Forensically sound to examine a VHD converted from a dd img?

5 Posts
4 Users
0 Reactions
1,459 Views
(@honor_the_ways)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

There are tools like LiveView, raw2vmdk, or VirtualBox's built-in convertfromraw feature that allow you to convert raw images into suitable virtual hard disks that can be mounted in a virtual machine.

Would these converted virtual disks be exact duplicates of the images they were made from? Does anyone know if there are any studies/whitepapers on this matter?

I guess the simple way to determine this would be to take a hash of the image and see if it matches a hash of the converted virtual hard disk but studies done by a reputable source are always good to refer to when questioned about forensic procedures.


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

The question you need to be asking is not whether the hashes of 2 different formats match, but rather whether your results from using such a procedure are explainable and reproducible. Many times I've restored a hard drive, put it back into the original computer in place of the original HDD and used some software which we couldn't replicate in the lab to pull off data.

Did the hashes match afterwards? Absolutely not.

Was the procedure reproducible? Absolutely.

Was the procedure therefore forensically sound? Yes.

Because I kept the original unaltered, and my forensic image unaltered, I could push out a copy and repeat the procedure ad infinitum and achieve the same results. And that's what forensics is about.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Would these converted virtual disks be exact duplicates of the images they were made from? Does anyone know if there are any studies/whitepapers on this matter?

You better ask the tool makers. What claims do they make?

The raw2vmdk tool doesn't 'do' anything with the image you hand it, as far as I understand – it just builds the necessary VMware scaffolding around it. If you hand it a .dd image, that image becomes the disk image, and you do not use it for anything else afterwards. So it's quite easy to hash. If you don't want the image to change, take a snapshot of it before you boot the machine.

LiveView does all that for you, and more.

I guess the simple way to determine this would be to take a hash of the image and see if it matches a hash of the converted virtual hard disk but studies done by a reputable source are always good to refer to when questioned about forensic procedures.

If you are questioned on forensic procedure, it won't do you any good to say that someone else says it works – all that matters is if you claim so. You really should be able to say that you verified it and that it worked.
Someone else reporting that it can be done is just an indication that it might work for you, but certainly not a guarantee that you will be able to repeat it. (Arthur Koestler wrote an interesting biography, The Case of the Midwife Toad, of an Austrian zoologist who may have been too skilful: he seems to have been able to breed some animals in his lab that no one else could. That doesn't do in a scientific context: if you can't repeat the process and get the same results, you have not succeeded in verifying the claims. You don't want to be on the receiving end in that kind of situation.)

It's easy enough to test – just mount the converted drive to a specially created forensic virtual engine (Helix, or whatever else you prefer), and reacquire the converted drive. Then you should have both a hash or two to check, and, if they don't match, you should have a pre- and post-conversion image which you can compare to establish exactly what has changed.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

You can use a .dd image directly in VMware using an appropriate (external) descriptor file.
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&p=6524785
Besides .pln there are vmdk ones:
http://sanbarrow.com/vmdk/disktypes.html

Virtual PC images are the actual .dd image with a single sector appended.
http://erwan.l.free.fr/clonedisk/body.html
http://www.boot-land.net/forums/index.php?showtopic=8480

Qemu (optionally with Qemu Manager)
http://www.davereyn.co.uk/download.htm
accepts .dd RAW images directly.

Or you want to actually BOOT the image in a VM?

jaclaz
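The two container tricks jaclaz describes above (a VMware descriptor that references the raw image without touching it, and a Virtual PC fixed VHD being the raw image plus one appended sector), as an added Python example that is not code from this thread. It writes the descriptor text for a raw image, builds the 512-byte fixed-VHD footer with its checksum, and then runs the check the thread asks for: the whole-file hash of the .vhd cannot equal the raw hash, but the payload region does match and the footer validates. The 1 MiB image is constructed inline and "evidence.dd" is a placeholder file name; the geometry and footer layout follow the VMware flat-extent and VHD format conventions, and md5 is used only because that is what the thread uses.

```python
import hashlib
import struct

SECTOR = 512
# The 512-byte VHD footer, big-endian, in field order (checksum is field 14).
FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"


def vmware_flat_descriptor(raw_name: str, raw_size: int) -> str:
    """Descriptor that uses an untouched raw image as a flat extent.

    The evidence file is never rewritten: the descriptor is a separate text
    file pointing at it, so the image keeps its acquisition hash.
    """
    if raw_size % SECTOR:
        raise ValueError("raw image size must be a multiple of 512 bytes")
    sectors = raw_size // SECTOR
    heads, spt = 16, 63                       # advisory geometry for a flat extent
    cylinders = sectors // (heads * spt)
    return (
        "# Disk DescriptorFile\nversion=1\n"
        "CID=a1b2c3d4\n"                      # placeholder; VMware assigns its own CID
        "parentCID=ffffffff\n"
        'createType="monolithicFlat"\n\n'
        "# Extent description\n"
        f'RW {sectors} FLAT "{raw_name}" 0\n\n'
        "# The Disk Data Base\n#DDB\n"
        'ddb.adapterType = "ide"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{heads}"\n'
        f'ddb.geometry.sectors = "{spt}"\n'
        'ddb.virtualHWVersion = "4"\n'
    )


def vhd_chs(total_sectors: int):
    """CHS geometry as computed in the appendix of the VHD specification."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cyl_x_heads = total_sectors // spt
    else:
        spt = 17
        cyl_x_heads = total_sectors // spt
        heads = max((cyl_x_heads + 1023) // 1024, 4)
        if cyl_x_heads >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cyl_x_heads = total_sectors // spt
        if cyl_x_heads >= heads * 1024:
            spt, heads = 63, 16
            cyl_x_heads = total_sectors // spt
    return cyl_x_heads // heads, heads, spt


def vhd_fixed_footer(raw_size: int, disk_uuid: bytes = b"\x00" * 16,
                     timestamp: int = 0) -> bytes:
    """Footer that, appended to a raw image, makes a fixed-size VHD.

    timestamp is seconds since 2000-01-01 UTC (the VHD epoch); the zero
    timestamp and all-zero UUID only keep this example deterministic.
    """
    cyl, heads, spt = vhd_chs(raw_size // SECTOR)
    fields = [b"conectix", 0x2, 0x10000, 0xFFFFFFFFFFFFFFFF, timestamp,
              b"py  ", 0x10000, b"Wi2k", raw_size, raw_size,
              cyl, heads, spt, 2, 0, disk_uuid, 0, b"\x00" * 427]
    body = struct.pack(FOOTER_FMT, *fields)       # checksum field still zero
    fields[14] = (~sum(body)) & 0xFFFFFFFF        # one's complement of the byte sum
    return struct.pack(FOOTER_FMT, *fields)


def parse_vhd_footer(vhd: bytes) -> dict:
    """Read the trailing footer back and recompute its checksum."""
    footer = vhd[-512:]
    f = struct.unpack(FOOTER_FMT, footer)
    computed = (~(sum(footer) - sum(footer[64:68]))) & 0xFFFFFFFF
    return {"cookie_ok": f[0] == b"conectix", "disk_type": f[13],
            "current_size": f[9], "checksum_ok": f[14] == computed}


def verify_fixed_vhd(raw: bytes, vhd: bytes) -> dict:
    """Whole-file hash vs payload hash: only the payload comparison can match."""
    raw_md5 = hashlib.md5(raw).hexdigest()
    info = parse_vhd_footer(vhd)
    return {
        "whole_file_hash_matches": hashlib.md5(vhd).hexdigest() == raw_md5,
        "payload_hash_matches": hashlib.md5(vhd[:len(raw)]).hexdigest() == raw_md5,
        "footer_valid": info["cookie_ok"] and info["checksum_ok"] and info["disk_type"] == 2,
        "footer_size_matches": info["current_size"] == len(raw),
    }


def sample_raw_image() -> bytes:
    """Constructed 1 MiB stand-in for a dd image; not real evidence."""
    return bytes(range(256)) * 4096


def wrap_raw_as_vhd(raw: bytes) -> bytes:
    return raw + vhd_fixed_footer(len(raw))


if __name__ == "__main__":
    raw = sample_raw_image()
    print(vmware_flat_descriptor("evidence.dd", len(raw)))   # placeholder file name
    print(verify_fixed_vhd(raw, wrap_raw_as_vhd(raw)))
```

The descriptor route keeps the raw file untouched, so its hash is the acquisition hash; the VHD route changes the file size by exactly one sector, so a whole-file hash mismatch is expected and the examiner documents the payload hash plus the footer check instead.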


(@honor_the_ways)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

I used VirtualBox a lot for myself, so I did some testing using the VBoxManage convertfromraw feature.

I converted a raw image of an XP machine using
VBoxManage.exe convertfromraw physical_Vol_1_Image.001 converted_physical_Vol_1_Image.vdi

It turned out that the resulting VDI file was actually smaller than the raw image because the default disk variant created is a dynamic disk. In the end it didn't seem to matter, but you can add --variant fixed to create a fixed-size disk.

After that VDI was created I attached it to a virtual machine that was booting off an ISO of BackTrack 4 RC1. I used BackTrack because of its forensics mode that does not automount any disks or swap space.

I then did an md5sum of the original disk image and then another of the converted VDI that was attached at /dev/sdb and they matched.

root@bt:~# mount -t vboxsf Shared /mnt/Shared/
root@bt:~# cd /mnt/Shared/
root@bt:/mnt/Shared# md5sum physical_Vol_1_Image.001
6011882b1e460a3b5edc529098e1f852  physical_Vol_1_Image.001
root@bt:/mnt/Shared# md5sum /dev/sdb
6011882b1e460a3b5edc529098e1f852  /dev/sdb

@Patrick4n6 - I understand your point that what is most important is that any forensics procedure be consistently repeatable, just like a scientific experiment. Since cryptographic hashes are seen as a generally acceptable way to verify whether or not the data read on one source matches the data read from another source, it's nice to be able to demonstrate that hashes of evidence match to demonstrate evidence integrity in a manner that is pretty well established and generally accepted.
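The reacquire-and-compare step suggested earlier in the thread ("if they don't match, you should have a pre- and post-conversion image which you can compare to establish exactly what has changed") and the md5sum comparison in the post above, as an added Python example that is not code from this thread. It hashes the original and the converted copy the way the md5sum runs do, and when the digests disagree it walks both images sector by sector to report where the difference is and whether it is only an appended container trailer or a rewritten sector inside the payload. The images and the two failure cases are constructed inline.

```python
import hashlib

SECTOR = 512


def compare_images(original: bytes, converted: bytes, sector: int = SECTOR,
                   max_report: int = 8) -> dict:
    """Hash both copies and, when they differ, say where, sector by sector.

    The digests answer "did anything change?"; the sector list answers
    "what changed?", which is what you need when they do not agree.
    """
    o_md5 = hashlib.md5(original).hexdigest()
    c_md5 = hashlib.md5(converted).hexdigest()
    common = min(len(original), len(converted))
    changed, total_changed = [], 0
    for off in range(0, common, sector):
        end = min(off + sector, common)          # compare only the shared region
        if original[off:end] != converted[off:end]:
            total_changed += 1
            if len(changed) < max_report:
                changed.append({"sector": off // sector, "offset": off})
    size_delta = len(converted) - len(original)
    if o_md5 == c_md5:
        verdict = "identical"
    elif total_changed == 0 and size_delta > 0:
        verdict = "payload identical; %d bytes appended (container trailer?)" % size_delta
    elif total_changed == 0 and size_delta < 0:
        verdict = "payload identical but converted copy is %d bytes short" % -size_delta
    else:
        verdict = "payload modified in %d sector(s)" % total_changed
    return {"original_md5": o_md5, "converted_md5": c_md5,
            "hashes_match": o_md5 == c_md5, "size_delta": size_delta,
            "changed_sector_count": total_changed, "changed_sectors": changed,
            "verdict": verdict}


def sample_raw_image() -> bytes:
    """Constructed 1 MiB stand-in for a dd image; not real evidence."""
    return bytes(range(256)) * 4096


def simulate_fixed_container(raw: bytes) -> bytes:
    """Fixed-size container behaviour: payload untouched, one trailer sector appended."""
    return raw + b"\x00" * SECTOR


def simulate_nonforensic_mount(raw: bytes) -> bytes:
    """What an automounting OS can do to an attached disk: rewrite a sector."""
    off = 100 * SECTOR
    return raw[:off] + b"MOUNTED".ljust(SECTOR, b"\x00") + raw[off + SECTOR:]


if __name__ == "__main__":
    raw = sample_raw_image()
    for name, copy in [("same file", raw),
                       ("fixed container", simulate_fixed_container(raw)),
                       ("touched by a mount", simulate_nonforensic_mount(raw))]:
        r = compare_images(raw, copy)
        print(f"{name}: {r['verdict']}; first changed sectors: {r['changed_sectors']}")
```

Run against a real pair, feed compare_images the raw image and the reacquired copy of the converted disk read from the block device (as the md5sum of /dev/sdb above does), not the container file, so that dynamic or sparse formats are compared on their presented contents rather than their on-disk encoding.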

