Relation between evidences and VMWare

iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Hello people,

I've been lately reading about using VMWare in Forensic Investigations, and the idea seems quite interesting. However, I've downloaded the VMWare Server (for free) and I can't understand how to run an E01 or a dd file with this application. Any suggestions?

Thanks in advance

 
Posted : 12/05/2006 6:03 pm
(@nbeattie)
Posts: 26
Eminent Member
 

There is another thread running that discusses alternatives to VMWare.

Qemu is one you can use that is free and will work with dd files. Worth a look.

Neil

 
Posted : 12/05/2006 8:05 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There is a PPT-to-PDF presentation I have from another forum…I'll ask the author's permission to repost it.

It's unfortunate that others don't seem to see what you're asking…

H

 
Posted : 12/05/2006 10:32 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Thank you guys for your responses, but especially to Keydet89. If you could find that presentation it'd be great, because I am mainly interested in VMWare rather than its alternatives. I suppose there must exist some kind of converter between the VMWare format and the one from DD, EnCase or FTK. Any other suggestion?

Thanks!!

 
Posted : 12/05/2006 10:56 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not sure why you think that there would be some kind of conversion format for going between an EnCase image and a VMWare image…they are two completely different things.

Until I hear back from the author of the presentation, I thought that maybe Google might provide some insight:
http://www.guidancesoftware.com/support/articles/HDRestoreEnCaseVMWare.asp

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=99
(scroll down to Mark777's method…)

…etc….

 
Posted : 13/05/2006 3:23 pm
(@jimmyw)
Posts: 64
Trusted Member
 

If you have access to the ForensicWiki, I posted an article on booting dd images with VMware: http://www.sandersonforensics.com/wiki/index.php?title=Virtual_Machine. In my experience, if you use the method I described, or the one in the paper that I cited, you should have a very high rate of success (95%+). My process will not work directly with E01 files, but you can use them if you mount them (with Mount Image Pro) and restore them to a virtual disk. Of course, you can always convert an E01 to dd. Once you have a dd image, you can use it directly without alteration or the need to restore it to a virtual disk.

 
Posted : 13/05/2006 7:41 pm
(@jsawyer)
Posts: 35
Eminent Member
 

I am cheating by including an e-mail I had sent to the WindowsForensicAnalysis Yahoo Group back in March. In addition to what is below for VMware Player/Workstation, you can use AccessData's FTK Imager to convert your E01 file to a dd image. It is a free tool and is a good tool to keep on a USB drive. http://www.accessdata.com/support/downloads/

<SNIP>
There are lots of free options out there using VMware Player. Since this is a Windows related forensics list, I will stick to only Windows related answers. Below are many links that describe how to create configuration files that can be used with VMware Player (and Workstation). You can create them manually or using some tools that have been created to make the files based on OS specifications you provide. I would recommend reading the pages that describe how the config files work before using the automated tools so you can troubleshoot better if something goes wrong. Keep us posted on your success as I am sure others on this list would like to know also.

http://chitchat.at.infoseek.co.jp/vmware/vdk.html (This was probably the first article about how to use VMware Player and create your own VMs)

http://www.lorenzoferrara.net/pivot/entry.php?id=73

http://www.skrodahl.net/easyvmx/

http://www.consolevision.com/members/dcgrendel/vmxform.html

http://petruska.stardock.net/software/VMware/ (create and modify existing virtual disks and configs)

http://sanbarrow.com/
</SNIP>

 
Posted : 14/05/2006 12:19 pm
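Jimmy's post describes booting a raw dd image directly in VMware, and the e-mail above points at tools that generate the VMware configuration files for you. The script below is an added example written for this page, not code from the thread, from the linked tools, or from VMware: it hand-writes the two files those tools produce, a "monolithicFlat" VMDK descriptor that points at the dd image as a single flat extent, and a minimal .vmx that attaches that descriptor in independent-nonpersistent mode so guest writes go to a redo log and the evidence file is never modified. It assumes POSIX sh, a raw (not E01) image with 512-byte sectors, an IDE adapter with the conventional 16-head/63-sector geometry, and the hypothetical file names evidence.dd/.vmdk/.vmx.

```shell
#!/bin/sh
# Added example (not from the thread): build a VMware "monolithicFlat" VMDK
# descriptor for a raw dd image, plus a minimal .vmx that attaches it
# non-persistently so the evidence file itself is never written to.
# Assumptions: POSIX sh, raw image, 512-byte sectors, IDE adapter.

# Size of a file in bytes (wc -c is POSIX; stat flags differ between GNU and BSD).
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Total 512-byte sectors in the image; refuses images that are not sector-aligned,
# since a truncated or partially copied image would otherwise boot silently.
image_sectors() {
    size=$(file_size_bytes "$1")
    [ $((size % 512)) -eq 0 ] || { echo "image size is not a multiple of 512 bytes" >&2; return 1; }
    echo $((size / 512))
}

# CHS geometry for the descriptor: 16 heads x 63 sectors per track is the
# conventional IDE choice; cylinders is rounded down.
cylinders_for_sectors() {
    echo $(( $1 / (16 * 63) ))
}

# Write the descriptor for image $1 to $2. The image is referenced by the
# name given, so keep the .vmdk next to the image or pass a full path.
write_vmdk_descriptor() {
    img=$1; out=$2
    sectors=$(image_sectors "$img") || return 1
    cyl=$(cylinders_for_sectors "$sectors")
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW $sectors FLAT "$img" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
}

# Write a minimal .vmx ($2) attaching descriptor $1 as the primary IDE disk.
# independent-nonpersistent: guest writes land in a redo log discarded at
# power-off, so the dd image stays unchanged. Networking is left off so the
# booted evidence system cannot reach anything.
write_vmx() {
    vmdk=$1; out=$2
    cat > "$out" <<EOF
config.version = "8"
virtualHW.version = "4"
displayName = "evidence-boot"
guestOS = "winxppro"
memsize = "512"
ide0:0.present = "TRUE"
ide0:0.fileName = "$vmdk"
ide0:0.mode = "independent-nonpersistent"
ethernet0.present = "FALSE"
EOF
}

# Usage: sh make_vmdk.sh evidence.dd   (hypothetical file name)
if [ "$#" -ge 1 ]; then
    chmod a-w "$1"      # belt and braces: evidence read-only on the host as well
    write_vmdk_descriptor "$1" "${1%.dd}.vmdk"
    write_vmx "${1%.dd}.vmdk" "${1%.dd}.vmx"
    echo "wrote ${1%.dd}.vmdk and ${1%.dd}.vmx"
fi
```

Hash the dd image before and after the first boot; with the non-persistent mode and the host-side chmod both in place the hashes should match, which is the check that makes the booted copy usable as evidence rather than just a convenience. The script only covers raw images; an E01 still has to be converted (FTK Imager as mentioned above, or libewf's ewfexport) before it can be referenced as a flat extent.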
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

I did it! I finally could "run" an EnCase evidence file by using VMWare Server. It seems quite useful to make a forensic analysis from the live-system point of view with several other tools.
However… I still have one question I would like someone to clarify if possible… what are the differences between the VMWare Server (which is free downloadable!!) and the VMWare Workstation (which is definitely not!!)?

 
Posted : 17/05/2006 9:00 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

If you have access to the ForensicWiki, I posted an article on booting dd images with VMware: http://www.sandersonforensics.com/wiki/index.php?title=Virtual_Machine. In my experience, if you use the method I described, or the one in the paper that I cited, you should have a very high rate of success (95%+). My process will not work directly with E01 files, but you can use them if you mount them (with Mount Image Pro) and restore them to a virtual disk. Of course, you can always convert an E01 to dd. Once you have a dd image, you can use it directly without alteration or the need to restore it to a virtual disk.

Thanks Jimmy - FYI the wiki can now be accessed at www.forensicwiki.com

cheers
Paul

 
Posted : 17/05/2006 9:52 pm