I know that I can run "prlctl list -a" to get the list of VMs and then run "prlctl internal UUID dbgdump --path ~/somepath" to dump the memory of a VM. However, is there a way to dump the memory from a snapshot without having to turn it back on? I see that in the Snapshots directory there is a file called {UID}.mem, but this is not properly formatted to be utilized with a tool like Volatility. Well, at least when I tried it, it didn't work. If it's possible, I would like to be able to perform memory forensics on a snapshot without having to turn it back on, which could potentially stomp on any important artifacts.
Hello @ShaneK1, please follow the KB article https://kb.parallels.com/en/123708 to clear the dump. Thanks, Parallels Team
That article is not for "clearing" a memory dump. The article also doesn't address the question. Is it possible to dump the memory of a snapshotted VM "without having to revert to said snapshot and power it on", since there is already a mem file present? As I mentioned previously, the mem file that is present is not the same format as the one that is created with the prlctl command.
Hello @ShaneK1, please follow the KB article https://kb.parallels.com/en/121323 to collect the dump memory on VM. Thanks, Parallels Team.
Yes, that is the first thing I stated in my original question. It only works on running VMs. So, in other words, the answer is "no". It would be great if people actually read the questions before they provided an answer.