Dumping Memory

Discussion in 'General Questions' started by ShaneK1, Oct 16, 2021.

  1. ShaneK1

    ShaneK1 Bit Poster

    Messages:
    2
    I know that I can run "prlctl list -a" to get the list of VMs and then run "prlctl internal UUID dbgdump --path ~/somepath" to dump the memory of a VM. However, is there a way to dump the memory from a snapshot without having to turn it back on? I see that in the Snapshots directory there is a file called {UID}.mem, but this is not properly formatted to be utilized with a tool like Volatility. Well, at least when I tried it, it didn't work. If it's possible, I would like to be able to perform memory forensics on a snapshot without having to turn it back on, which could potentially stomp on any important artifacts.
     
  2. GampaA@Parallels

    GampaA@Parallels Staff Member

    Messages:
    183
  3. ShaneK1

    ShaneK1 Bit Poster

    Messages:
    2
    That article is not for "clearing" a memory dump. The article also doesn't address the question.

    Is it possible to dump the memory of a snapshotted VM "without having to revert to said snapshot and power it on", since there is already a mem file present? As I mentioned previously, the mem file that is present is not the same format as the one that is created with the prlctl command.
     
  4. GampaA@Parallels

    GampaA@Parallels Staff Member

    Messages:
    183
