Booting an image as a forensically sound vm in virtual box

Booting a forensic image as a Virtual Machine (VM) with freeware and open source tools (VirtualBox)

  1. Booting an image as a forensically-sound VM in VirtualBox (Brent Muir)
  2. Virtual Machine: Forensics
     - Forensically sound means that every step is repeatable and the source data is never modified. In this workflow that rests on two things: FTK Imager mounts the image read-only, and VirtualBox writes every guest change to a snapshot (differencing) disk rather than to the mounted image. Hash the image before and after the session to prove it.
     - A VM allows dynamic forensic analysis (e.g. some password recovery; NirSoft tools can be run inside the guest).
     - A VM can be used to show exactly what the user saw.
     - This method is based on the research by Jimmy Weg (http://justaskweg.com).
  3. VirtualBox. All open source / freeware tools:
     - VirtualBox (v4.2.x)
     - FTK Imager (v3.x)
     - Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM passwords)
     - OpenGates (for hardware/driver issues)
  4. STEP 1: MOUNTING YOUR IMAGE. Using FTK Imager (File > Image Mounting), mount the suspect's image as a physical disk with the read-only block-device mount method, and note which physical disk number (\\.\PhysicalDriveN) it is allocated; the VMDK created in Step 2 refers to that number, so the image must stay mounted as the same number for the rest of the procedure.
  5. STEP 2: CREATE & MODIFY A VM. To use VirtualBox you must create a blank .VMDK that references the physical disk.
     - Open an elevated (Run as Administrator) CMD window and navigate to the VirtualBox program folder (C:\Program Files\Oracle\VirtualBox); raw disk access fails without administrator rights.
     - Use the following command to create a VMDK file pointing to the physical disk of the mounted HD image:
       VBoxManage internalcommands createrawvmdk -filename "path_to_wherever_you_want_to_store.vmdk" -rawdisk \\.\PhysicalDriveX
       (X being the physical drive number of the mounted image noted in Step 1)
  6. STEP 2: CREATE & MODIFY A VM. Once the VMDK file has been created, open VirtualBox and create a new VM based on the suspect's machine. Choose the same OS that was installed on the suspect's machine.
  7. STEP 2: CREATE & MODIFY A VM. Point to the newly created VMDK as the virtual HD.
  8. STEP 2: CREATE & MODIFY A VM. Remove the NIC, so the suspect's system cannot reach the network (or the examiner's machine) when it boots.
  9. STEP 2: CREATE & MODIFY A VM. Close the Settings window. Click "Start" and, straight away in the VM console window, click Machine > Take Snapshot. Power off the VM (it won't boot properly anyway, as the physical drive is write-blocked).
  10. STEP 2: CREATE & MODIFY A VM. Go back into Settings and highlight the Storage options. Remove the newly created VMDK file as the attached disk and add the snapshot VMDK file instead (C:\Users\user_account\VirtualBox VMs\...\Snapshots). From this point every write the guest makes lands in that snapshot file; the raw VMDK and the mounted image stay untouched.
  11. STEP 3: BLANKING SAM PASSWORDS. In the Settings menu add the Nordahl-Hagen boot ISO as a CD image.
  12. STEP 3: BLANKING SAM PASSWORDS. Start the VM, choose to boot from CD, follow the command prompts to blank the desired password(s) and reboot the VM. The edited SAM hive is written to the snapshot disk only; the hive in the mounted image is not changed.
  13. STEP 4: BOOTING YOUR VM. You should now be able to boot the image as a VM. Ensure that you still have the image mounted under FTK Imager as the same physical disk number. Essentially what you have done is create a VMDK reference file which points to the physical disk, and blank the SAM passwords on the HD (or, in this case, on the snapshot of the system OS).
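The whole procedure from Step 1 to Step 4 can be driven from the command line instead of the VirtualBox GUI. The script below is an added example and is not from the slides or from Brent Muir: it records a SHA-256 of the image, creates the raw VMDK with the same createrawvmdk command the slides use, builds a VM with no network adapter, takes the snapshot while the VM is still powered off, optionally attaches the Nordahl-Hagen ISO as first boot device, starts the VM and re-hashes the image once it has been powered off. It relies on VirtualBox's own snapshot chain (writes go to the differencing disk under Snapshots) rather than manually reattaching the snapshot VMDK as slide 10 does; if the VM then refuses to boot, fall back to the slide's manual step. Assumed, and not stated in the slides: the default VBoxManage path, that FTK Imager has already mounted the image read-only as \\.\PhysicalDriveN, that this runs from an elevated PowerShell 4 or later session (Get-FileHash needs it), and the parameter names and defaults.

```powershell
# Added example (not from the slides): automate Steps 1-4 with VBoxManage and prove the image is unchanged.
# Assumptions: default VirtualBox install path; FTK Imager already mounted the image read-only as
# \\.\PhysicalDriveN; elevated PowerShell 4+ session. Parameter names/defaults are illustrative.
param(
    [Parameter(Mandatory)][string]$ImagePath,   # e.g. E:\cases\1234\suspect.E01 (hashed before and after)
    [Parameter(Mandatory)][int]$PhysicalDrive,  # number FTK Imager assigned, e.g. 2 for \\.\PhysicalDrive2
    [Parameter(Mandatory)][string]$VmName,      # e.g. Case1234-suspect
    [string]$OsType = "Windows7",               # see: VBoxManage list ostypes
    [string]$VmdkPath = "C:\Cases\suspect-raw.vmdk",
    [string]$NtpasswdIso = ""                   # optional Nordahl-Hagen ISO for Step 3
)
$ErrorActionPreference = "Stop"
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"

# Run VBoxManage and stop on any non-zero exit code instead of silently continuing.
function Invoke-VBox {
    param([string[]]$CmdArgs)
    & $VBoxManage @CmdArgs
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($CmdArgs -join ' ') failed (exit $LASTEXITCODE)" }
}

# createrawvmdk cannot open \\.\PhysicalDriveN without administrator rights, so refuse early.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session."
}

# Step 1 (forensic soundness): hash the image before anything touches the mounted disk.
$hashBefore = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
"Image SHA256 before: $hashBefore"

# Step 2a: raw VMDK that only references the mounted physical disk (same command as the slides).
$rawDisk = "\\.\PhysicalDrive$PhysicalDrive"
Invoke-VBox @("internalcommands", "createrawvmdk", "-filename", $VmdkPath, "-rawdisk", $rawDisk)

# Step 2b: create the VM to match the suspect machine, with no network adapter at all.
Invoke-VBox @("createvm", "--name", $VmName, "--ostype", $OsType, "--register")
Invoke-VBox @("modifyvm", $VmName, "--memory", "2048", "--nic1", "none")
Invoke-VBox @("storagectl", $VmName, "--name", "IDE", "--add", "ide")
Invoke-VBox @("storageattach", $VmName, "--storagectl", "IDE", "--port", "0", "--device", "0",
              "--type", "hdd", "--medium", $VmdkPath)

# Step 2c: snapshot while powered off. Every guest write from now on lands in the differencing
# disk under the VM's Snapshots folder, never in the raw VMDK or the mounted image.
Invoke-VBox @("snapshot", $VmName, "take", "clean-base", "--description", "Base before any change")

# Step 3 (optional): attach the Nordahl-Hagen ISO and boot from it first to blank SAM passwords.
if ($NtpasswdIso) {
    Invoke-VBox @("storageattach", $VmName, "--storagectl", "IDE", "--port", "1", "--device", "0",
                  "--type", "dvddrive", "--medium", $NtpasswdIso)
    Invoke-VBox @("modifyvm", $VmName, "--boot1", "dvd", "--boot2", "disk")
}

# Step 4: boot the VM (interactive), then re-hash the image once it has been powered off.
Invoke-VBox @("startvm", $VmName)
Read-Host "Press Enter after the VM has been powered off to verify the image hash"
$hashAfter = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
if ($hashAfter -ne $hashBefore) {
    throw "Image hash changed: $hashBefore -> $hashAfter (source data was modified!)"
}
"Image SHA256 after:  $hashAfter (unchanged)"
```

For a segmented image (E01, E02, ...) hash every segment, not just the first file; the hash comparison is what turns "the mount was read-only" into evidence that the source was not modified.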
  14. OpenGates. Windows OSes often complain about hardware and system changes in relation to licensing/activation, which can result in an inaccessible VM. OpenGates allows you to:
     - Patch the registry in order to enable legacy IDE drivers
     - Remove drivers that could conflict with the new hardware
     - Determine the HAL in use
     If you encounter this issue, start the VM with the OpenGates ISO as the first boot option and follow the prompts.
  15. REFERENCES
     - Nordahl-Hagen NT Password Reset Boot CD: http://pogostick.net/~pnh/ntpasswd/
     - NTPWEDIT: http://cdslow.webhost.ru/ntpwedit/
     - OpenGates: https://www.pinguin.lu/index.php
     - VirtualBox: http://www.virtualbox.org
     - Weg, J.: http://justaskweg.com/
