
VHD - forensically sound

DigiForentobe
(@digiforentobe)
New Member

Hey all, 

I'm very new to forensics, and in the learning process of things.

I have a scenario whereby I have a VHD, and need to make it forensically sound... I have googled to the best of my ability, so can I assume that if I use FTK Imager to create a copy of the VHD and then create an E01 from it, I can then use that E01 in either FTK or Autopsy? Trying to follow forensic guidelines of handling "evidence".

 

Thanks all

Topic starter Posted : 24/03/2021 1:10 pm
giandega
(@giandega)
Active Member

Check Autopsy. It should open a VHD.

Posted : 25/03/2021 8:43 am
DigiForentobe
(@digiforentobe)
New Member

@giandega

firstly thank you for your reply.

Hi, yeah, Autopsy does open a VHD with no issues. What I'm trying to do is make a copy of that VHD file using FTK or a similar tool, and then use that copy to investigate instead of using the "original" VHD.

Topic starter Posted : 25/03/2021 10:55 am
giandega
(@giandega)
Active Member

Can you do a snapshot?

Posted : 25/03/2021 2:38 pm
azrael
(@azrael)
Senior Member
Posted by: @digiforentobe

@giandega

what I'm trying to do is make a copy of that VHD file using FTK or a similar tool, and then use that copy to investigate instead of using the "original" VHD.

I'm going to take a leap here and guess that what you are trying to do is get an E01 or RAW image to look at, rather than a VHD.

You're never going to be able to use a write blocker - 'cos there is no physical disk - so you might as well use a bootable imager - now you can do this a number of ways, but the way that I would do it is download a suitable bootable Linux distribution with a Forensic leaning, and then use this to create an image "across the network" to another Linux host with sufficient disk to take the image. 

The reason that I suggest this, is because I happened to do it yesterday ...

So I downloaded an up-to-date copy of Kali, added the ISO as a virtual DVD drive, set the boot order of the VM to make the DVD the priority and disabled boot from the VHD. Then I booted the VM and chose the "Forensic" option for Kali to boot with. Then I used the following command:

dd bs=16M if=/dev/sda | ssh [email protected] "dd bs=16M of=/home/azrael/disk.img"

 You'll obviously need to change username, machine name and destination path to something relevant to you.

I happened to do this from an existing VM, so it was bootable. I suspect that if you only have the VHD file, but you were to create a new VM and include the VHD as an "existing disk" that the same technique would work.

You've said that you're new to forensics - welcome 🙂 - always make a copy to work with, it's a joy of digital forensics that we can do this ad infinitum and get a good copy. Also - it would be worth taking a hash of the VHD before and after the above process - this way you can tell if it has been modified or not - it shouldn't be, but it would be worth verifying. ( It didn't matter in my scenario, so I haven't checked it ... )

Posted : 25/03/2021 4:26 pm
Passmark
(@passmark)
Active Member

Conversion sounds like a huge waste of time. Any conversion also runs the risk of messing things up.

Duplicate the VHD file, take a hash if you want, then just work on the VHD file directly. All the decent tools will open a VHD directly, as a read only file system.

Working with the source data is not "forensically unsound".

Posted : 26/03/2021 1:32 am
azrael
(@azrael)
Senior Member
Posted by: @passmark

Conversion sounds like a huge waste of time.

Aside from the fact that's what the OP wants to do ... Also, if you can't think of a scenario where this might be desirable I'd be surprised. I can think of two at least !

Posted by: @passmark

Any conversion also runs the risk of messing things up.

Don't disagree with this though, but you could mitigate through testing and verifying your results.

Posted by: @passmark

All the decent tools will open a VHD directly, as a read only file system.

And I think perhaps this is the crux of the matter - maybe the OP, as a beginner wishes to look at something as a raw disk, perhaps they're learning by writing a script and don't want the hassle of dealing with VHD containers, perhaps their - otherwise decent - special tool doesn't handle VHDs or perhaps they're using two different "decent" tools to look at VHDs and are getting different results from each (we've all seen that play out) and they want to verify from the raw data - or as close to it as they can get. 

The OP has already gratefully declined the idea of duplication of the VHD for whatever reasons they have - and I'm not convinced that my solution is the best one - can you improve on it ?

 

Posted : 26/03/2021 6:12 am
Passmark
(@passmark)
Active Member

I suspect OP is operating under the misapprehension that everything needs to be a E01 to be "sound".

Posted : 26/03/2021 6:32 am
azrael
(@azrael)
Senior Member
Posted by: @passmark

I suspect OP is operating under the misapprehension that everything needs to be a E01 to be "sound".

You may well be right ! Not sure that either of us explained to him why that's not actually the case though 😜 

Posted by: @digiforentobe

Trying to follow forensic guidelines of handling "evidence"

Ok OP, let's back up one here - @passmark has made a good point - I'm going to go back on the basis of UK guidance, rather than anything else (your location is down as UK, so this should be fine !) - if we take a look at the ACPO Guidelines for handling digital evidence we are interested in the first two principles:

Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Let's consider your VHD file here - if you take a copy of it then you are no longer "accessing the original data" - you can work with that copy in whatever way you like for as long as you want. Even if you wanted to load it into a VM and run it - it still isn't the original evidence - it does however alter the copy that you have, so you need to consider the "relevance and the implications" of doing so.

In looking at that copied VHD - especially if you are treating it in a "read-only" manner [as most tools will do, or can be configured to do - or under Linux, make the file RO etc.] - then there are no issues of breaching either principle. 

E01 is one of several "forensic file formats", but by no means is required for a "forensically sound process".

Posted by: @passmark

Duplicate the VHD file, take a hash if you want,

What I would say is that to prove the "forensically sound" bit of the methodology of taking a copy is that you should take a hash - of both the "original" and the "copy" and then you are assured that the two are identical in content. [ Remember hashing only looks at the contents of a file - not the metadata of a file - so the fact that it is a copy will have no impact. ] You can then check this hash periodically after operations that you do ( loading it into a tool and looking through it for example ) so you can identify if any of the things you do would have had an impact on the integrity of the file.

Also, there is 100% a better way of doing this to what I proposed anyway !

If you still want to convert a VHD to another format - try qemu-convert this will allow you to create a RAW image, and if you want to take a RAW image to an E01 that has been covered here before. 

And having said all of the above - it seems that the always excellent FTK imager will allow direct conversion of VHD to E01 too.

<sigh> Should have just started there. </sigh>

Posted : 26/03/2021 7:58 am
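The copy-then-hash routine that @azrael and @passmark describe above (duplicate the VHD, hash the original and the copy, re-hash after each tool has touched the copy) is short enough to script. The block below is an added example written for this page, not code from the thread or from any forensic tool. It stands in for the VHD with a constructed 64 KiB file so it runs offline; the filenames `evidence.vhd` and `working.vhd` are assumptions. It shows three things the posts assert: that a plain file copy hashes identically to the original, that touching only metadata (timestamps) leaves the hash unchanged, and that a single written byte, such as a VM booted from the copy would produce, is caught on the next re-hash.

```python
"""Copy-and-verify workflow for a VHD evidence file (added example, not from the thread)."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images do not need to fit in RAM


def sha256_file(path):
    """Hash file contents only; ownership, timestamps and permissions are not included."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_working_copy(original, copy_path):
    """Hash the original, copy it, hash both again, make the copy read-only.
    Returns the reference hash and whether every hash agreed."""
    before = sha256_file(original)
    shutil.copyfile(original, copy_path)   # contents only, like a plain file copy
    os.chmod(copy_path, 0o444)             # working copy is read-only at the OS level
    ok = sha256_file(copy_path) == before == sha256_file(original)
    return before, ok


def still_intact(path, reference):
    """Re-run after each analysis step; False means something wrote to the file."""
    return sha256_file(path) == reference


def demo():
    """Walk the workflow on a constructed stand-in file and report each check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.vhd")   # assumed name, constructed content
        copy = os.path.join(d, "working.vhd")        # assumed name
        # Constructed stand-in for the VHD: 64 KiB of deterministic bytes, not a real image.
        with open(original, "wb") as f:
            f.write(bytes(range(256)) * 256)
        ref, results["copy_ok"] = acquire_working_copy(original, copy)
        # A tool opened the copy read-only: timestamps may change, the hash must not.
        os.utime(copy, (0, 0))
        results["metadata_change_ignored"] = still_intact(copy, ref)
        # Simulated mistake: a tool (or a booted VM) writes one byte into the copy.
        os.chmod(copy, 0o644)
        with open(copy, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff")
        results["tamper_detected"] = not still_intact(copy, ref)
        results["original_untouched"] = still_intact(original, ref)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print("%-25s %s" % (check, "ok" if passed else "FAILED"))
```

Record the reference hash in your notes at acquisition time; re-running `still_intact` after each tool session is what lets you state, under ACPO principle 2, that nothing you did altered the copy. The read-only `chmod` is a convenience, not a control: root (or a VM hypervisor opening the file for write) will ignore it, which is exactly why the hash check matters.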
DigiForentobe
(@digiforentobe)
New Member

@azrael Thank you kindly for your response and your kind welcoming message, it is very appreciated

 

Also thank you for taking the time to provide that detailed explanation, I will copy and save it and use that method. 

Topic starter Posted : 26/03/2021 8:43 am
DigiForentobe
(@digiforentobe)
New Member

@passmark hi, thanks for the reply. Unfortunately, being very new to this area, and still at the first steps of my learning, I may sound confused lol, but I always try my best to source the answer before asking on such forums.

But to answer your statement, I was under the impression that E01 was forensically sound; however, after further research, I discovered any method can be "sound".

This was more of an issue of how to preserve the original VHD, and basically make copies of it (again something I only just understood over the past day or so, still a long journey methinks).

Topic starter Posted : 26/03/2021 8:47 am
DigiForentobe
(@digiforentobe)
New Member

@azrael WOW OK! You have just answered what I was looking for! I didn't even ask this (as I semi didn't know how to put across what I needed), but this is EXACTLY what I needed. I'm clearly a NOOB!

 

Thank you again very kindly, genuinely that has helped me a huge amount.

Topic starter Posted : 26/03/2021 8:50 am
jaclaz
(@jaclaz)
Community Legend

I will make the usual remark.

A "static" (not "dynamic") VHD (not a VHDX) is nothing but a "RAW" or "dd-like" image with a single "CONECTIX" sector appended.

There is nothing really-really to "convert" "from VHD", *any* tool that can read/access/capture/image a RAW image can also read/access/capture/image a VHD.

jaclaz

Posted : 26/03/2021 5:17 pm
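jaclaz's point is easy to confirm by hand: a fixed-size VHD is the raw disk image followed by one 512-byte footer that starts with the ASCII cookie `conectix`. The block below is an added example, not from the thread or from any vendor tool; it parses that footer (big-endian fields, per the published VHD format), verifies the footer's own one's-complement checksum, and, for a fixed disk, returns the offset and length of the raw payload so it can be hashed or carved exactly as a dd image would be. The constructed fixture (`build_fixed_vhd`) wraps a four-sector fake disk in a minimal footer; the creator tag `xmpl` is made up. Handling of the 511-byte footer that pre-2004 Virtual PC wrote is an assumption (it treats the missing byte as the last reserved zero byte). Note the caveat the code encodes: the footer checksum covers only the footer, so payload integrity still rests on your own file hashes, and dynamic or differencing VHDs are not raw and need converting (qemu-img or FTK Imager) first.

```python
"""Parse a fixed VHD footer and locate the raw (dd-equivalent) payload. Added example."""
import hashlib
import struct
import time

FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427x"  # every field is big-endian
FOOTER_LEN = struct.calcsize(FOOTER_FMT)   # 512 bytes
CHECKSUM_OFF = 64                           # byte offset of the checksum field
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = 946684800                       # footer timestamps count from 2000-01-01 UTC


def footer_checksum(footer):
    """One's complement of the byte sum of the footer with its checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFF] + b"\0\0\0\0" + footer[CHECKSUM_OFF + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_footer(footer):
    """Decode the fields an examiner cares about and validate the footer checksum."""
    f = struct.unpack(FOOTER_FMT, footer)
    if f[0] != b"conectix":
        raise ValueError("no VHD footer cookie, got %r" % f[0])
    return {
        "disk_type": DISK_TYPES.get(f[11], "unknown(%d)" % f[11]),
        "data_offset": f[3],          # 0xFFFFFFFFFFFFFFFF for fixed disks
        "current_size": f[9],         # virtual disk size in bytes
        "creator": f[5].decode("ascii", "replace"),
        "created_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(VHD_EPOCH + f[4])),
        "checksum_ok": f[12] == footer_checksum(footer),
    }


def find_footer(vhd):
    """Return (offset, footer bytes). Assumption: the old 511-byte Virtual PC footer
    is the same structure minus its final reserved zero byte, so one zero restores it."""
    if vhd[-FOOTER_LEN:][:8] == b"conectix":
        return len(vhd) - FOOTER_LEN, vhd[-FOOTER_LEN:]
    short = vhd[-(FOOTER_LEN - 1):]
    if short[:8] == b"conectix":
        return len(vhd) - (FOOTER_LEN - 1), short + b"\0"
    raise ValueError("no VHD footer at end of file")


def locate_raw_payload(vhd):
    """For a fixed VHD, return (offset, length) of the raw image inside the file."""
    foot_off, footer = find_footer(vhd)
    info = parse_footer(footer)
    if info["disk_type"] != "fixed":
        raise ValueError("%s VHD: payload is not a raw image, convert it first" % info["disk_type"])
    if not info["checksum_ok"]:
        raise ValueError("footer checksum mismatch: truncated or altered file")
    if foot_off != info["current_size"]:
        raise ValueError("payload is %d bytes but footer says %d" % (foot_off, info["current_size"]))
    return 0, foot_off


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def raw_payload_hash(vhd):
    """Hash of the payload only; equals the sha256 of a dd image of the same disk."""
    off, length = locate_raw_payload(vhd)
    return sha256_hex(vhd[off:off + length])


def build_fixed_vhd(payload):
    """Constructed fixture: wrap a raw image in a minimal fixed-VHD footer (not any tool's output)."""
    fields = [b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"xmpl", 0x00010000, b"Wi2k",
              len(payload), len(payload), 0, 2, 0, b"\0" * 16, 0]
    fields[12] = footer_checksum(struct.pack(FOOTER_FMT, *fields))   # fill in checksum last
    return payload + struct.pack(FOOTER_FMT, *fields)


if __name__ == "__main__":
    # Constructed 4-sector "disk": sector 0 carries an MBR-style 0x55AA signature.
    sector0 = b"\x90" * 510 + b"\x55\xaa"
    vhd = build_fixed_vhd(sector0 + b"\x00" * 512 * 3)
    print(parse_footer(find_footer(vhd)[1]))
    print("raw payload:", locate_raw_payload(vhd), "sha256:", raw_payload_hash(vhd))
```

On a real file, read the last 512 bytes with `f.seek(-512, 2)` rather than loading the whole image; the functions above take bytes so the fixture stays self-contained. If the payload hash you get here matches the hash of an image produced by dd over the same disk, you have shown that the "conversion" from a fixed VHD is nothing more than dropping the footer, which is jaclaz's point.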