VirtualBox images in Internet Evidence Finder (IEF)?

Jofre
(@jofre)
Posts: 10
Active Member
Topic starter
 

I have several VirtualBox .img-files that I would like to analyze with Internet Evidence Finder (IEF) 5.6.6. Unfortunately IEF refuses to import them claiming they are not possible to mount due to "missing segments". I can mount them both in Linux and in FTK Imager without any problems though.

Has anyone else encountered this problem, and is there a workaround?

Perhaps I should also mention that the images have been created for validation purposes so the workaround may involve changes to the process for creating them.

Best Regards,

/J

 
Posted : 16/11/2012 4:48 pm
(@chrism)
Posts: 97
Trusted Member
 

Try mounting the VirtualBox .img files in FTK Imager as a physical disk and then point IEF to that disk.

Alternatively, you could use the command-line version of VirtualBox to convert the .img file into a dd for IEF to analyse:

./VBoxManage clonehd <uuid>|<filename> <outputfile> --format RAW

 
Posted : 16/11/2012 5:01 pm
Jofre
(@jofre)
Posts: 10
Active Member
Topic starter
 

Thank you for your answer Chrism.

I have tried both your suggestions.
Mounting the image file through FTK Imager works, but only allows for Sector Level searches in IEF. Better than nothing though.

When I tried the VirtualBox CLI command on the .img file I received an error about "unrecognized format" and got no output file. Strange. It _is_ the .img file I should use in that command and not one of the other VirtualBox files? (The virtual machines were parked in Saved States when I copied the .img files)

 
Posted : 16/11/2012 7:49 pm
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

Hi Jofre,

Please try updating to the latest version of IEF (v5.7) as I believe that will resolve this issue for you.

Also, can you advise how many partitions exist in this image, and which filesystem(s)?

Kind regards,
Jad

 
Posted : 16/11/2012 8:18 pm
Jofre
(@jofre)
Posts: 10
Active Member
Topic starter
 

Hello Jad,

I installed IEF 5.7 and now it accepts the VirtualBox images without any problems. :-)
My manager agreed to change the validation baseline to include version 5.7 instead of 5.6.6 so I'm in the process of analyzing the images now.

The images each contain four NTFS partitions.

Thank you for your answer!

Best Regards,

/J

 
Posted : 19/11/2012 4:31 pm
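
An added example, not part of the thread: when one tool rejects an image that another mounts, a quick check is to classify the file by its header (VDI, VMDK, dynamic VHD, or raw with an MBR) and list the MBR partitions with an NTFS boot-sector test. The function names and the four-partition sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512

def container_format(head: bytes) -> str:
    """Classify a disk image from its first bytes."""
    if len(head) >= 68 and struct.unpack_from("<I", head, 64)[0] == 0xBEDA107F:
        return "vdi"        # VirtualBox VDI signature after the 64-byte text header
    if head[:4] == b"KDMV":
        return "vmdk"       # VMware sparse extent
    if head[:8] == b"conectix":
        return "vhd"        # dynamic VHD (footer copy at offset 0)
    if len(head) >= SECTOR and head[510:512] == b"\x55\xaa":
        return "raw-mbr"    # raw/dd image starting with an MBR
    return "unknown"

def mbr_partitions(f):
    """Return (type, start_lba, sectors, is_ntfs) for each used MBR slot."""
    f.seek(0)
    mbr = f.read(SECTOR)
    found = []
    for i in range(4):
        ptype = mbr[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype == 0 or count == 0:
            continue        # empty slot
        f.seek(start * SECTOR)
        boot = f.read(SECTOR)
        # An NTFS volume carries the OEM ID "NTFS    " at offset 3 of its boot sector
        found.append((ptype, start, count, boot[3:11] == b"NTFS    "))
    return found

def build_sample() -> bytes:
    """Constructed raw image with four tiny NTFS-typed partitions (not evidence data)."""
    img = bytearray(SECTOR * 9)
    for i in range(4):
        start = 1 + 2 * i
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, 0, 0x07, start, 2)
        img[start * SECTOR + 3: start * SECTOR + 11] = b"NTFS    "
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    print(container_format(sample[:SECTOR]))
    for part in mbr_partitions(io.BytesIO(sample)):
        print(part)
```

For a real image, pass the first 512 bytes of the file to `container_format` and an `open(path, "rb")` handle to `mbr_partitions`.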