Notifications

Clear all

Virtualization forensics: How it is different?

amilads · 2010-11-16T13:08:33Z

Any one can give some ideas about what are the major differences between Virtualization forensics(analysis) and traditional forensic investigation methods? According to you experience. Your comments on this article is very much appreciated. Thanks D

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by joachimm 15 years ago

13 Posts

4 Users

0 Reactions

756 Views

RSS

MDCR

(@mdcr)

Reputable Member

Joined: 15 years ago

Posts: 376

16/11/2010 10:27 pm

As i see it, there is nothing stopping people from doing both.

"Offline" forensics has its limits and if you want a memory dump of a process with (potential) unpacked mallicious code in it (which can be hard to get to or detect in offline mode) then live forensics is the way to go.

Some malware behaves differently in a virtual machine than in a real system, but you can clone a disk and fire it up in a similar (real) piece of hardware and "watch it spin".

This will probably change in time with virtualised systems becoming less known as a "forensic coder" tool-only and more widely adopted by everyone.

ReplyQuote

amilads

(@amilads)

Active Member

Joined: 15 years ago

Posts: 7

Topic starter 16/11/2010 10:31 pm

Ok thank you for you reply.
What about imaging a virtual disk(Virtualbox)? and Snapshots?
Do we have way(or tool) to read Virtualbox snapshot(.vdi) file and RAM file(.sav) file?

ReplyQuote

joachimm

(@joachimm)

Estimable Member

Joined: 17 years ago

Posts: 181

17/11/2010 2:13 pm

Do we have way(or tool) to read Virtualbox snapshot(.vdi) file

You can convert them to RAW. I'm not sure if it still works but
vditool COPYDD vbox-image.vdi vbox-image.raw

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
198 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed