VHD - forensically sound

13 Posts
5 Users
9 Likes
3,672 Views
(@digiforentobe)
Posts: 7
Active Member
Topic starter
 

Hey all, 

I'm very new to forensics, and in the learning process of things.

I have a scenario whereby I have a VHD, and need to make it forensically sound... I have googled to the best of my ability, so can I assume that if I use FTK Imager to create a copy of the VHD and then create an E01 from it, I can then use that E01 in either FTK or Autopsy? Trying to follow forensic guidelines for handling "evidence".

 

Thanks all

 
Posted : 24/03/2021 1:10 pm
 dega
(@dega)
Posts: 261
Reputable Member
 

Check Autopsy. It should open VHD.

 
Posted : 25/03/2021 8:43 am
(@digiforentobe)
Posts: 7
Active Member
Topic starter
 

@giandega

Firstly, thank you for your reply.

Hi, yeah, Autopsy does open a VHD with no issues. What I'm trying to do is make a copy of that VHD file using FTK or a similar tool, and then use that copy to investigate instead of using the "original" VHD.

 
Posted : 25/03/2021 10:55 am
 dega
(@dega)
Posts: 261
Reputable Member
 

You can do a snapshot?

 
Posted : 25/03/2021 2:38 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 
Posted by: @digiforentobe

@giandega

what I'm trying to do is make a copy of that VHD file using FTK or a similar tool, and then use that copy to investigate instead of using the "original" VHD.

I'm going to take a leap here and guess that what you are trying to do is get an E01 or RAW image to look at, rather than a VHD.

You're never going to be able to use a write blocker - 'cos there is no physical disk - so you might as well use a bootable imager - now you can do this a number of ways, but the way that I would do it is download a suitable bootable Linux distribution with a Forensic leaning, and then use this to create an image "across the network" to another Linux host with sufficient disk to take the image. 

The reason that I suggest this, is because I happened to do it yesterday ...

So I downloaded an up-to-date copy of KALI, added the ISO as a virtual DVD drive, set the boot order of the VM to make the DVD the priority and disabled boot from the VHD. Then I booted the VM and chose the "Forensic" option for KALI to boot with. Then I used the following command:

dd bs=16M if=/dev/sda | ssh azrael@remotemachine "dd bs=16M of=/home/azrael/disk.img"

You'll obviously need to change the username, machine name and destination path to something relevant to you.

I happened to do this from an existing VM, so it was bootable. I suspect that if you only have the VHD file, but you were to create a new VM and include the VHD as an "existing disk" that the same technique would work.

You've said that you're new to forensics - welcome 🙂 - always make a copy to work with, it's a joy of digital forensics that we can do this ad infinitum and get a good copy. Also - it would be worth taking a hash of the VHD before and after the above process - this way you can tell if it has been modified or not - it shouldn't be, but it would be worth verifying. ( It didn't matter in my scenario, so I haven't checked it ... )

 
Posted : 25/03/2021 4:26 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Conversion sounds like a huge waste of time. Any conversion also runs the risk of messing things up.

Duplicate the VHD file, take a hash if you want, then just work on the VHD file directly. All the decent tools will open a VHD directly, as a read only file system.

Working with the source data is not "forensically unsound".

 
Posted : 26/03/2021 1:32 am
azrael
(@azrael)
Posts: 656
Honorable Member
 
Posted by: @passmark

Conversion sounds like a huge waste of time.

Aside from the fact that's what the OP wants to do ... Also, if you can't think of a scenario where this might be desirable I'd be surprised. I can think of two at least!

Posted by: @passmark

Any conversion also runs the risk of messing things up.

Don't disagree with this though, but you could mitigate through testing and verifying your results.

Posted by: @passmark

All the decent tools will open a VHD directly, as a read only file system.

And I think perhaps this is the crux of the matter - maybe the OP, as a beginner wishes to look at something as a raw disk, perhaps they're learning by writing a script and don't want the hassle of dealing with VHD containers, perhaps their - otherwise decent - special tool doesn't handle VHDs or perhaps they're using two different "decent" tools to look at VHDs and are getting different results from each (we've all seen that play out) and they want to verify from the raw data - or as close to it as they can get. 

The OP has already gratefully declined the idea of duplication of the VHD for whatever reasons they have - and I'm not convinced that my solution is the best one - can you improve on it?

 

 
Posted : 26/03/2021 6:12 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

I suspect OP is operating under the misapprehension that everything needs to be a E01 to be "sound".

 
Posted : 26/03/2021 6:32 am
azrael
(@azrael)
Posts: 656
Honorable Member
 
Posted by: @passmark

I suspect OP is operating under the misapprehension that everything needs to be a E01 to be "sound".

You may well be right! Not sure that either of us explained to him why that's not actually the case though 😜

Posted by: @digiforentobe

Trying to follow forensic guidelines of handling "evidence"

Ok OP, let's back up one here - @passmark has made a good point - I'm going to go back on the basis of UK guidance, rather than anything else (your location is down as UK, so this should be fine !) - if we take a look at the ACPO Guidelines for handling digital evidence we are interested in the first two principles:

Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Let's consider your VHD file here - if you take a copy of it then you are no longer "accessing the original data" - you can work with that copy in whatever way you like for as long as you want. Even if you wanted to load it into a VM and run it - it still isn't the original evidence - it does however alter the copy that you have, so you need to consider the "relevance and the implications" of doing so.

In looking at that copied VHD - especially if you are treating it in a "read-only" manner [as most tools will do, or can be configured to do - or under Linux, make the file RO etc.] - then there are no issues of breaching either principle. 

E01 is one of several "forensic file formats", but is by no means required for a "forensically sound process".

Posted by: @passmark

Duplicate the VHD file, take a hash if you want,

What I would say is that to prove the "forensically sound" bit of the methodology of taking a copy is that you should take a hash - of both the "original" and the "copy" and then you are assured that the two are identical in content. [ Remember hashing only looks at the contents of a file - not the metadata of a file - so the fact that it is a copy will have no impact. ] You can then check this hash periodically after operations that you do ( loading it into a tool and looking through it for example ) so you can identify if any of the things you do would have had an impact on the integrity of the file.

Also, there is 100% a better way of doing this than what I proposed anyway!

If you still want to convert a VHD to another format - try qemu-convert; this will allow you to create a RAW image, and if you want to take a RAW image to an E01 that has been covered here before.

And having said all of the above - it seems that the always excellent FTK imager will allow direct conversion of VHD to E01 too.

<sigh> Should have just started there. </sigh>

 
Posted : 26/03/2021 7:58 am
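The hash-before-and-after discipline that azrael and Passmark describe above, together with the "raw disk inside the VHD container" point from earlier in the thread, as an added example (this is not code from the thread or from any of the tools named in it). It assumes a fixed-size VHD, where the raw disk payload is the file minus the 512-byte footer; dynamic and differencing VHDs need a real converter. The sample VHD is constructed in memory from made-up bytes, and the function names (`make_working_copy`, `verify_unchanged`, `raw_payload_sha256`, `demo`) are this example's own.

```python
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path

FOOTER_SIZE = 512
# Fixed-size VHD footer, big-endian, as laid out in Microsoft's VHD spec:
# cookie(8) features(4) version(4) data_offset(8) timestamp(4) creator_app(4)
# creator_ver(4) creator_os(4) original_size(8) current_size(8) geometry(4)
# disk_type(4) checksum(4) uuid(16) saved_state(1) reserved(427) = 512 bytes
FOOTER_FMT = ">8sIIQI4sIIQQIII16sB427s"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, with the checksum field itself zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_fixed_vhd(payload: bytes) -> bytes:
    """Wrap a sector-aligned raw payload in a minimal fixed-size VHD (constructed sample)."""
    if len(payload) % 512:
        raise ValueError("payload must be a whole number of 512-byte sectors")
    sectors = len(payload) // 512
    geometry = (1 << 16) | (1 << 8) | (sectors & 0xFF)  # cosmetic CHS for a small sample
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0,
              b"exmp", 0x00010000, 0x5769326B, len(payload), len(payload),
              geometry, 2, 0, b"\x00" * 16, 0, b"\x00" * 427]
    footer = struct.pack(FOOTER_FMT, *fields)
    fields[12] = vhd_checksum(footer)          # fill in the checksum over the zeroed footer
    return payload + struct.pack(FOOTER_FMT, *fields)


def parse_footer(vhd: bytes) -> dict:
    """Decode the trailing 512-byte footer and check its cookie and checksum."""
    footer = vhd[-FOOTER_SIZE:]
    f = struct.unpack(FOOTER_FMT, footer)
    return {
        "cookie_ok": f[0] == b"conectix",
        "disk_type": DISK_TYPES.get(f[11], f"unknown({f[11]})"),
        "virtual_size": f[9],
        "checksum_ok": f[12] == vhd_checksum(footer),
    }


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(original: Path, copy: Path) -> dict:
    """Copy the evidence file, then hash both so the copy can be shown identical in content."""
    shutil.copyfile(original, copy)
    before, after = sha256_file(original), sha256_file(copy)
    return {"original_sha256": before, "copy_sha256": after, "match": before == after}


def verify_unchanged(path: Path, expected_sha256: str) -> bool:
    """Re-hash after a tool has touched the copy to confirm it really was read-only."""
    return sha256_file(path) == expected_sha256


def raw_payload_sha256(path: Path) -> str:
    """For a fixed VHD the raw disk image is the file minus its footer; hash just that part."""
    data = path.read_bytes()
    info = parse_footer(data)
    if not (info["cookie_ok"] and info["checksum_ok"] and info["disk_type"] == "fixed"):
        raise ValueError("not a valid fixed-size VHD; use a converter for dynamic/differencing")
    return hashlib.sha256(data[:-FOOTER_SIZE]).hexdigest()


def demo() -> dict:
    """Run the whole workflow on a constructed 2 KiB sample VHD in a temp directory."""
    payload = bytes(range(256)) * 8                      # 2048 bytes = 4 sectors of sample data
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "evidence.vhd"
        copy = Path(tmp) / "working_copy.vhd"
        original.write_bytes(build_fixed_vhd(payload))
        result = make_working_copy(original, copy)
        result["footer"] = parse_footer(copy.read_bytes())
        result["raw_sha256"] = raw_payload_sha256(copy)
        result["raw_matches_payload"] = result["raw_sha256"] == hashlib.sha256(payload).hexdigest()
        # Simulate a tool that wrote to the copy: a single flipped byte must be detected.
        with open(copy, "r+b") as fh:
            fh.write(b"\xff")
        result["tamper_detected"] = not verify_unchanged(copy, result["copy_sha256"])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script and it reports the matching hashes, the decoded footer (type, virtual size, checksum status), the hash of the raw payload, and that the simulated write to the copy was caught on re-verification. The raw-payload hash is the value to compare against a RAW image produced by a converter, which is the check azrael suggests for confirming that a conversion did not alter anything.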
(@digiforentobe)
Posts: 7
Active Member
Topic starter
 

@azrael Thank you kindly for your response and your kind welcoming message; it is very appreciated.

 

Also thank you for taking the time to provide that detailed explanation, I will copy and save it and use that method. 

 
Posted : 26/03/2021 8:43 am