Hi,
Just got a question about forensics of virtual hard disks.
I've got an image of a Server 2008 R2.
There are a couple of vhd and avhd files on this server. Each 'set' contains 1 vhd and a couple of avhd files, the vhd is always the oldest file (last written).
It looks like the changes are written to the avhd file. EnCase supports vhd files but not avhd files, and a simple rename didn't solve the problem.
What are the best practices to merge the avhd and vhd files, or is there some other way to investigate these virtual hard disks?
I fired a Google search, and the first two results have the instructions on merging the two files.
https://
and
http//
More information https://
Of course I found that too.
But now the forensic part….
Each snapshot (avhd file) could contain evidence that isn't available in a newer snapshot.
How to identify which snapshots belong to each other, like:
Take 2 snapshots, A and B.
Take a snapshot from A, call it AA
Take a snapshot from B, call it BB.
Snapshot AA belongs to Branch A and not to Branch B.
Curious if someone made a paper/blog post about this topic. D
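The branch question above can be answered from the files themselves, because an avhd is an ordinary VHD differencing disk: the 512-byte footer at the end of the file records the disk type and the disk's own UUID, and for a differencing disk the footer's Data Offset points at a dynamic header that carries the parent's UUID and the parent's file name. Walking parent UUIDs therefore reconstructs each branch (AA back to A back to the base, never to B). The following is an added example written for this page, not code posted by anyone in the thread; the field offsets follow the public VHD specification, and the file names and UUIDs are constructed in memory.

```python
"""Chain VHD/AVHD differencing disks by parent UUID (added example, constructed data)."""
import struct
import uuid

SECTOR = 512
DISK_TYPE = {2: "fixed", 3: "dynamic", 4: "differencing"}
NO_PARENT = uuid.UUID(int=0)


def vhd_checksum(block: bytes, cksum_off: int) -> int:
    """Ones' complement of the byte sum, with the 4-byte checksum field excluded."""
    total = sum(block[:cksum_off]) + sum(block[cksum_off + 4:])
    return (~total) & 0xFFFFFFFF


def build_footer(uid: uuid.UUID, disk_type: int, data_offset: int) -> bytes:
    """512-byte hard disk footer: cookie, features, version, data offset, type, UUID."""
    f = bytearray(SECTOR)
    f[0:8] = b"conectix"
    struct.pack_into(">IIQ", f, 8, 0x2, 0x00010000, data_offset)  # offsets 8, 12, 16
    struct.pack_into(">I", f, 60, disk_type)  # 2 fixed, 3 dynamic, 4 differencing
    f[68:84] = uid.bytes
    struct.pack_into(">I", f, 64, vhd_checksum(bytes(f), 64))
    return bytes(f)


def build_dyn_header(parent_uid: uuid.UUID, parent_name: str) -> bytes:
    """1024-byte dynamic disk header; only the fields the parser reads are filled."""
    h = bytearray(1024)
    h[0:8] = b"cxsparse"
    # data offset (unused), BAT offset, header version, max BAT entries, block size
    struct.pack_into(">QQIII", h, 8, 0xFFFFFFFFFFFFFFFF, 1536, 0x00010000, 1, 0x200000)
    h[40:56] = parent_uid.bytes                      # Parent Unique ID
    name = parent_name.encode("utf-16-be")           # Parent Unicode Name (UTF-16BE)
    h[64:64 + len(name)] = name
    struct.pack_into(">I", h, 36, vhd_checksum(bytes(h), 36))
    return bytes(h)


def build_image(uid: uuid.UUID, disk_type: int, parent=(NO_PARENT, "")) -> bytes:
    """Minimal in-memory image: footer copy, dynamic header, one empty sector, footer."""
    if disk_type == 2:  # fixed disks carry no dynamic header
        return b"\0" * SECTOR + build_footer(uid, 2, 0xFFFFFFFFFFFFFFFF)
    footer = build_footer(uid, disk_type, SECTOR)
    return footer + build_dyn_header(*parent) + b"\0" * SECTOR + footer


def parse_vhd(data: bytes) -> dict:
    """Read the footer at end of file and, for differencing disks, the parent link."""
    footer = data[-SECTOR:]
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie")
    if struct.unpack_from(">I", footer, 64)[0] != vhd_checksum(footer, 64):
        raise ValueError("footer checksum mismatch")
    data_offset, = struct.unpack_from(">Q", footer, 16)
    disk_type, = struct.unpack_from(">I", footer, 60)
    info = {"uuid": uuid.UUID(bytes=footer[68:84]),
            "type": DISK_TYPE.get(disk_type, "unknown"),
            "parent": None, "parent_name": None}
    if disk_type == 4:
        hdr = data[data_offset:data_offset + 1024]
        if hdr[:8] != b"cxsparse":
            raise ValueError("no dynamic header cookie")
        if struct.unpack_from(">I", hdr, 36)[0] != vhd_checksum(hdr, 36):
            raise ValueError("dynamic header checksum mismatch")
        info["parent"] = uuid.UUID(bytes=hdr[40:56])
        info["parent_name"] = hdr[64:576].decode("utf-16-be").rstrip("\0")
    return info


def chain_to_base(files: dict, name: str) -> list:
    """Walk parent UUIDs from a snapshot back to its base; returned oldest first."""
    by_uuid = {parse_vhd(d)["uuid"]: n for n, d in files.items()}
    chain, info = [name], parse_vhd(files[name])
    while info["parent"] is not None:
        parent = by_uuid.get(info["parent"])
        if parent is None:  # parent was not among the collected files
            chain.append("<missing:%s>" % info["parent_name"])
            break
        chain.append(parent)
        info = parse_vhd(files[parent])
    return chain[::-1]


def demo() -> dict:
    """The poster's scenario: base -> A -> AA and base -> B -> BB (constructed)."""
    ids = {n: uuid.uuid4() for n in ("base", "A", "B", "AA", "BB")}
    files = {
        "base.vhd": build_image(ids["base"], 3),
        "A.avhd": build_image(ids["A"], 4, (ids["base"], "base.vhd")),
        "B.avhd": build_image(ids["B"], 4, (ids["base"], "base.vhd")),
        "AA.avhd": build_image(ids["AA"], 4, (ids["A"], "A.avhd")),
        "BB.avhd": build_image(ids["BB"], 4, (ids["B"], "B.avhd")),
    }
    return {n: chain_to_base(files, n) for n in files}


def orphan_demo() -> list:
    """A snapshot whose parent was never collected stops with a <missing:...> marker."""
    files = {"X.avhd": build_image(uuid.uuid4(), 4, (uuid.uuid4(), "gone.vhd"))}
    return chain_to_base(files, "X.avhd")


if __name__ == "__main__":
    for leaf, chain in demo().items():
        print(leaf, ":", " -> ".join(chain))
```

Both UUID fields are compared as raw 16-byte values, so the GUID byte-ordering question never arises. Against real evidence, replace the constructed images with the bytes of each vhd/avhd file; the footer and header checksums give an early warning that a file is truncated or altered, and a `<missing:...>` marker shows that a branch was collected incompletely.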