Booting a forensic image as a Virtual Machine (VM) with freeware and open source tools (VirtualBox)
Booting an image as a forensically-sound VM in VirtualBox
Brent Muir
Virtual Machine: Forensics
Forensically-sound means that all steps are repeatable & source data is not modified
VM allows for dynamic forensic analysis (e.g. some password recovery, NirSoft tools can be used)
VM can be used to show exactly what the user saw
This method is based on the research by Jimmy Weg (http://justaskweg.com)
VirtualBox
All Open Source / freeware tools:
VirtualBox (v 4.2x)
FTK Imager (v 3.x)
Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM passwords)
OpenGates (for hardware/driver issues)
STEP 1
MOUNTING YOUR IMAGE
Using FTK Imager, mount your suspect’s image as a physical disk (note which physical disk number it is allocated)
STEP 2
CREATE & MODIFY A VM
To use VirtualBox you must first create a .VMDK file that points at the mounted physical disk
Open CMD and navigate to the VirtualBox program folder (C:\Program Files\Oracle\VirtualBox\)
Use the following command to create a VMDK file pointing to the physical disk of the mounted HD image:
VBoxManage internalcommands createrawvmdk -filename "path_to_wherever_you_want_to_store.vmdk" -rawdisk \\.\PhysicalDriveX
X being the physical drive number of the mounted image
Once the VMDK file has been created, open VirtualBox and create a new VM based on the suspect’s machine
Choose the same OS that was installed on the suspect’s machine
Point to the newly created VMDK as the virtual HD
Remove the NIC
Close the Settings window
Click on “Start” and straight away in the VM console window click on Machine > Take Snapshot
Power off the VM (it won’t boot properly anyway as the physical drive is write-blocked)
Go back into Settings and highlight the Storage options
Remove the newly created VMDK file and add the snapshot VMDK file instead (C:\Users\user_account\VirtualBox VMs\...\Snapshots\)
STEP 3
BLANKING SAM PASSWORDS
In the Settings menu add the Nordahl-Hagen boot ISO as a CD image
Start the VM
Choose to boot from CD
Follow the command prompts to blank the desired password/s and reboot the VM
STEP 4
BOOTING YOUR VM
You should now be able to boot the image as a VM
Ensure that you still have the image mounted under FTK Imager as the same Physical Disk number
Essentially what you have done is created a VMDK reference file which points to the Physical Disk and blanked the SAM passwords from the HD (or in this case the snapshot of the system OS)
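The whole of STEP 2 (and the optional ISO attach of STEP 3), plus the hash check that backs the "source data is not modified" claim from the first slide, as an added PowerShell script that is not part of the original deck. It assumes VirtualBox 4.2.x in its default folder, an image already mounted read-only by FTK Imager as \\.\PhysicalDriveX, an elevated PowerShell 4+ session (raw disk access needs it, Get-FileHash needs 4+), and hypothetical case paths; the snapshot is taken while the VM is still powered off, so every write from the first boot on lands in the differencing VMDK in the Snapshots folder (the file the slides reattach by hand) and never on the raw disk.

```powershell
# Added example, not from the original slides. Build the evidence VM once, then
# re-run with -Verify after the VM session to prove the source image file still
# hashes exactly as it did before any VM work. All paths below are hypothetical.
param(
    [Parameter(Mandatory=$true)][int]$DriveNumber,      # the X in \\.\PhysicalDriveX
    [Parameter(Mandatory=$true)][string]$ImagePath,     # e.g. E:\case01\suspect.E01 (hypothetical)
    [string]$VmName  = "suspect-vm",
    [string]$OsType  = "Windows7",                      # choose from: VBoxManage list ostypes
    [string]$WorkDir = "C:\cases\case01\vm",            # hypothetical case folder
    [string]$BootIso = "",                              # optional: Nordahl-Hagen ISO for STEP 3
    [switch]$Verify
)
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$HashFile   = Join-Path $WorkDir "image-sha256.txt"

function Get-Sha256([string]$Path) { (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash }
function Assert-Ok([string]$Step) {
    # VBoxManage reports failure through its exit code, not through PowerShell errors
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage failed during: $Step" }
}

if ($Verify) {
    # After the session: the baseline hash taken before any VM work must still match
    $expected = (Get-Content $HashFile).Trim()
    $actual   = Get-Sha256 $ImagePath
    if ($actual -ne $expected) { throw "Source image CHANGED: before=$expected after=$actual" }
    Write-Host "Source image unchanged (SHA-256 $actual)"
    return
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Get-Sha256 $ImagePath | Set-Content $HashFile         # baseline hash, recorded before any VM work
$rawVmdk = Join-Path $WorkDir "$VmName-raw.vmdk"

# STEP 2: raw VMDK that only points at the write-blocked physical disk exposed by FTK Imager
& $VBoxManage internalcommands createrawvmdk -filename $rawVmdk -rawdisk "\\.\PhysicalDrive$DriveNumber"; Assert-Ok "createrawvmdk"
# STEP 2: VM of the suspect's OS type, NIC removed, raw VMDK as the only hard disk
& $VBoxManage createvm --name $VmName --ostype $OsType --register --basefolder $WorkDir; Assert-Ok "createvm"
& $VBoxManage modifyvm $VmName --nic1 none; Assert-Ok "modifyvm"
& $VBoxManage storagectl $VmName --name "IDE" --add ide; Assert-Ok "storagectl"
& $VBoxManage storageattach $VmName --storagectl "IDE" --port 0 --device 0 --type hdd --medium $rawVmdk; Assert-Ok "attach hdd"
# STEP 2: snapshot while powered off; all later writes go to the differencing VMDK under Snapshots
& $VBoxManage snapshot $VmName take "pre-boot" --description "clean state before first boot"; Assert-Ok "snapshot"
# STEP 3 (optional): password reset ISO as the first boot device
if ($BootIso) {
    & $VBoxManage storageattach $VmName --storagectl "IDE" --port 1 --device 0 --type dvddrive --medium $BootIso; Assert-Ok "attach iso"
    & $VBoxManage modifyvm $VmName --boot1 dvd --boot2 disk; Assert-Ok "boot order"
}
Write-Host "VM '$VmName' ready; baseline hash saved to $HashFile. Re-run with -Verify after the session."
```

The raw VMDK is a descriptor only, so keep the FTK Imager mount in place with the same PhysicalDrive number for every boot, exactly as STEP 4 requires.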
OpenGates
Windows OSes often complain about hardware and system changes in relation to licensing/activation, which can result in an inaccessible VM
OpenGates allows you to:
Patch the registry in order to enable legacy IDE drivers
Remove drivers that could conflict with the new hardware
Determine the HAL in use
If you encounter this issue, start the VM with the OpenGates ISO as the first boot option and follow the prompts
REFERENCES
Nordahl-Hagen NT Password Reset Boot CD - http://pogostick.net/~pnh/ntpasswd/
NTPWEDIT - http://cdslow.webhost.ru/ntpwedit/
OpenGates - https://www.pinguin.lu/index.php
VirtualBox - http://www.virtualbox.org
Weg, J. - http://justaskweg.com/