how to send contents that can be seen in booted environment

(@yunus)
Estimable Member
Joined: 17 years ago
Posts: 178
Topic starter  

Hello

We have a case where the investigation sends us the images of hard drives and asks for all of the contents to be sent to them in an easily visible/opened way for them to look at themselves.

Ok, that seems fine if you consider only common files like doc, jpg, mp4 etc. We can export all of the files and send them easily like they expect; however, the hard drives seem to have specifically developed software like accountancy, staff management etc., and we do know much about that software and we can only try to log in and browse through some menus, and we can only do it in a booted environment when we virtually boot the images. So we can see some contents but cannot send them the contents in an easily opened way like they expect.

However, we think it is better for them to see the contents as they are seen on the computer screen in real life and be able to browse through them, but they are not technically very good and they cannot boot the images if we just send them the images back. So we are not sure how we should proceed.

So, do you think we should export and send them the common file formats which can be opened easily, say we cannot send the contents of the specific software installed on the hard drives in an easily opened way, and invite them into the laboratory and let them look at the contents themselves in the booted environment?

Any recommendation?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In theory you could set up a VM and provide them with a "bootable environment"; in practice - if doable at all in the specific case - it is well outside the scope of a digital forensic examination, and to make and test one such VM might be a serious challenge, meaning hours of work to (from what you described) fulfill a "vague" wish.

Usually (but not always) specialized software such as accounting programs have provisions to avoid duplication/unauthorized use (such as hardware dongles, online check, machine signature verification, etc.) and they might well be impossible to be "fully" run in a VM.

If the stuff actually runs from the image in a "simple" VM (as an example QEMU) it is easy to create an automated package.

Just as an example, MobaliveCD or MobaliveUSB are nice wrappers around QEMU; there is LiveView
http://liveview.sourceforge.net/
and similar, see
http://www.forensicfocus.com/Forums/viewtopic/t=12882/

but all in all using VirtualBox and VMUB
http://reboot.pro/files/file/339-virtual-machine-usb-boot/
is not that difficult.

A possibility (if allowed by budget) could be to load the stuff on a laptop and give 'em the pre-configured laptop.

Of course there are Commercial tools for this, but still they might hit the budget constraints.

jaclaz
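
The QEMU route mentioned in the reply above, as an added example that is not part of the original post: a POSIX shell wrapper that checks the image against its acquisition hash and then boots it with `-snapshot`, so guest writes go to a temporary file and the image stays unchanged. The raw (dd) image format, the 2048 MB memory size and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): boot a raw disk image in QEMU for
# review without altering it. Assumes a raw/dd image and a known SHA-256.

QEMU=${QEMU:-qemu-system-x86_64}   # emulator binary (override for testing)
QEMU_MEM=${QEMU_MEM:-2048}         # guest RAM in MB (assumed value)

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_image IMAGE EXPECTED: 0 if digest matches, 1 on mismatch, 2 if unreadable
verify_image() {
    [ -r "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# drive_opt IMAGE: print the -drive value; QEMU needs literal commas doubled
drive_opt() {
    printf 'file=%s,format=raw,if=ide\n' "$(printf '%s' "$1" | sed 's/,/,,/g')"
}

# boot_image IMAGE EXPECTED: verify, then start the guest
#   -snapshot  guest writes go to a temporary file, never to IMAGE
#   -nic none  no network card, so the guest cannot reach any network
boot_image() {
    if ! verify_image "$1" "$2"; then
        echo "refusing to boot: $1 is unreadable or does not match $2" >&2
        return 1
    fi
    "$QEMU" -snapshot -nic none -m "$QEMU_MEM" -drive "$(drive_opt "$1")"
}

# Run only when called as: script IMAGE EXPECTED_SHA256
if [ "$#" -eq 2 ]; then
    boot_image "$1" "$2"
fi
```

This covers only the case the reply describes, where the system boots in a plain VM; software tied to dongles or machine signatures may still refuse to run.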


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Sorry, oops, double post (a glitch in the Matrix, seemingly).

jaclaz


   