Starting with V7 of OSForensics, booting a forensic image of a system disk as a virtual machine has never been easier. Previously, this process was typically conducted using various third-party Linux tools and required many cumbersome steps. This ‘manual’ way also required the user to convert their forensic image to a RAW image format if it happened to be in a more popular evidence container such as .E01, because hypervisors cannot read that format directly.
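The manual route described above, as an added example that is not OSForensics' own code: a small Python wrapper that presents an E01 image as raw through xmount, boots it under QEMU with every guest write redirected to a throwaway overlay and no network attached, and hashes the image before and after the session to prove the evidence file was not touched. The mount point, the name xmount gives its raw output file, and the presence of xmount and qemu-system-x86_64 on PATH are assumptions.

```python
"""Manual route for booting a forensic image (added example, not OSForensics code)."""
import hashlib
import subprocess
import sys
from pathlib import Path

# Placeholder mount point for the raw view of an E01 image (assumption).
RAW_MOUNT = Path("/mnt/evidence_raw")


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def raw_view_command(image):
    """Return the argv that exposes a non-raw image as a raw file, or None.

    Hypervisors cannot read the Expert Witness (.E01) container, so it has to
    be presented as raw first. xmount does this as a FUSE view without writing
    a converted copy to disk. Assumption: xmount is on PATH.
    """
    suffix = Path(image).suffix.lower()
    if suffix in (".e01", ".ex01"):
        return ["xmount", "--in", "ewf", str(image), "--out", "raw", str(RAW_MOUNT)]
    if suffix in (".raw", ".dd", ".img", ".001"):
        return None  # already raw, boot it directly
    raise ValueError(f"unsupported image format: {suffix}")


def qemu_boot_command(raw_image, memory_mb=2048):
    """Build the QEMU argv that boots the image without ever writing to it.

    -snapshot redirects every guest write to a temporary overlay, so the
    evidence file stays byte-identical; -nic none keeps a possibly infected
    guest off the examiner's network. if=ide is used because many Windows
    images lack virtio drivers. Assumption: qemu-system-x86_64 is on PATH.
    """
    return [
        "qemu-system-x86_64",
        "-m", str(memory_mb),
        "-snapshot",
        "-nic", "none",
        "-drive", f"file={raw_image},format=raw,if=ide",
    ]


def session_commands(image):
    """Full command sequence for one boot session, as argv lists."""
    cmds = []
    mount = raw_view_command(image)
    if mount is None:
        raw_path = Path(image)
    else:
        cmds.append(mount)
        # xmount names its raw output <stem>.dd inside the mount point (assumption).
        raw_path = RAW_MOUNT / (Path(image).stem + ".dd")
    cmds.append(qemu_boot_command(raw_path))
    if mount is not None:
        cmds.append(["fusermount", "-u", str(RAW_MOUNT)])
    return cmds


def run_session(image, runner=subprocess.run):
    """Hash the image, run the session, re-hash.

    Returns (unchanged, hash_before, hash_after). A mismatch means something
    wrote to the evidence file and the session cannot be relied on in court.
    """
    before = sha256_file(image)
    for cmd in session_commands(image):
        runner(cmd, check=True)
    after = sha256_file(image)
    return before == after, before, after


if __name__ == "__main__":
    ok, before, after = run_session(sys.argv[1])
    print("before:", before)
    print("after: ", after)
    print("image unchanged" if ok else "WARNING: image was modified")
```

Run it as `python boot_image.py case.E01`; the final hash comparison is the check to record in the case notes, and it is exactly what would fail if the VM had been started without `-snapshot` or if the image had been mounted read-write.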
When performing a forensic investigation on an image of a target system drive, it is often necessary to recreate and examine the live environment of the system to acquire all relevant data during the investigation. By running the image as a live system, the investigator can perform a live forensic analysis of the image, allowing for the potential discovery of additional forensic artifacts that may not have been uncovered by traditional static analysis. Finally, because the system runs in a protected virtual environment created from the forensic image file, there is no risk of compromising the target system, provided the image itself is never written to; hashing the image before and after the session confirms this. Advantages of using OSForensics for this method of analysis include:
To access this feature from the Start screen, simply click the Boot Virtual Machine icon or module button as shown above. Users need only point OSF to the forensic image file of the target O/S drive, review a few other options and features and click the ‘Boot VM’ button.

Steps
After clicking ‘Boot VM’, the real-time log will begin recording all of the processes taking place behind the scenes. Once completed, your VM software will launch and the selected user account will boot…

Analyzing the Live System
Once the boot process is complete, you may begin analyzing and searching through the live system. In addition to being able to review the Desktop layout, the Recycle Bin, and proprietary files in their native application, this also provides a great visual aid for screenshotting evidence to present to a client or in court when necessary. Screenshots allow you to capture evidence files and artifacts just as they may have appeared through the eyes of the user. Some examples include…
For a tutorial on how to create a Virtual Machine from a Forensic Disk Image, please see the video below.
How is forensic analysis conducted in these virtual machines?
The hard disk is imaged using any of the many tools available for imaging a disk, such as dd, FTK Imager or EnCase. That image is then used by a forensic investigator to analyse the events the machine may have experienced.

What are the five steps of digital forensics?
Digital forensics is the process of uncovering and interpreting electronic data. The five steps are:
1. Identification: find the evidence and note where it is stored.
2. Preservation
3. Analysis
4. Documentation
5. Presentation

How can virtual machines be used for analysis in a digital forensics case?
Virtualization is also key to forensic investigations because it allows authorities to view the digital environment in exactly the same way the suspect did. This may not be appropriate for every situation: an intruder who has compromised a virtualised system may be able to compromise the host machine as well, so the analysis VM should be run with no network access and no shared folders with the examiner's machine.

Which of the following are steps in the digital forensic process?
The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.