VirtualBox Saved State Parser

Description

1) This tool was used back in 2014 for the ASIS-QUALS-2014 CTF challenge.

2) I found this tool to be interesting and decided to save it here in my GitHub repository. I am not sure who the original author of the tool is, but I wanted to preserve it for future reference and potentially contribute to its development.

3) Also note that this tool uses the liblzf library.

LZF is an extremely fast (not that much slower than a pure memcpy)
compression algorithm. It is ideal for applications where you want to
save *some* space but not at the cost of speed. It is ideal for
repetitive data as well. The module is self-contained and very small.
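The saved state image is LZF-compressed, so the parser has to decode that format before it can reach the device state (including the screenshot). The following is an added example, not the repository's own lzf_d.c: a small decoder for the liblzf wire format (control byte below 32 means a literal run of control+1 bytes; otherwise the top three bits give the back-reference length minus 2, with 7 meaning "add the next byte", and the low five bits plus the following byte give the distance minus 1). Unlike the bare decoder, it checks every read and write against the buffer bounds, which is what you want when the .sav file you are parsing comes from a machine you do not trust. All sample inputs below are constructed by hand for the example.

```c
#include <stdio.h>
#include <string.h>

/* Decode one liblzf-format stream into out[], refusing any step that would
 * read past the input, write past the output, or reference bytes before the
 * start of the output. Returns the decompressed length, or -1 if malformed. */
long lzf_decompress_checked(const unsigned char *in, size_t in_len,
                            unsigned char *out, size_t out_cap)
{
    const unsigned char *ip = in, *in_end = in + in_len;
    unsigned char *op = out, *out_end = out + out_cap;

    while (ip < in_end) {
        unsigned int ctrl = *ip++;

        if (ctrl < 32u) {
            /* Control byte 0..31: a literal run of ctrl+1 bytes follows. */
            size_t run = ctrl + 1;
            if ((size_t)(in_end - ip) < run)  return -1;   /* truncated input  */
            if ((size_t)(out_end - op) < run) return -1;   /* output too small */
            memcpy(op, ip, run);
            ip += run;
            op += run;
        } else {
            /* Control byte >= 32: back-reference. Length is stored minus 2 in
             * the top 3 bits (7 = "add next byte"); distance is stored minus 1
             * as (low 5 bits << 8) + next byte. */
            size_t len  = ctrl >> 5;
            size_t dist = (size_t)(ctrl & 0x1fu) << 8;
            if (len == 7) {
                if (ip >= in_end) return -1;
                len += *ip++;
            }
            if (ip >= in_end) return -1;
            dist += *ip++;
            dist += 1;
            len  += 2;
            if (dist > (size_t)(op - out))    return -1;   /* points before output start */
            if ((size_t)(out_end - op) < len) return -1;   /* output too small           */
            const unsigned char *ref = op - dist;
            while (len--)
                *op++ = *ref++;   /* byte-wise so an overlapping copy repeats the pattern */
        }
    }
    return (long)(op - out);
}

/* Constructed sample: literal "abc", then a 6-byte reference at distance 3.
 * Returns 1 when the decoder produces "abcabcabc". */
int demo_overlap(void)
{
    static const unsigned char in[] = { 0x02, 'a', 'b', 'c', 0x80, 0x02 };
    unsigned char out[32];
    long n = lzf_decompress_checked(in, sizeof in, out, sizeof out);
    return n == 9 && memcmp(out, "abcabcabc", 9) == 0;
}

/* Constructed sample: literal "A", then a 19-byte reference at distance 1
 * using the extended-length byte (7 + 10). Returns 1 for twenty 'A's. */
int demo_long_run(void)
{
    static const unsigned char in[] = { 0x00, 'A', 0xE0, 0x0a, 0x00 };
    unsigned char out[32];
    long n = lzf_decompress_checked(in, sizeof in, out, sizeof out);
    if (n != 20) return 0;
    for (long i = 0; i < n; i++)
        if (out[i] != 'A') return 0;
    return 1;
}

/* Constructed malformed inputs; each should be rejected with -1. */
long demo_bad_ref(void)        /* reference before any output exists */
{
    static const unsigned char in[] = { 0x80, 0x00 };
    unsigned char out[32];
    return lzf_decompress_checked(in, sizeof in, out, sizeof out);
}
long demo_truncated(void)      /* literal run of 6 with only 1 byte present */
{
    static const unsigned char in[] = { 0x05, 'a' };
    unsigned char out[32];
    return lzf_decompress_checked(in, sizeof in, out, sizeof out);
}
long demo_output_limit(void)   /* valid stream, but caller's buffer is too small */
{
    static const unsigned char in[] = { 0x02, 'a', 'b', 'c', 0x80, 0x02 };
    unsigned char out[4];
    return lzf_decompress_checked(in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("overlap=%d long_run=%d bad_ref=%ld truncated=%ld limit=%ld\n",
           demo_overlap(), demo_long_run(), demo_bad_ref(),
           demo_truncated(), demo_output_limit());
    return 0;
}
```

The three rejection cases are the ones that matter for a forensic tool: a crafted .sav file can carry a back-reference that points before the output buffer, a literal run longer than the remaining input, or more output than the caller allocated, and a decoder that does not check for these will read or write out of bounds.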

Usage

Before we can use the tool, we need to clone or download it to our local machine.

git clone https://github.com/ab2pentest/VirtualBox_SavedState_Parser

After that we will need to compile the two programs.

gcc parsevbox.c lzf_d.c -o parsevbox
gcc extract_screenshot.c -o extract_screenshot

Once we have compiled both files, we can run the tool by following these steps:

./parsevbox date_savedstateimage.sav

The process of running the tool may take several minutes, as it decompresses the .sav file and generates additional files that may be useful for forensic analysis.

Great! Now that the tool has finished running, we can examine the output files to see what they contain.

To extract the screenshot from the output, we can follow these steps:

1) Locate the file *.sav-DisplayScreenshot.out in the output directory and rename it to vbox.img-DisplayScreenshot.out.

2) Run the extract_screenshot tool. This will generate three files: out.png, out.raw, and out.ppm.

These files should contain the screenshot data, which we can view or analyze as needed.

mv *.sav-DisplayScreenshot.out vbox.img-DisplayScreenshot.out
./extract_screenshot

We can now preview the out.png image file to see the screenshot.

Links

Original tool link: https://www.dropbox.com/sh/vtsk0ji7pqhje42/AABY57lRqinlwZpo8t9zzGYka

Original tool writeup (in Turkish): ASIS-QUALS-2014