Problems with VM

22 Posts
7 Users
0 Reactions
1,411 Views
(@cloudy)
Trusted Member
Joined: 18 years ago
Posts: 59
Topic starter  

What I'm trying to ascertain is that the process in which I currently view a suspect's machine in a VM environment is a correct method, as I'm having to try a lot of things out for myself.

So by creating dd files in FTK Imager and then using Live View to load these files in VMware Server Console and then adding a floppy disk drive so that I can ahem fix XP to work properly is OK??

Do you ever use Microsoft Virtual PC etc. for doing this?? If not, what do you use it for?

thanks
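The dd-to-VMware step described in the opening post (and the "restore the full dd image, then snapshot and boot" approach discussed in the reply that follows) is, at its core, a plain-text VMware descriptor that points at the raw image. The script below is an added example, not Live View's or FTK Imager's own code: it hashes the dd file, writes a monolithicFlat .vmdk descriptor wrapping it, and marks the image read-only so a later hash check proves the evidence copy itself was never written to. The CHS geometry values and the hardware version are assumptions chosen for an IDE disk; the non-persistent disk mode Live View uses lives in the .vmx, not in this file.

```python
import hashlib
import os
import tempfile

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 16, 63  # assumed CHS geometry for an IDE flat disk


def sha256_of(path, chunk=1 << 20):
    """Hash the raw image; re-run after the VM session to show the dd file was untouched."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def flat_vmdk_descriptor(dd_path):
    """Build a monolithicFlat .vmdk descriptor that references an existing dd image."""
    size = os.path.getsize(dd_path)
    if size % SECTOR:
        raise ValueError("image size is not a whole number of 512-byte sectors")
    total_sectors = size // SECTOR
    cylinders = total_sectors // (HEADS * SECTORS_PER_TRACK)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description: one flat extent, the dd file, starting at offset 0",
        f'RW {total_sectors} FLAT "{os.path.basename(dd_path)}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.virtualHWVersion = "4"',
    ]
    return "\n".join(lines) + "\n"


def write_descriptor(dd_path):
    """Write suspect.vmdk next to suspect.dd and make the evidence copy read-only."""
    vmdk_path = os.path.splitext(dd_path)[0] + ".vmdk"
    with open(vmdk_path, "w") as f:
        f.write(flat_vmdk_descriptor(dd_path))
    os.chmod(dd_path, 0o444)  # OS-level write protection on the image itself
    return vmdk_path


def demo():
    """Constructed 8 MiB blank image standing in for the FTK Imager dd file."""
    dd = os.path.join(tempfile.mkdtemp(), "suspect.dd")
    with open(dd, "wb") as f:
        f.truncate(8 * 1024 * 1024)
    baseline = sha256_of(dd)
    return baseline, write_descriptor(dd)
```

Boot the VM from a snapshot of the descriptor, then compare `sha256_of()` of the dd file against the baseline: any difference means the session wrote through to the evidence copy rather than to the snapshot.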


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

This is an interesting area, as you can't really make use of the VM as evidence, it is solely to allow you to get a view of the suspect machine in a similar way to the way it was in use.

I stress similar because the screen will be different, the disk will be altered as soon as you boot, because you will find the process easier if you install VMware Tools, because the network connections will be different etc. etc. etc. This means that you can only get an impression of its use, even icons won't necessarily be in the same places on the desktop, as the screen resolution determines these things. So all evidence found on the VM will have to be verified & discovered in another tool. Because of this fact, how you do it is largely up to you. I know someone who is of the opinion that it is only worth taking the live file set using Ghost and assorted contortions of virtual disks, as it is a much faster process than restoring a DD image. I personally restore a full DD image, and then use the VM to run bootable CD tools against it, as this is as close to examining the actual disk as I can get. I also make snapshots and play with the image, this can be useful to restore deleted partitions and the like … As well as booting it to get a look, and then restoring back to a known point each time I re-load.

I use both VMWare on Windows and Parallels on MacOS X, I have used MS Virtual PC, and I think that it is the spawn of the Devil …

( Having said that, at the time I was using it, I was undertaking a project that involved simulating an MS Network, it ran 10 assorted images varying from Win2k3 through XP to Vista, and it wasn't a complete dog … )


(@cloudy)
Trusted Member
Joined: 18 years ago
Posts: 59
Topic starter  

Totally agree, I'm only really interested in VM as I want to get a feel for the system and find it helps me visualize the case better.

Do you know of anywhere which has guides for VM??

Thanks for your help with this matter azrael, I'm new to the whole forensic scene and am still trying to find my feet. :D


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Try http://www.forensicfocus.com/vmware-forensic-tool 😉

I also know that a talk was given recently to members of F3, if you are eligible to join, the slides are available to download from the F3 website. It was an excellent talk, I would thoroughly recommend joining for that alone if you are into that sort of thing …

http://www.f3.org.uk/

Other than that - the VMware FAQs on their website cover a multitude of really useful details on dealing with migrated images, BIOS differences, emulation of certain hardware etc.

I've heard it said that the latest versions of VMware aren't the best for forensic work, but I must admit that I wasn't listening, because I have a current licence!

Parallels is very good as well, and has, as an aside, excellent emulation of the DirectX stuff that makes playing Windows games on a Mac possible & tolerable :-D


(@cloudy)
Trusted Member
Joined: 18 years ago
Posts: 59
Topic starter  

Cheers for that, I'll check it out :D


(@wilber999)
Eminent Member
Joined: 19 years ago
Posts: 30
 

If you have the original code from the sticker on the machine, MS will activate if you explain that you are doing an investigation. I have called MS numerous times and never had an issue.


(@cloudy)
Trusted Member
Joined: 18 years ago
Posts: 59
Topic starter  

Ah, that's good to know, I'll give that a shot, cheers


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

You can also restore your image and then create a VM from there. I've seen a few hacks for the activation online. I think you can replace a couple of files and you are on your way. I've also heard of Microsoft providing an activation key when called and told about the forensic investigation. I actually ran into this last week. When I went to activate over the phone I was told it wasn't a genuine product. I didn't need to go any further and try to crack the activation. Finding out it wasn't genuine put the nail in the coffin for my case.


(@cloudy)
Trusted Member
Joined: 18 years ago
Posts: 59
Topic starter  

Called Microsoft yesterday and explained the situation to them and got the activation code, good to see that they are on our side :D


mark777
(@mark777)
Estimable Member
Joined: 21 years ago
Posts: 101
 

If you are going to be using virtual machines a lot for your examinations then I can highly recommend a program called VFC. Used it for the last 6 months or so and have never had a failure to boot.


Page 2 / 3