VM Ware

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
  

debaser_
Senior Member
 

VM Ware

Post Posted: Jan 23, 06 23:06

Does anyone use VMware in any part of the investigations? I use Windows for my day-to-day tasks and hate to reboot to use a live CD or my Debian install. I have decided just to create a virtual Debian install under which to run TSK. Just wondering if anyone else goes for this approach.
 
  

keydet89
Senior Member
 

Re: VM Ware

Post Posted: Jan 24, 06 00:01

To answer your first question, I use VMWare all the time. I have XP Home as my base system, and VM images for XP Pro, 2K, and 2K3. It's great for testing, imaging, etc.

Harlan  
 
  

Andy
Senior Member
 

Re: VM Ware

Post Posted: Jan 24, 06 01:13

Same here, IMHO VMWare is a must have for Forensic Computing. I have a library of guest OS's to work and play with. I like the 'Team' feature, where you can create virtual networks. Great for testing system settings and experiments.

Andy  
 
  

bshavers
Senior Member
 

Re: VM Ware

Post Posted: Jan 28, 06 04:36

I also use VMWare for restoration of images for several reasons.
1) When I don't have the software to view certain files from the suspect machine, I restore the image and view them that way;
2) To show to court, lawyers, or investigators what the suspect machine looked like when running (with video and screen captures as well). Jurors will more easily understand explanations of how programs are set to run automatically (as an example) when they can see it happening real time, just like their computer at home;
3) When a restoration is not possible on the suspect machine, and/or I expect lots of hardware issues on a different machine for restoration, I'll do it in VMWare instead of a real machine as VMWare takes care of many restoration issues.
4) To prove/disprove allegations that the computer has a 'ghost/virus' in it when the evidence was downloaded/copied/printed, etc... by running the programs real time. The use of VMWare is endless for forensics.

Last edited by bshavers on Dec 19, 08 02:02; edited 2 times in total
 
  

keydet89
Senior Member
 

Re: VM Ware

Post Posted: Jan 28, 06 17:14

Brett,

> Jurors will more easily understand

Thanks for bringing up this extremely important side of forensic analysis and presentation. In many cases, this is what it comes down to...does a jury understand?

Harlan  
 
  

debaser_
Senior Member
 

Re: VM Ware

Post Posted: Jan 28, 06 20:11

- bshavers
> I also use VMWare for restoration of images for several reasons.
> 1) When I don't have the software to view certain files from the suspect machine, I restore the image and view them that way;
> 2) To show to court, lawyers, or investigators what the suspect machine looked like when running (with video and screen captures as well). Jurors will more easily understand explanations of how programs are set to run automatically (as an example) when they can see it happening real time, just like their computer at home;
> 3) When a restoration is not possible on the suspect machine, and/or I expect lots of hardware issues on a different machine for restoration, I'll do it in VMWare instead of a real machine as VMWare takes care of many restoration issues.
> 4) To prove/disprove allegations that the computer has a 'ghost/virus' in it when the evidence was downloaded/copied/printed, etc... by running the programs real time. The use of VMWare is endless for forensics.



You have a machine up and running in the court room? Or you have a video demonstration that you show them? Either way still a good idea. It's little things like this that bring a human element into the mix, and I like that. Things get too dry and boring when it's all bits and bytes.
 
  

bshavers
Senior Member
 

Re: VM Ware

Post Posted: Jan 29, 06 11:29

Best is to practice before court to make the best video. Bring the recorded video in case the real-time suspect drive does what technology usually does (malfunction at the most important times...) so that can be shown as a back up. Also, when I am demonstrating a restored suspect drive with VMWare, I capture it as a video at the same time (VMWare can do that for it), and leave that video file to the attorney/detective/etc... for their reference.

Another nice feature is the ability to create 'snapshots' in time, in order to always be able to start from the freshly restored drive without having to restore from the beginning.

Ok, another nice feature I have found to be beneficial (and cheap), is using the free VM Player. The general detectives in my agency have the ability to view restored drives given to them by examiners which they can view on their desktop. No need to purchase the full versions when the detectives can benefit viewing the machines.

Just can't say enough about VMWare.  
 
