We have a server-case with two files and didn't receive any further information from the hosting company:
1. raw image
2. memory dump (Volatility labeled it as 'QemuCoreDumpElf')
I can mount the raw image file and load it in forensic tools. I can see/browse the file/folder structure. No problems so far.
But we also would like to boot this machine.
Things I tried:
- convert raw to vmdk and boot in VMware >> can select the OS to boot but while loading the OS it hangs after ~10 seconds;
- mount the raw image and present it as physical to VMware >> No operating system found
- Since the memory dump hints this machine was orinally QEMU-based I tried to boot in by running : qemu-system-x86_64 img.raw >> kernel panic
Is anything I can try to successfully boot this image?
When it comes to booting up images acquired from target disk, VFC is the answer you need. First you could use FTK Imager or Arsenal Image Mounter to mount the image you have in hand and use VFC to create snapshots out of emulated physical disk. VFC could analyze and identify the OS info without fail. You won't miss it~
Virtualizing evidence was one of my favourite things to do. Determine what OS is used and whether it uses EFI or BIOS. Set up the VM accordingly. If the Windows account has a password, boot the VM with a live Linux distro and blank out the password using chntpw. Virtualizing images is very straight forward in most cases. Red flags are encryption, both FDE and FBE, active secure boot with TPM and MacOS.Â
