Forensics virtualization


Ibernato
Newbie
 

Forensics virtualization

Post Posted: Apr 18, 19 13:56

Hi,
I'm new to the world of forensics. At university I'm taking a course and I'm passionate about this subject.
We have seen the techniques for analyzing the contents of RAM, hard disk and so on.
Now I'd like to do a project on forensic cloud, in particular on virtualization.
Do you have any guide or do you know any tools to analyze the virtualized environment (Vbox for example)?
 
  

Omnius
Member
 

Re: Forensics virtualization

Post Posted: Apr 18, 19 14:16

You can quite easily create a VM in VirtualBox with a hard drive image. Found Linux/Windows OS easier to VM than Mac OSX. But they can still be a bit tricky.


Here's a quick little guide for VirtualBox:

1. Mount image of the HDD in FTK for example as Block Device/Writable (note the physical disk number).

2. Load up VirtualBox

3. Open Command Prompt, enter "cd C:\Program Files\Oracle\VirtualBox" and execute, following that enter:

"vboxmanage internalcommands createrawvmdk -filename "C:\CHOOSE YOUR PATH\NAME.vmdk" -rawdisk \\.\PhysicalDrive#"

Replace the # with the drive number you noted earlier.


You should now have a VMDK created in your location of choosing. If you have an error about it being unable to create the file, run everything again as Admin.

You can now create a new VM within VirtualBox and select the VMDK you created as an existing drive.

Be aware that by default a shared internet connection is created; make sure that this is disabled in settings.


As for your project, maybe take a look at Microsoft OneDrive, it can create some interesting files such as reparse points etc  
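
A pre-boot check for the networking caveat in the guide above, added here as an example and not part of the original post: it parses the output of `VBoxManage showvminfo <vm> --machinereadable`, lists every adapter that is not set to `none`, and builds the `modifyvm` calls that turn them off. The VM name `evidence-vm` and the sample output are constructed for illustration.

```python
import re
import subprocess
import sys

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# (trimmed); the VM name "evidence-vm" is hypothetical.
SAMPLE = '''name="evidence-vm"
ostype="Windows10_64"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="none"
nic3="bridged"
bridgeadapter3="Ethernet"
'''

# Matches nic1="nat" but not nictype1=... or cableconnected1=...
NIC_LINE = re.compile(r'^nic(\d+)="([^"]*)"$')


def enabled_nics(info_text):
    """Return {adapter number: mode} for every adapter not set to "none"."""
    found = {}
    for line in info_text.splitlines():
        m = NIC_LINE.match(line.strip())
        if m and m.group(2) != "none":
            found[int(m.group(1))] = m.group(2)
    return found


def disable_commands(vm, nics):
    """Build the VBoxManage calls that set each enabled adapter to none."""
    return [["VBoxManage", "modifyvm", vm, f"--nic{n}", "none"]
            for n in sorted(nics)]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: query the named VM on this host
        vm = sys.argv[1]
        text = subprocess.run(
            ["VBoxManage", "showvminfo", vm, "--machinereadable"],
            capture_output=True, text=True, check=True).stdout
    else:                  # offline mode: use the constructed sample
        vm, text = "evidence-vm", SAMPLE
    nics = enabled_nics(text)
    for cmd in disable_commands(vm, nics):
        print(" ".join(cmd))
    sys.exit(1 if nics else 0)  # non-zero exit: do not boot the VM yet
```

Run it with the VM powered off; a non-zero exit means at least one adapter is still attached and the printed commands have not yet been applied.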
 
  

Ibernato
Newbie
 

Re: Forensics virtualization

Post Posted: Apr 18, 19 15:56

Hi,
let's see if I understood correctly.
I now have a virtual machine on which I have installed Windows 10.
Now, to do forensic analysis of the virtual machine, with FTK manager I have to create a copy of the Windows 10 image of the virtual machine.
Quite right?  
 
  

jaclaz
Senior Member
 

Re: Forensics virtualization

Post Posted: Apr 18, 19 16:12

- Ibernato

Now I'd like to do a project on forensic cloud, in particular on virtualization.
Do you have any guide or do you know any tools to analyze the virtualized environment (Vbox for example)


Excuse me, but I don't get it.

VirtualBox in itself is (only) a (local) virtual machine, i.e. a software reproducing (in an as accurate way as possible) a "real" (local) machine; it is analyzed exactly (or in a very, very similar way) as a "real" (local) machine.

Cloud is an entirely different topic/methodology/etc., and has a number of sub-topics, a virtual machine on the cloud is only one of them, see as a quick reference:
www.techopedia.com/7/2...ualization

Starting from VirtualBox 6.0 you can export the VM to Oracle Cloud, and there are Cloud services offering VirtualBox in the cloud, *like*:
hostedvirtualbox.com/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Rich2005
Senior Member
 

Re: Forensics virtualization

Post Posted: Apr 18, 19 16:17

I'm not entirely sure about the question, but if you have access to the files that make up the virtualized environment, i.e. primarily the disk image of the virtualized environment (i.e. a VMDK for VMware), then most modern forensic tools should be able to parse it for you, to examine as you would any other disk. I think they probably will for VirtualBox VDIs too (although less sure about that off the top of my head).
 
