Odd question

MrNereus
Newbie
 

Odd question

Posted: Mar 13, 16 21:25

I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file: what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment. I'm having difficulties finding information around forensic analysis of bootable environments. I'm only finding information around bootable forensic environments.
Would you happen to know of any resources that could help me?
 
  

jaclaz
Senior Member
 

Re: Odd question

Posted: Mar 14, 16 01:30

- MrNereus
I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file: what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment. I'm having difficulties finding information around forensic analysis of bootable environments. I'm only finding information around bootable forensic environments.
Would you happen to know of any resources that could help me?

The usual steps are:
1) find the bootable environment
2) use forensic tools on it
3) profit

Now, the difficult part is #1. Seriously, if the suspect used a LiveCD or other "RAM only" environment, or a USB stick that wasn't found/seized (and he/she did it "properly"), you won't really find *anything* on the internal hard disk/mass storage device.
And, even if you actually find this "bootable environment", it may be tough to prove that it has actually been used, and when.

After all, a forensic bootable environment is something that is designed to NOT leave traces on the internal hard disk/mass storage device, but, due to its characteristics, it can well be used as an anti-forensics environment. As an example, a WinFE is a "normal" PE with a few specific Registry settings that can be used to carry on "normal" computer activities on a daily basis, but in a "volatile" mode.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

keydet89
Senior Member
 

Re: Odd question

Posted: Mar 14, 16 20:19

I'm having a bit of trouble following what you're attempting to do...

- MrNereus
I'm writing a twenty-page paper on virtual forensics and the absence of the virtual hard disk file: what data to look for to continue an investigation if the user destroyed the virtual image, or used a bootable environment.


Okay, here's where I'm having difficulty...what, exactly, are you trying to determine? The use of a virtual image (.vmdk, .vhd), or of a bootable environment (presumably something akin to a bootable CD)? Or are you simply using the terminology to refer to the same thing...a .vmdk or .vhd?

- MrNereus
I'm having difficulties finding information around forensic analysis of bootable environments.


This may be because it's already been covered in detail.

Let's look at an example...say, you're looking specifically at a Windows environment, and you want to know if a user booted their Windows system, logged in, and launched a .vhd. At that point, the .vhd is likely itself a Windows environment, so there's no difference in analyzing this environment; it's just a Windows system in a different "container".

The same thing is true if what you're looking at is a .vmdk file (launched via VMware or VirtualBox).

If the virtual environment that was booted is destroyed, it's no different from "destroying" the hard drive of a bare metal "environment".  
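The reply above treats a .vhd or .vmdk as "just a Windows system in a different container". A first triage step, before handing the container to the usual tools, is to confirm what the container actually is and that its metadata is intact, since a renamed or truncated file can hide behind any extension. The following is an added example, not code from the thread or from any forensic product: it identifies VHD and VMDK containers by signature rather than by file name, and for a VHD it parses and checksum-verifies the 512-byte footer (the `conectix` cookie, disk type, sizes, creator and creation timestamp counted from the VHD epoch of 2000-01-01). The sample image, creator tag `tst ` and creation date are constructed values, not taken from any real disk.

```python
"""Identify VHD / VMDK container files by signature and validate the VHD footer.

Added example (not from the original thread). Field layout follows the published
VHD footer format; the sample image at the bottom is constructed for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

VHD_FOOTER_LEN = 512
VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # VHD timestamps count seconds from here
VHD_DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
# Big-endian layout of the first 84 footer bytes: cookie, features, format version,
# data offset, timestamp, creator app, creator version, host OS, original size,
# current size, geometry, disk type, checksum, unique id. A saved-state byte and
# 427 reserved bytes follow to make up 512.
VHD_FOOTER_FMT = ">8sIIQI4sI4sQQIII16s"
VHD_CHECKSUM_OFFSET = 64


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum field excluded."""
    total = sum(footer[:VHD_CHECKSUM_OFFSET]) + sum(footer[VHD_CHECKSUM_OFFSET + 4:])
    return (~total) & 0xFFFFFFFF


def build_vhd_footer(size_bytes: int, disk_type: int, created: datetime) -> bytes:
    """Construct a footer for a test image (hypothetical values, not from a real disk)."""
    seconds = int((created - VHD_EPOCH).total_seconds())
    # Fixed disks have no dynamic header, signalled by an all-ones data offset.
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else VHD_FOOTER_LEN
    head = struct.pack(VHD_FOOTER_FMT, b"conectix", 2, 0x00010000, data_offset,
                       seconds, b"tst ", 0x00010000, b"Wi2k",
                       size_bytes, size_bytes, 0, disk_type, 0, b"\x00" * 16)
    footer = bytearray(head + b"\x00" * (VHD_FOOTER_LEN - len(head)))
    struct.pack_into(">I", footer, VHD_CHECKSUM_OFFSET, vhd_checksum(footer))
    return bytes(footer)


def parse_vhd_footer(footer: bytes) -> Optional[dict]:
    """Return the footer's metadata, or None if this is not a VHD footer at all."""
    if len(footer) != VHD_FOOTER_LEN or footer[:8] != b"conectix":
        return None
    stored = struct.unpack_from(">I", footer, VHD_CHECKSUM_OFFSET)[0]
    fields = struct.unpack(VHD_FOOTER_FMT, footer[:struct.calcsize(VHD_FOOTER_FMT)])
    (_, _, _, _, seconds, creator, _, host_os, orig, cur, _, dtype, _, uid) = fields
    return {
        "format": "vhd",
        # A failed checksum means a truncated, edited or corrupted footer: flag it
        # rather than silently trusting the remaining fields.
        "checksum_ok": stored == vhd_checksum(footer),
        "disk_type": VHD_DISK_TYPES.get(dtype, f"unknown({dtype})"),
        "creator": creator.decode("ascii", "replace").strip(),
        "host_os": host_os.decode("ascii", "replace").strip(),
        "original_size": orig,
        "current_size": cur,
        "created": VHD_EPOCH + timedelta(seconds=seconds),
        "uuid": uid.hex(),
    }


def identify_virtual_disk(data: bytes) -> dict:
    """Classify a file's bytes by container signature, ignoring its extension."""
    if data[:4] == b"KDMV":  # VMDK sparse extent magic
        return {"format": "vmdk-sparse-extent", "checksum_ok": None}
    if data.startswith(b"# Disk DescriptorFile"):  # VMDK text descriptor
        return {"format": "vmdk-descriptor", "checksum_ok": None}
    if len(data) >= VHD_FOOTER_LEN:
        # Fixed VHDs carry the footer only at the end; dynamic and differencing
        # disks also mirror it at offset 0, so check both positions.
        for candidate in (data[-VHD_FOOTER_LEN:], data[:VHD_FOOTER_LEN]):
            parsed = parse_vhd_footer(candidate)
            if parsed is not None:
                return parsed
    return {"format": "unknown", "checksum_ok": None}


# Constructed sample: a 64 KiB fixed VHD whose payload is all zeros (no real disk data).
SAMPLE_FIXED_VHD = b"\x00" * 65536 + build_vhd_footer(
    65536, 2, datetime(2016, 1, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(identify_virtual_disk(SAMPLE_FIXED_VHD))
```

Run against a real file by reading it into `data` and calling `identify_virtual_disk`; for large images read only the first and last 512 bytes. A `vhd` result with `checksum_ok` set to `False` is worth noting in the examination log, since it means the footer does not match its own checksum and the size and timestamp fields should not be relied on until the cause is understood.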
 
