Booting an image as a forensically-sound VM in VirtualBox

Brent Muir

Virtual Machine: Forensics
- Forensically-sound means that all steps are repeatable and the source data is not modified
- A VM allows for dynamic forensic analysis (e.g. some password recovery; NirSoft tools can be used)
- A VM can be used to show exactly what the user saw
- This method is based on the research by Jimmy Weg (http://justaskweg.com)
VirtualBox

- All open source / freeware tools:
  - VirtualBox (v 4.2x)
  - FTK Imager (v 3.x)
  - Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM passwords)
  - OpenGates (for hardware/driver issues)
STEP 1
MOUNTING YOUR IMAGE
- Using FTK Imager, mount your suspect's image as a physical disk (note which physical disk number it is allocated)

STEP 2
CREATE & MODIFY A VM
- To use VirtualBox you must create a blank .VMDK
  - Open CMD and navigate to the VirtualBox program folder (C:\Program Files\Oracle\VirtualBox)
  - Use the following command to create a VMDK file pointing to the physical disk of the mounted HD image:

    VBoxManage internalcommands createrawvmdk -filename "path_to_wherever_you_want_to_store.vmdk" -rawdisk \\.\PhysicalDriveX

    X being the physical drive number of the mounted image
- Once the VMDK file has been created, open VirtualBox and create a new VM based on the suspect's machine
  - Choose the same OS that was installed on the suspect's machine
- Point to the newly created VMDK as the virtual HD
- Remove the NIC
- Close the Settings window
- Click on "Start" and, straight away in the VM console window, click on Machine → Take Snapshot
- Power off the VM (it won't boot properly anyway, as the physical drive is write-blocked)
- Go back into Settings and highlight the Storage options
- Remove the newly created VMDK file and add the snapshot VMDK file instead (C:\Users\user_account\VirtualBox VMs\...\Snapshots)
STEP 3
BLANKING SAM PASSWORDS
- In the Settings menu, add the Nordahl-Hagen boot ISO as a CD image
- Start the VM
- Choose to boot from CD
- Follow the command prompts to blank the desired password(s) and reboot the VM

STEP 4
BOOTING YOUR VM
- You should now be able to boot the image as a VM
- Ensure that you still have the image mounted under FTK Imager as the same Physical Disk number
- Essentially, what you have done is create a VMDK reference file which points to the Physical Disk, and blank the SAM passwords on the HD (or, in this case, in the snapshot of the system OS)
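Steps 1 to 3 above driven from VBoxManage instead of the GUI, with a SHA-256 of the image taken before the VM ever starts so that the "source data is not modified" requirement can be checked after the session. This is an added example, not the author's code: the VBoxManage path, the Windows7 OS type, the IDE controller name and the ISO path are assumptions, and an offline VBoxManage snapshot stands in for the GUI snapshot-and-swap of the slides.

```python
"""Scripted version of the deck's Steps 1-3 plus an image integrity check.
Added example, not the author's code; the paths below are assumptions."""
import hashlib
import subprocess
import sys

# VirtualBox program folder from the deck (assumption: default install path)
VBOXMANAGE = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"

def sha256_file(path, chunk=1 << 20):
    """Stream-hash a multi-GB image without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def image_unchanged(path, hash_before):
    """Forensic-soundness check: the image must hash the same after the session."""
    return sha256_file(path) == hash_before

def build_commands(vm_name, vmdk_path, drive_number, iso_path=None, os_type="Windows7"):
    """VBoxManage calls equivalent to slides 5-11; drive_number is the
    PhysicalDrive index FTK Imager allocated, os_type is a VirtualBox OS id."""
    if not isinstance(drive_number, int) or drive_number < 0:
        raise ValueError("drive_number must be the index FTK Imager reported")
    raw = rf"\\.\PhysicalDrive{drive_number}"
    cmds = [
        # Slide 5: descriptor VMDK that points at the write-blocked physical disk
        [VBOXMANAGE, "internalcommands", "createrawvmdk",
         "-filename", vmdk_path, "-rawdisk", raw],
        # Slide 6: the guest OS type should match the suspect machine
        [VBOXMANAGE, "createvm", "--name", vm_name, "--ostype", os_type, "--register"],
        # Slide 8: no NIC, so nothing inside the image can reach the lab network
        [VBOXMANAGE, "modifyvm", vm_name, "--nic1", "none"],
        # Slide 7: attach the raw VMDK as the virtual hard disk (controller name assumed)
        [VBOXMANAGE, "storagectl", vm_name, "--name", "IDE", "--add", "ide"],
        [VBOXMANAGE, "storageattach", vm_name, "--storagectl", "IDE", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", vmdk_path],
        # Slides 9-10: an offline snapshot gives VirtualBox a differencing image to
        # write to; the physical disk itself stays write-blocked
        [VBOXMANAGE, "snapshot", vm_name, "take", "clean-before-boot"],
    ]
    if iso_path:  # Slide 11: boot the password-reset CD before the hard disk
        cmds += [
            [VBOXMANAGE, "storageattach", vm_name, "--storagectl", "IDE", "--port", "1",
             "--device", "0", "--type", "dvddrive", "--medium", iso_path],
            [VBOXMANAGE, "modifyvm", vm_name, "--boot1", "dvd", "--boot2", "disk"],
        ]
    return cmds

if __name__ == "__main__":  # usage: boot_image.py IMAGE VM_NAME VMDK DRIVE_NO [ISO]
    image, vm, vmdk, drive = sys.argv[1:5]
    before = sha256_file(image)  # baseline taken before the VM ever starts
    for cmd in build_commands(vm, vmdk, int(drive), sys.argv[5] if len(sys.argv) > 5 else None):
        subprocess.run(cmd, check=True)
    print("image SHA-256 before session:", before)
```

After powering off the VM and unmounting the image in FTK Imager, call image_unchanged(image, before) with the printed hash; a mismatch means writes reached the source image and the session is not forensically sound.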
OpenGates

- Windows OSes often complain about hardware and system changes in relation to licensing/activation
  - This can result in an inaccessible VM
- OpenGates allows you to:
  - Patch the registry in order to enable legacy IDE drivers
  - Remove drivers that could conflict with the new hardware
  - Determine the HAL in use
- If you encounter this issue, start the VM with the OpenGates ISO as the first boot option and follow the prompts
REFERENCES

- Nordahl-Hagen NT Password Reset Boot CD - http://pogostick.net/~pnh/ntpasswd/
- NTPWEDIT - http://cdslow.webhost.ru/ntpwedit/
- OpenGates - https://www.pinguin.lu/index.php
- VirtualBox - http://www.virtualbox.org
- Weg, J. - http://justaskweg.com/
