My doubt is: if I open the vmdk file with FTK Imager, is there a risk that the real system may become infected by opening it?
The ransomware process is activated at every startup.
Not really; more exactly, the ransomware is activated at every startup of the instance of the OS that was infected.
So the question becomes
Does opening the vmdk file with FTK Imager cause the booting (startup) of the OS in the image?
Or - alternatively - will it cause the execution of the ransomware executable or script?
jaclaz
Exactly.
Then?
Now the ball is in your court
Is it conceivable that an OS inside an image that can be booted through the use of a complex mechanism called a virtual machine - which includes, among other mechanisms, virtualized hardware and a BIOS - can also be booted by FTK Imager by only opening the image?
If yes, then there would be no need of a VM at all.
If no, then you are probably safe.
As - BTW - you have already been told twice:
https://www.forensicfocus.com/Forums/viewtopic/p=6599932/#6599932
More specifically with ransomware, as long as you do not execute any of the executables (or scripts, etc.) on the "infected" machine you are safe; still, some caution is needed for the settings of the forensic machine. Only as an example, autoplay should be disabled, i.e. the OS should be either "throwaway" (or "volatile", like a PE or an OS in a ramdisk) or "hardened"; see also
https://www.forensicfocus.com/Forums/viewtopic/p=6599936/#6599936
Anyway, FTK can "convert" a .vmdk to dd/RAW just fine:
https://www.youtube.com/watch?v=gIZuuq9lswA
No, no risks in the "conversion".
Still, how exactly will you run Kali Linux?
Choose one
1) on a "real machine"
2) inside a "virtual machine" (let's say VirtualBox)
If #1, you won't have any risk, as presumably the ransomware, having been designed for Windows NT systems, won't work on Linux.
If #2, you won't have any risk, as presumably the ransomware, having been designed for Windows NT systems, won't work on Linux AND presumably what happens inside a VM stays inside the VM.
So the weakest link in the chain is running FTK Imager on a non-volatile, non-hardened Windows NT system.
Now, what uses do you have for FTK imager?
Only "converting" (which likely is not actually necessary) the .vmdk to RAW?
Then why don't you do the "conversion" under Kali Linux (or another Linux instance)?
jaclaz
Convert the file from vmdk to raw.
That's easy enough to do…open the .vmdk file in FTK Imager, then export an image in raw format. Boom. Done.
Yep, a link to a video has already been posted and - AGAIN - it is possible that the .vmdk file is ALREADY a RAW image + a descriptor file; it has to be checked, AND (next time) it would be advisable to expressly create the image as a "monolithic flat" .vmdk, so that NO conversion will be needed.
jaclaz
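The check jaclaz keeps asking for (is the .vmdk already a text descriptor pointing at a raw "-flat" extent, or a sparse container that really needs converting?) can be done under Linux without FTK Imager and without executing anything from the image. The script below is an added example written for this thread, not code from the original posts or from VMware/AccessData; it only reads bytes. The function names (vmdk_kind, vmdk_extents, vmdk_plan, vmdk_to_raw), the descriptor file and "-flat" extent it builds in a temp directory are all constructed for the example, and the qemu-img call is only reached for sparse images and assumes qemu-img is installed. It also goes a bit beyond the single-file case: a twoGbMaxExtentFlat descriptor (several FLAT extents) is handled by concatenating the extents in descriptor order.

```shell
#!/bin/sh
# Decide whether a .vmdk needs "converting" to raw before analysis.
# - A text descriptor ("# Disk DescriptorFile") with a single FLAT extent
#   already points at a raw, dd-style image: no conversion needed.
# - A hosted sparse extent starts with the "KDMV" magic and must be
#   converted, e.g. with qemu-img.
# Nothing here mounts, boots or executes anything from the image.
# The sample descriptor and extent built below are constructed for this example.

# Print the container kind of "$1": descriptor, sparse or unknown.
vmdk_kind() {
    if [ "$(head -c 4 "$1")" = "KDMV" ]; then
        echo sparse
    elif [ "$(head -c 21 "$1")" = "# Disk DescriptorFile" ]; then
        echo descriptor
    else
        echo unknown
    fi
}

# Print the createType of a descriptor (e.g. monolithicFlat, monolithicSparse).
vmdk_create_type() {
    sed -n 's/^createType="\([^"]*\)".*/\1/p' "$1"
}

# Print "ACCESS SECTORS TYPE FILENAME" for each extent line of a descriptor.
# Extent lines look like: RW 4192256 FLAT "disk-flat.vmdk" 0
# (filenames containing spaces are not handled by this simple parser)
vmdk_extents() {
    awk '$1 ~ /^(RW|RDONLY|NOACCESS)$/ && NF >= 4 { f = $4; gsub(/"/, "", f); print $1, $2, $3, f }' "$1"
}

# Print the plan for obtaining a raw image from "$1":
#   "raw <path>"  one FLAT extent: it already is the raw image, use it directly
#   "concat"      several FLAT extents (twoGbMaxExtentFlat): cat them in order
#   "convert"     sparse or unknown layout: qemu-img is needed
vmdk_plan() {
    kind=$(vmdk_kind "$1")
    [ "$kind" = descriptor ] || { echo convert; return 0; }
    dir=$(dirname "$1")
    types=$(vmdk_extents "$1" | awk '{ print $3 }' | sort -u)
    n=$(vmdk_extents "$1" | wc -l | tr -d ' ')
    if [ "$types" = FLAT ] && [ "$n" -eq 1 ]; then
        echo "raw $dir/$(vmdk_extents "$1" | awk '{ print $4 }')"
    elif [ "$types" = FLAT ] && [ "$n" -gt 1 ]; then
        echo concat
    else
        echo convert
    fi
}

# Produce a raw image at "$2" from the .vmdk "$1", following vmdk_plan.
vmdk_to_raw() {
    plan=$(vmdk_plan "$1")
    dir=$(dirname "$1")
    case "$plan" in
        "raw "*) cp "${plan#raw }" "$2" ;;
        concat)  vmdk_extents "$1" | awk '{ print $4 }' |
                 while read -r f; do cat "$dir/$f"; done > "$2" ;;
        convert) qemu-img convert -f vmdk -O raw "$1" "$2" ;;
    esac
}

# Constructed sample: a monolithicFlat descriptor plus a tiny stand-in extent.
make_sample() {
    printf 'not-a-real-disk' > "$1/disk-flat.vmdk"
    cat > "$1/disk.vmdk" <<'EOF'
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 4192256 FLAT "disk-flat.vmdk" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "kind:       $(vmdk_kind "$tmp/disk.vmdk")"
echo "createType: $(vmdk_create_type "$tmp/disk.vmdk")"
echo "plan:       $(vmdk_plan "$tmp/disk.vmdk")"
rm -rf "$tmp"
```

With a real image you would run `vmdk_plan /evidence/vm/disk.vmdk`; a "raw …" answer means the "-flat" file can be handed straight to the Sleuth Kit or a read-only loop mount, and only a "convert" answer justifies the detour through qemu-img (or FTK Imager). Hash the extent before and after whatever you do with it, as you would with any other image.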