VM Ware  

debaser_
(@debaser_)
Active Member

Does anyone use VMware in any part of the investigations? I use windows for my day to day tasks and hate to reboot to use a live cd or my debian install. I have decided just to create a virtual debian install under which to run TSK. Just wondering if anyone else goes for this approach.

Posted : 23/01/2006 11:06 pm
keydet89
(@keydet89)
Community Legend

To answer your first question, I use VMWare all the time. I have XP Home as my base system, and VM images for XP Pro, 2K, and 2K3. It's great for testing, imaging, etc.

Harlan

Posted : 24/01/2006 12:01 am
Andy
(@andy)
Active Member

Same here, IMHO VMWare is a must have for Forensic Computing. I have a library of guest OS's to work and play with. I like the 'Team' feature, where you can create virtual networks. Great for testing system settings and experiments.

Andy

Posted : 24/01/2006 1:13 am
bshavers
(@bshavers)
Active Member

I also use VMWare for restoration of images for several reasons.
1) When I don't have the software to view certain files from the suspect machine, I restore the image and view them that way;
2) To show to court, lawyers, or investigators what the suspect machine looked like when running (with video and screen captures as well). Jurors will more easily understand explanations of how programs are set to run automatically (as an example) when they can see it happening real time, just like their computer at home;
3) When a restoration is not possible on the suspect machine, and/or I expect lots of hardware issues on a different machine for restoration, I'll do it in VMWare instead of a real machine as VMWare takes care of many restoration issues.
4) To prove/disprove allegations that the computer has a 'ghost/virus' in it when the evidence was downloaded/copied/printed, etc… by running the programs real time. The use of VMWare is endless for forensics.

Posted : 28/01/2006 4:36 am
keydet89
(@keydet89)
Community Legend

Brett,

> Jurors will more easily understand

Thanks for bringing up this extremely important side of forensic analysis and presentation. In many cases, this is what it comes down to…does a jury understand?

Harlan

Posted : 28/01/2006 5:14 pm
debaser_
(@debaser_)
Active Member

> I also use VMWare for restoration of images for several reasons.
> 1) When I don't have the software to view certain files from the suspect machine, I restore the image and view them that way;
> 2) To show to court, lawyers, or investigators what the suspect machine looked like when running (with video and screen captures as well). Jurors will more easily understand explanations of how programs are set to run automatically (as an example) when they can see it happening real time, just like their computer at home;
> 3) When a restoration is not possible on the suspect machine, and/or I expect lots of hardware issues on a different machine for restoration, I'll do it in VMWare instead of a real machine as VMWare takes care of many restoration issues.
> 4) To prove/disprove allegations that the computer has a 'ghost/virus' in it when the evidence was downloaded/copied/printed, etc… by running the programs real time. The use of VMWare is endless for forensics.

You have a machine up and running in the court room? Or you have a video demonstration that you show them? Either way, still a good idea. It's little things like this that bring a human element into the mix, and I like that. Things get too dry and boring when it's all bits and bytes.

Posted : 28/01/2006 8:11 pm
bshavers
(@bshavers)
Active Member

Best is to practice before court to make the best video. Bring the recorded video in case the real-time suspect drive does what technology usually does (malfunction at the most important times…) so that can be shown as a backup. Also, when I am demonstrating a restored suspect drive with VMWare, I capture it as a video at the same time (VMWare can do that for it), and leave that video file to the attorney/detective/etc… for their reference.

Another nice feature is the ability to create 'snapshots' in time, in order to always be able to start from the freshly restored drive without having to restore from the beginning.

Ok, another nice feature I have found to be beneficial (and cheap), is using the free VM Player. The general detectives in my agency have the ability to view restored drives given to them by examiners which they can view on their desktop. No need to purchase the full versions when the detectives can benefit viewing the machines.

Just can't say enough about VMWare.

Posted : 29/01/2006 11:29 am
bjgleas
(@bjgleas)
Active Member

I agree, and also think that the vmware player is a terrific tool, for both investigations and training. It has really cut down on our expenses.

bj

Posted : 29/01/2006 1:32 pm
JimmyW
(@jimmyw)
Member

> The general detectives in my agency have the ability to view restored drives given to them by examiners which they can view on their desktop. No need to purchase the full versions when the detectives can benefit viewing the machines.

This, as well as your other comments, is quite worthwhile. I usually create VMs from the image file instead of restoring a drive. That way, you can create a VM, put it on your server, and allow other officers to run the VM with Player.

Posted : 01/02/2006 7:42 am
bjt3
(@bjt3)
New Member

Hi all, I'm a new member. Can anyone tell me will a malware or virus executed in the guest OS of a VM infect the host OS?

I just installed VMware 5.5 with Win XP Pro as host OS and Linux as guest OS. How should I setup the machine for malware autopsy?

Thanks

bjt3

Posted : 13/03/2006 6:57 am
bjgleas
(@bjgleas)
Active Member

If the vmware guest has networking enabled, then yes, a live malware can get out of the virtual system into the host and, if the host is connected, out into the real world (your mileage may vary - it also depends on the attack vector of the malware, etc). Malware should only be used/tested/played with on isolated systems - just ask Robert Morris Jr.

Be careful in there…

bj

Posted : 13/03/2006 10:38 am
dd85
(@dd85)
New Member

Hello,

Is it possible to have 2 virtual disks in the same virtual machine (ex. C, D)?
C (Win…) and D without OS, like on a real PC. I am testing VMware 5.5 Workstation and I cannot find the command/tips/tool to do that.

I checked Disk Manager and BIOS, but it does not work; or I am not doing the right things.

Any kind of help will be appreciated.

A+

Posted : 04/05/2006 8:27 pm
debaser_
(@debaser_)
Active Member

> Hello,
>
> Is it possible to have 2 virtual disks in the same virtual machine (ex. C, D)?
> C (Win…) and D without OS, like on a real PC. I am testing VMware 5.5 Workstation and I cannot find the command/tips/tool to do that.
>
> I checked Disk Manager and BIOS, but it does not work; or I am not doing the right things.
>
> Any kind of help will be appreciated.
>
> A+

I am sure it is possible. Just use the partitioning utilities inside of your windows install to repartition the virtual drivespace.

To be more specific. Imagine the 10 gigs you set aside for the virtual machine as a real physical disk. That is how the OS is going to see it. Just have 2 separate partitions. Hopefully this is what you are looking for.

As far as tricking it into thinking they are two different physical objects, I am not sure.

Posted : 04/05/2006 9:05 pm
dd85
(@dd85)
New Member

Thanks for the response.

To be more accurate, I want to set up 2 different virtual disks, C and D, in the same virtual machine.

Posted : 05/05/2006 2:13 am
bjgleas
(@bjgleas)
Active Member

> I want to set up 2 different virtual disks, C and D, in the same virtual machine.

You can do it… select VM / Setting, this will display the setting for the current virtual machine. Then click add to start the add hardware wizard, and add a new hard drive.

bj

Posted : 05/05/2006 6:25 am
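Three points in this thread fit together in practice: JimmyW's habit of building the VM straight from the image file rather than restoring a drive, bj's advice that the guest must have no way out to the network before anything live is run in it, and the second-disk answer just above. The script below is an added example written for this thread; it is not code from any poster and not VMware's own tooling. It writes a VMware "monolithicFlat" descriptor that points at a raw (dd-style) image without converting or copying it, and a .vmx fragment that attaches that disk in independent-nonpersistent mode (guest writes are discarded at power-off, so the image file is never modified), removes the network adapter, and optionally adds a second disk as the IDE slave. The file names evidence.dd, evidence.vmdk and data.vmdk are placeholders, and the 16-head/63-sector IDE geometry is one common convention; the vmx keys used are standard VMware Workstation configuration keys.

```python
"""Build a VMware descriptor for a raw evidence image plus a locked-down .vmx
fragment.  Added example for this thread (not from any poster or from VMware).
Assumptions: the image is a sector-for-sector copy of a whole disk; the file
names are placeholders; geometry follows the 16-head / 63-sector convention."""
import os
import re
import secrets
from typing import Optional

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 16, 63
_EXTENT_RE = re.compile(r'^RW (\d+) FLAT "([^"]+)" (\d+)$', re.MULTILINE)


def vmdk_descriptor(image_name: str, size_bytes: int, cid: Optional[str] = None) -> str:
    """Return a monolithicFlat descriptor whose single extent is the raw image.

    VMware reads the image file directly as the disk, so no conversion and no
    second copy of the evidence is needed.  The sector count must match the
    file exactly or VMware refuses to open the disk."""
    if size_bytes % SECTOR:
        raise ValueError("raw image is not a whole number of 512-byte sectors")
    sectors = size_bytes // SECTOR
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    cid = cid or secrets.token_hex(4)  # 32-bit content id; any value is fine for a new disk
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        f"CID={cid}\n"
        "parentCID=ffffffff\n"
        'createType="monolithicFlat"\n\n'
        "# Extent description\n"
        f'RW {sectors} FLAT "{image_name}" 0\n\n'
        "# The Disk Data Base\n"
        "#DDB\n\n"
        'ddb.virtualHWVersion = "4"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{HEADS}"\n'
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"\n'
        'ddb.adapterType = "ide"\n'
    )


def descriptor_for_file(image_path: str) -> str:
    """Convenience wrapper: size the descriptor from the image on disk."""
    return vmdk_descriptor(os.path.basename(image_path), os.path.getsize(image_path))


def extent_matches(descriptor: str, size_bytes: int) -> bool:
    """Check an existing descriptor's RW line against the real image size.
    Useful before powering on a VM built by someone else (or by hand)."""
    m = _EXTENT_RE.search(descriptor)
    return bool(m) and int(m.group(1)) * SECTOR == size_bytes and m.group(3) == "0"


def vmx_fragment(evidence_vmdk: str, scratch_vmdk: Optional[str] = None) -> str:
    """Lines to paste into the guest's .vmx file.

    - independent-nonpersistent: every write the booted guest makes goes to a
      redo log that VMware throws away at power-off, so the raw image stays
      byte-for-byte what it was.
    - ethernet0.present FALSE: no NIC at all, so nothing running in the guest
      can reach the host or the outside world.
    - optional second disk (the 'C and D' question) on the IDE slave slot."""
    lines = [
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{evidence_vmdk}"',
        'ide0:0.mode = "independent-nonpersistent"',
        'ethernet0.present = "FALSE"',
    ]
    if scratch_vmdk:
        lines += ['ide0:1.present = "TRUE"', f'ide0:1.fileName = "{scratch_vmdk}"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed 10 GiB image size; write the pair of files next to evidence.dd.
    desc = vmdk_descriptor("evidence.dd", 10 * 1024 ** 3)
    with open("evidence.vmdk", "w") as f:
        f.write(desc)
    with open("evidence-fragment.vmx", "w") as f:
        f.write(vmx_fragment("evidence.vmdk", "data.vmdk"))
    print(desc)
```

Keep the descriptor in the same directory as the image, hash the image before and after the first power-on to confirm the nonpersistent mode really left it untouched, and take a VMware snapshot right after the first clean boot so, as Brett describes, you can return to the freshly restored state without rebuilding anything.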