Hyper-V Memory Forensics – MemProcFS to the Rescue!
Learn how to properly acquire memory from Microsoft Hyper-V guest virtual machines.
🎉 Update
After I recorded this episode, Ulf Frisk, the author of MemProcFS, let me know that he has made some updates that no longer require you to copy the vmsavedstatedumpprovider.dll file to the MemProcFS directory if the SDK is installed in the ***default*** location. If installed to a different location, the file must still be copied. Additionally, the requirement to prepend the Hyper-V checkpoint file with hvsavedstate:// has also been removed. Both changes now make this process even easier!
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
📖 Chapters
00:00 – Intro
00:43 – Preparation
06:35 – Using MemProcFS
🛠 Resources
MemProcFS:
MemProcFS Documentation:
Windows SDK: