VirtualBox images in Internet Evidence Finder (IEF)?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Post Posted: Fri Nov 16, 2012 6:48 am

I have several VirtualBox .img-files that I would like to analyze with Internet Evidence Finder (IEF) 5.6.6. Unfortunately IEF refuses to import them claiming they are not possible to mount due to "missing segments". I can mount them both in Linux and in FTK Imager without any problems though.

Has anyone else encountered this problem, and is there a workaround?

Perhaps I should also mention that the images have been created for validation purposes so the workaround may involve changes to the process for creating them.


Best Regards,

/J  

Jofre
Newbie
 
 
  

Re: VirtualBox images in Internet Evidence Finder (IEF)?

Post Posted: Fri Nov 16, 2012 7:01 am

Try mounting the VirtualBox .img files in FTK Imager as a physical disk and then point IEF to that disk.

Alternatively, you could use the command-line version of VirtualBox to convert the .img file into a dd for IEF to analyse:

./VBoxManage clonehd <uuid|filename> <outputfile> --format RAW

chrism
Senior Member
 
 
  

Re: VirtualBox images in Internet Evidence Finder (IEF)?

Post Posted: Fri Nov 16, 2012 9:49 am

Thank you for your answer Chrism.

I have tried both your suggestions.
Mounting the image file through FTK Imager works, but only allows for Sector Level searches in IEF. Better than nothing though.

When I tried the VirtualBox CLI command on the .img file I received an error about "unrecognized format" and got no output file. Strange. It _is_ the .img file I should use in that command and not one of the other VirtualBox files? (The virtual machines were parked in Saved States when I copied the .img files)  

Jofre
Newbie
 
 
  

Re: VirtualBox images in Internet Evidence Finder (IEF)?

Post Posted: Fri Nov 16, 2012 10:18 am

Hi Jofre,

Please try updating to the latest version of IEF (v5.7) as I believe that will resolve this issue for you.

Also, can you advise how many partitions exist in this image, and which filesystem(s)?

Kind regards,
Jad  

MagnetForensics
Member
 
 
  

Re: VirtualBox images in Internet Evidence Finder (IEF)?

Post Posted: Mon Nov 19, 2012 6:31 am

Hello Jad,

I installed IEF 5.7 and now it accepts the VirtualBox images without any problems. :)
My manager agreed to change the validation baseline to include version 5.7 instead of 5.6.6 so I'm in the process of analyzing the images now.

The images each contain four NTFS partitions.

Thank you for your answer!

Best Regards,

/J  

Jofre
Newbie
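
Added example, not part of any post in this thread: before converting or importing a file like the .img files discussed above, it helps to confirm what container it actually is and whether its partition table fits inside the file. The sketch below classifies the first sector by magic value (VDI signature at offset 64, "KDMV" for sparse VMDK, 0x55AA boot signature for a raw MBR disk), lists the primary partitions, and reports any that extend past the end of the file. Function names are hypothetical and the four-partition NTFS sample MBR is constructed for the demonstration.

```python
import struct

SECTOR = 512
VDI_SIGNATURE = 0xBEDA107F  # little-endian u32 at offset 64 of a VDI header

def identify_container(head):
    """Classify an image by magic values found in its first sector."""
    if len(head) >= 68 and struct.unpack_from("<I", head, 64)[0] == VDI_SIGNATURE:
        return "vdi"
    if head[:4] == b"KDMV":
        return "vmdk-sparse"
    if len(head) >= SECTOR and head[510:512] == b"\x55\xaa":
        return "raw"  # plain sector dump with an MBR boot signature
    return "unknown"

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR."""
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count:  # type 0 or zero length means unused slot
            parts.append({"index": i, "type": entry[4],
                          "start_lba": start, "sectors": count})
    return parts

def partitions_past_eof(parts, image_size):
    """Indexes of partitions whose last sector lies beyond the file size."""
    return [p["index"] for p in parts
            if (p["start_lba"] + p["sectors"]) * SECTOR > image_size]

def build_sample_mbr(layout):
    """Constructed sample: an MBR with NTFS (type 0x07) entries."""
    mbr = bytearray(SECTOR)
    for i, (start, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0, b"\0\0\0", 0x07, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    sample = build_sample_mbr([(2048, 1000), (3048, 1000),
                               (4048, 1000), (5048, 1000)])
    print(identify_container(sample))
    for part in parse_mbr(sample):
        print(part)
    # Pretend the file is only 5000 sectors long (constructed truncation).
    print(partitions_past_eof(parse_mbr(sample), 5000 * SECTOR))
```

To use it on a real file, read the first 512 bytes and pass them in together with the file size from os.path.getsize().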
 
 