.
     
