Booting an image as a forensically sound VM in VirtualBox
Booting a forensic image as a Virtual Machine (VM) with freeware and open source tools (VirtualBox)

    Presentation Transcript

    • Booting an image as a forensically-sound VM in VirtualBox
      Brent Muir

    • Virtual Machine: Forensics
      - Forensically sound means that all steps are repeatable and the source data is not modified.
      - A VM allows dynamic forensic analysis (e.g. some password recovery; NirSoft tools can be run inside it).
      - A VM can be used to show exactly what the user saw.
      - This method is based on the research by Jimmy Weg (http://justaskweg.com).

    • VirtualBox
      All open source / freeware tools:
      - VirtualBox (v4.2.x)
      - FTK Imager (v3.x)
      - Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM passwords)
      - OpenGates (for hardware/driver issues)

    • STEP 1: MOUNTING YOUR IMAGE
      Using FTK Imager, mount your suspect's image as a physical disk (note which physical disk number it is allocated). FTK Imager mounts the image write-blocked, so the VM can read the disk but never write to it.

    • STEP 2: CREATE & MODIFY A VM
      To use VirtualBox you must create a blank .VMDK descriptor that points at the mounted disk:
      - Open CMD and navigate to the VirtualBox program folder (C:\Program Files\Oracle\VirtualBox).
      - Use the following command to create a VMDK file pointing to the physical disk of the mounted image:
        VBoxManage internalcommands createrawvmdk -filename "path_to_wherever_you_want_to_store.vmdk" -rawdisk \\.\PhysicalDriveXX
        (XX being the physical drive number of the mounted image)

    • STEP 2: CREATE & MODIFY A VM
      Once the VMDK file has been created, open VirtualBox and create a new VM based on the suspect's machine:
      - Choose the same OS that was installed on the suspect's machine.

    • STEP 2: CREATE & MODIFY A VM
      Point to the newly created VMDK as the virtual hard disk.

    • STEP 2: CREATE & MODIFY A VM
      Remove the NIC, so the booted suspect OS has no network path to the examiner's host or anywhere else.

    • STEP 2: CREATE & MODIFY A VM
      Close the Settings window. Click "Start" and, straight away in the VM console window, click Machine > Take Snapshot. Then power off the VM (it won't boot properly anyway, as the physical drive is write-blocked and Windows needs to write to its disk during boot).

    • STEP 2: CREATE & MODIFY A VM
      Go back into Settings and highlight the Storage options. Remove the newly created raw VMDK file and add the snapshot VMDK file instead (C:\Users\user_account\VirtualBox VMs\...\Snapshots). The snapshot is a differencing disk: it receives every write the guest makes, while the raw VMDK (and therefore the image) is only ever read.

    • STEP 3: BLANKING SAM PASSWORDS
      In the Settings menu, add the Nordahl-Hagen boot ISO as a CD image.

    • STEP 3: BLANKING SAM PASSWORDS
      Start the VM and choose to boot from CD. Follow the command prompts to blank the desired password(s) and reboot the VM.

    • STEP 4: BOOTING YOUR VM
      You should now be able to boot the image as a VM. Ensure that the image is still mounted in FTK Imager under the same physical disk number, since the raw VMDK refers to that number and nothing else. Essentially what you have done is create a VMDK reference file which points to the physical disk, and blanked the SAM passwords on the snapshot of the system OS rather than on the image itself.
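    The same four steps driven from PowerShell, as an added example that is not part of Brent Muir's slides. It wraps the VBoxManage calls the slides describe, refuses to continue if any of them fails, and hashes the image file before and after the session so that "source data is not modified" is verified rather than assumed. One deliberate difference from the slides: the snapshot is taken while the VM is still powered off, which also produces a differencing VMDK under the VM's Snapshots folder and makes it the VM's current disk, so the start / snapshot / power off / reattach sequence on the slides is not needed. The image path, VM name, OS type, working folder, ISO file name and the disk number are placeholders; the read-only check assumes the FTK Imager mount appears in Get-Disk like any other disk. Run it from an elevated prompt, because VirtualBox needs administrator rights to open \\.\PhysicalDriveXX.

```powershell
# Added example (not from the slides): Steps 1-4 driven from PowerShell, with a
# SHA-256 check on the image file before and after the session. All paths, the
# VM name, the OS type and the disk number are placeholders for this example.
param(
    [string]$ImagePath  = 'D:\cases\case001\suspect.E01',  # image file already mounted in FTK Imager (assumed path)
    [int]   $DiskNumber = 3,                               # PhysicalDrive number shown by FTK Imager (assumed)
    [string]$VmName     = 'case001-suspect',
    [string]$OsType     = 'Windows7',                      # match the suspect OS; list with: VBoxManage list ostypes
    [string]$WorkDir    = 'D:\cases\case001\vm',
    [string]$ResetIso   = 'D:\tools\ntpasswd.iso'          # Nordahl-Hagen boot CD (file name assumed)
)
$ErrorActionPreference = 'Stop'
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$LogFile    = Join-Path $WorkDir 'session-hashes.txt'

function Invoke-VBoxManage {
    # Run VBoxManage and stop on any failure: a raw VMDK silently pointing at the
    # wrong PhysicalDrive is the kind of error this procedure cannot tolerate.
    param([string[]]$Arguments)
    & $VBoxManage @Arguments
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($Arguments -join ' ') exited with $LASTEXITCODE" }
}

function Get-ImageHash([string]$Path) {
    (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
}

function Write-Log([string]$Line) {
    Add-Content -Path $LogFile -Value "$(Get-Date -Format o)  $Line"
    Write-Output $Line
}

# STEP 1: the image is mounted by FTK Imager as a physical disk. Record the file hash
# now; the same hash at the end is the evidence that nothing reached the source data.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$hashBefore = Get-ImageHash $ImagePath
Write-Log "before: SHA256($ImagePath) = $hashBefore"

# Sanity-check the drive number against what Windows sees (Get-Disk needs Windows 8 /
# Server 2012 or later; it is assumed the FTK Imager mount is listed like any other disk).
$disk = Get-Disk -Number $DiskNumber
Write-Log ("using \\.\PhysicalDrive{0}: {1}, {2:N2} GB" -f $DiskNumber, $disk.FriendlyName, ($disk.Size / 1GB))
if (-not $disk.IsReadOnly) {
    # FTK Imager blocks writes in its own driver whether or not Windows sets this flag,
    # so this is a warning, not a stop; the hash comparison below is the authoritative check.
    Write-Warning "Windows does not flag PhysicalDrive$DiskNumber read-only; confirm it is the FTK Imager mount"
}

# STEP 2: raw VMDK descriptor for the mounted disk, then the VM around it.
$rawVmdk = Join-Path $WorkDir "$VmName-raw.vmdk"
Invoke-VBoxManage @('internalcommands', 'createrawvmdk', '-filename', $rawVmdk, '-rawdisk', "\\.\PhysicalDrive$DiskNumber")
Invoke-VBoxManage @('createvm', '--name', $VmName, '--ostype', $OsType, '--basefolder', $WorkDir, '--register')
# No NIC at all: the suspect OS must not talk to the network or the examiner's host once it boots.
Invoke-VBoxManage @('modifyvm', $VmName, '--memory', '2048', '--nic1', 'none')
Invoke-VBoxManage @('storagectl', $VmName, '--name', 'IDE', '--add', 'ide')
Invoke-VBoxManage @('storageattach', $VmName, '--storagectl', 'IDE', '--port', '0', '--device', '0',
                    '--type', 'hdd', '--medium', $rawVmdk)

# Snapshot while powered off. VirtualBox creates a differencing VMDK under
# $WorkDir\$VmName\Snapshots and makes it the VM's current disk, so every guest write
# (the password blanking included) lands there and the raw disk is only ever read.
# This stands in for the slides' start / snapshot / power off / reattach sequence.
Invoke-VBoxManage @('snapshot', $VmName, 'take', 'clean-before-boot', '--description', 'raw image, no guest writes yet')

# STEP 3: boot the Nordahl-Hagen CD first so the SAM passwords can be blanked.
Invoke-VBoxManage @('storageattach', $VmName, '--storagectl', 'IDE', '--port', '1', '--device', '0',
                    '--type', 'dvddrive', '--medium', $ResetIso)
Invoke-VBoxManage @('modifyvm', $VmName, '--boot1', 'dvd', '--boot2', 'disk', '--boot3', 'none', '--boot4', 'none')

# STEP 4: start the VM, follow the prompts in the console, then reboot into the suspect OS.
Invoke-VBoxManage @('startvm', $VmName, '--type', 'gui')
Read-Host 'Press Enter once the VM has been powered off to verify the image'

$hashAfter = Get-ImageHash $ImagePath
Write-Log "after:  SHA256($ImagePath) = $hashAfter"
if ($hashAfter -ne $hashBefore) {
    throw 'Image hash changed during the session: treat this run as NOT forensically sound'
}
Write-Log 'image hash unchanged: all guest writes were confined to the snapshot differencing disk'
```

    The `internalcommands createrawvmdk` syntax is the one the slides use and is valid for the VirtualBox 4.2 line; VirtualBox 7 moved raw-disk creation to `VBoxManage createmedium disk --variant RawDisk --property RawDrive=...`, so substitute that call on a current host. The session log written to session-hashes.txt is what you attach to your notes: two matching SHA-256 values bracketing the VM session are the repeatable evidence that the procedure left the image untouched.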
    • OpenGates
      Windows OSes often complain about hardware and system changes in relation to licensing/activation, which can result in an inaccessible VM. OpenGates allows you to:
      - patch the registry in order to enable legacy IDE drivers;
      - remove drivers that could conflict with the new (virtual) hardware;
      - determine the HAL in use.
      If you encounter this issue, start the VM with the OpenGates ISO as the first boot option and follow the prompts. Like the password blanking, these changes are written to the snapshot, not to the image.
    • REFERENCES
      - Nordahl-Hagen NT Password Reset Boot CD: http://pogostick.net/~pnh/ntpasswd/
      - NTPWEDIT: http://cdslow.webhost.ru/ntpwedit/
      - OpenGates: https://www.pinguin.lu/index.php
      - VirtualBox: http://www.virtualbox.org
      - Weg, J.: http://justaskweg.com/