Linux base, Windows VM Forensics.

(@buster)
Posts: 28
Eminent Member
Topic starter
 

Is anyone conducting forensic examinations using a Linux host and running Windows (variants) in a VM so that EnCase, FTK, etc. can be used? I have read a few short entries on various forums that some practitioners are using a Mac base with VMware Fusion or Parallels for all investigations.

If you are, perhaps you could throw up some comments regarding the best distro to use as a base, the most useful VM with regards to interoperability between guest and host (such as drag and drop between them, etc.). Are there any dongle issues or other problems that would prevent this kind of setup being usable?

Any thoughts would be useful.

Stu

 
Posted : 21/10/2008 9:45 pm
(@echo6)
Posts: 87
Trusted Member
 

Hi Stu! :)

We are using Ubuntu 8.10.1 x86_64. The only sad issue thus far is that the smart-mount binary is not available for x86_64, although boxy and Andy Rosen have assured me that there will be a binary available soon!

No surprise though that all the other Open Source forensic tools work sweetly :-)

FTK2 sucks, sorry AccessData! Not tried 1.8x.
EnCase crashes frequently as expected LOL. No, seriously, it is OK, although there are performance overheads, but I'm sure with appropriate and careful choice of hardware you could minimise this.

Advantages for using x86_64:
Can utilise and allocate memory more efficiently to a vmware machine.
Separation of case per vm machine as needed.
Can maintain and allocate a base image on a case by case basis.
Some issues we have experienced though are as follows:
Raw access to evidence files: I prefer to use vm shares; slight overhead, but not really noticeable, and IME better than network shares. Having said that, for access to certain files within our lab we use Windows shares.
Ah, forgot: there is a bug with Ubuntu and Windows shares that we haven't been able to resolve; not really too much of an issue, but it can be confusing when navigating.
A further issue with Windows shares (a limitation of Windows rather than Linux): care needs to be taken when considering case-sensitive directories or files.
Complex keyword searches take more time.
Sometimes display of objects can also take more time, and you notice lag more when moving around.
White screen of death still plagues EnCase 😉

Personal opinion based on experience thus far. Wish we had better hardware to cope; perhaps we are expecting too much. Perhaps two separate forensic workstations, one with Windows and one for Linux, would be better. Having said that, on certain cases I'm finding it extremely useful to have the flexibility of Linux as the main OS and vmware for hosting EnCase and other forensic tools.

n.b. Our hardware consists of dual quad-core Xeon CPUs with 8GB of RAM; the forensic workstations are approaching 18 months to 2 years of age.

 
Posted : 22/10/2008 3:31 am
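One practical check for the case-sensitivity caveat raised in the post above (an added example, not code from the thread or from either poster): a POSIX shell function that lists the names in an evidence tree on the Linux host which will collide once a Windows guest sees them case-insensitively over a VM or SMB share, so the examiner knows which files will be shadowed or unreachable from EnCase or FTK before the share is exported. It assumes only POSIX sh, find, sed and awk; the directory path is taken as an argument.

```shell
#!/bin/sh
# Added example, not from the thread. Windows resolves "Notes.TXT" and
# "notes.txt" to the same path, so an evidence tree that relies on Linux
# case sensitivity loses one of the two files when viewed through a share.
# This function reports every group of paths that differ only by case.

# find_case_collisions DIR
# Prints each colliding group (one path per line, blank line between groups)
# and returns 1 if any collision exists, 0 if the tree is safe to export.
find_case_collisions() {
    # Walk relative to DIR so the key does not depend on the absolute path;
    # `find .` always prints "." first, which sed drops.
    (cd "$1" && find . -print) | sed '1d' | awk '
        {
            key = tolower($0)               # how a case-insensitive client sees it
            n[key]++
            paths[key] = paths[key] (n[key] > 1 ? "\n" : "") $0
        }
        END {
            hits = 0
            for (k in n) {
                if (n[k] > 1) { print paths[k]; print ""; hits++ }
            }
            if (hits > 0) exit 1
            exit 0
        }'
}

# Usage: sh thisscript.sh /path/to/evidence_tree
[ -n "$1" ] && find_case_collisions "$1"
```

An exit status of 1 from the function is the signal to rename or re-export the affected items before handing the share to the Windows guest.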