Hi everyone,
I'm using a VirtualBox virtual machine on which I installed Windows 7. Then I downloaded ransomware and ran it. All right.
Now I would like to examine the file with tools for forensic analysis.
My question is, if I convert the file with FTK Imager, is there a risk that the real computer will be infected?
I run FTK on the real machine and not on a virtual machine.
Which file? The disk image (vhd or vmdk or *whatever* you used as the backing file for the install of 7 in VirtualBox)?
What do you mean by "convert" with FTK?
You mean FTK Imager, right?
Generally speaking, *some* risk with ransomware (and viruses, etc.) is always present, and anyway a forensic machine should in theory be
1) air-gapped
2) freshly installed/reimaged from a verified install
3) have no access to *any* important data
besides avoiding the possibility that the ransomware/virus/whatever may damage the machine or its contents, or contents accessible from the machine, this also guarantees (as much as possible) the integrity of the image/files under exam and the reliability of the findings of the investigation.
More specifically, with ransomware, as long as you do not execute any of the executables (or scripts, etc.) on the "infected" machine you are safe; still, some caution is needed for the settings of the forensic machine. Only as an example, autoplay should be disabled, i.e. the OS should be either "throwaway" (or "volatile", like a PE or an OS in a ramdisk) or "hardened"; see also
https://www.forensicfocus.com/Forums/viewtopic/t=13232/
jaclaz
Hello,
yes, FTK Imager.
I ran the ransomware on the virtual Windows 7 machine and the files were encrypted. The host system was not infected.
Now I want to examine the vmdk file with foremost, scalpel, etc., to see if we can recover the files.
With foremost, can I examine the vmdk file or should I convert it to the dd format?
FTK Imager is installed on the real machine, and what I wanted to know is if I convert the vmdk file with FTK Imager, is there the risk of infecting the real machine?
I want to examine the vmdk file with foremost, scalpel, etc., to see if we can recover the files.
Wow! You are genius!!! lol
You can use qemu-img for converting the virtual drive to the RAW image.
OR you can use
Are you ironic? lol
With foremost can I examine the vmdk file or should I convert it to the dd format?
A good question would be which specific .vmdk format?
Hint
My (old) VirtualBox generally uses a particular vmdk format called "monolithicFlat" that is actually two files, one very small (typically less than 1 KB) and another one as large as the virtual disk inside the VBox.
Maybe your version uses the same .vmdk format.
IF there are actually two .vmdk files, if I were you I would try opening the very small one with Notepad.
Then, check this
https://www.forensicfocus.com/Forums/viewtopic/t=15861/
As a side note, there is no such thing as a "dd format"; the essence of a file created with dd is that it is RAW, i.e. it has NO format.
Anyway, FTK can "convert" a .vmdk to dd/RAW just fine
https://
No, no risks in the "conversion".
jaclaz
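The "Hint" above (open the small .vmdk descriptor in Notepad, and check which vmdk variant you actually have) can be turned into a small check. The script below is an added example, not code from the thread or from any of the tools named in it: it parses a VMDK text descriptor, decides whether the big backing file is already raw (a single FLAT extent, so foremost/scalpel can read it directly) or whether it needs converting first (a SPARSE extent, where qemu-img or FTK Imager must produce a raw file), compares the declared extent size with the real file size, and builds the Kali commands without running them. The descriptor text and the filename "win7-flat.vmdk" are constructed for the example; nothing inside the image is ever opened for execution, only read.

```python
"""Inspect a VMDK text descriptor and plan a read-only carving workflow.

Added example (not from the forum thread). The descriptor below is a
constructed stand-in for the small text file of a "monolithicFlat" VMDK;
the filename "win7-flat.vmdk" is an assumption.
"""
import os
import re
import shlex

SECTOR = 512  # VMDK extent sizes are given in 512-byte sectors

# Constructed sample: what the tiny descriptor file typically looks like.
SAMPLE_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=a1b2c3d4
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 20971520 FLAT "win7-flat.vmdk" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "1305"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
"""

# Extent line: ACCESS SIZE TYPE "FILENAME" [OFFSET]
EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+'
    r'(?P<type>FLAT|SPARSE|ZERO|VMFSSPARSE|VMFS)'
    r'(?:\s+"(?P<file>[^"]*)")?(?:\s+(?P<offset>\d+))?\s*$',
    re.MULTILINE)


def parse_descriptor(text):
    """Return the createType and the extent table of a VMDK descriptor."""
    m = re.search(r'^createType\s*=\s*"([^"]+)"', text, re.MULTILINE)
    extents = [{
        "access": e.group("access"),
        "sectors": int(e.group("sectors")),
        "type": e.group("type"),
        "file": e.group("file"),
        "offset": int(e.group("offset") or 0),
    } for e in EXTENT_RE.finditer(text)]
    return {"create_type": m.group(1) if m else None, "extents": extents}


def expected_bytes(desc):
    """Total virtual disk size in bytes, from the extent table."""
    return sum(x["sectors"] for x in desc["extents"]) * SECTOR


def carve_strategy(desc):
    """'direct': one FLAT extent at offset 0, the big file already IS raw.
    'concatenate': several FLAT extents (split flat layout), cat them in order.
    'convert': sparse/VMFS extents, a converter must produce the raw image."""
    if not desc["extents"]:
        raise ValueError("no extents found in descriptor")
    kinds = {x["type"] for x in desc["extents"]}
    if kinds == {"FLAT"}:
        ext = desc["extents"]
        return "direct" if len(ext) == 1 and ext[0]["offset"] == 0 else "concatenate"
    return "convert"


def check_extent_sizes(desc, size_of=os.path.getsize):
    """Compare each FLAT extent's declared size with the backing file's real
    size. A short file means a truncated or mismatched extent. size_of is
    injectable so the check can be exercised without touching disk."""
    report = []
    for x in desc["extents"]:
        if x["type"] != "FLAT":
            continue
        want = x["offset"] + x["sectors"] * SECTOR
        try:
            have = size_of(x["file"])
        except OSError:
            have = None
        report.append((x["file"], want, have, have is not None and have >= want))
    return report


def plan_commands(desc, descriptor_path, out_dir="carved"):
    """Build (do not run) the Kali-side commands. Every step only reads the
    source image: qemu-img reads the vmdk, sha256sum reads the raw file,
    foremost reads the raw file. Nothing from inside the image executes."""
    strategy = carve_strategy(desc)
    cmds = []
    if strategy == "direct":
        image = desc["extents"][0]["file"]
    elif strategy == "concatenate":
        image = "disk.raw"
        parts = " ".join(shlex.quote(x["file"]) for x in desc["extents"])
        cmds.append("cat %s > disk.raw" % parts)
    else:
        image = "disk.raw"
        cmds.append("qemu-img convert -f vmdk -O raw %s disk.raw"
                    % shlex.quote(descriptor_path))
    cmds.append("sha256sum %s" % shlex.quote(image))  # hash before carving, and again after
    cmds.append("foremost -t all -i %s -o %s" % (shlex.quote(image), shlex.quote(out_dir)))
    return strategy, cmds


if __name__ == "__main__":
    desc = parse_descriptor(SAMPLE_DESCRIPTOR)
    print(desc["create_type"], carve_strategy(desc), expected_bytes(desc))
    for line in plan_commands(desc, "win7.vmdk")[1]:
        print(line)
```

Running the hash command before and after carving gives the integrity evidence jaclaz mentions: if the two sha256 values differ, something wrote to the image, and the findings are suspect. If you also mount the raw image to browse it, keep it read-only and non-executable (for example `mount -o ro,noexec,loop,offset=<partition start>`), which is the Linux equivalent of the "autoplay disabled, nothing from the image gets run" rule.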
My question is, if I convert the file with ftk imager, is there a risk that the real computer will be infected?
I guess the real question is, when you say "convert", what do you mean?
If the VM is a .vmdk file, there is no need to convert anything…the image will open just fine in FTK Imager.
Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?
Convert the file from vmdk to raw.
I have to examine the vmdk file in Kali Linux with foremost, scalpel, etc., to see if I can recover the files.
It is for the purpose of a university thesis.
So I need to be able to pass the vmdk file to Kali Linux so that the tools mentioned can examine the disk image.
Do you understand?
Rest assured the matter is clear, and BTW I already posted the answers to your questions, but you missed answering the actual questions by keydet89:
Now, following the Socratic method, if you were to open the image in FTK Imager, what are your thoughts as to how the host system would be infected? What things or steps would have to occur for that to happen?
jaclaz
My doubt is: if I open the vmdk file with FTK Imager, is there a risk that the real system may become infected by opening it?
The ransomware process is activated at every startup.