Comments on: Breaking Forensic Images Booted as a Virtual Machine http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine Rendering computer investigations irrelevant Wed, 01 Sep 2010 22:00:29 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: KenTheFurry http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-218 KenTheFurry Wed, 14 Apr 2010 12:24:25 +0000 http://www.anti-forensics.com/?p=228#comment-218 Wouldn't this also mess up the chain of evidence? If they decided to remove the program so they could look around and they got evidence from their "edited" copy, couldn't a good lawyer say they added what ever they found themself's because of the modified hash? But it probably wouldn't be that hard for them to explain them selfs; all it takes is one juror. Wouldn’t this also mess up the chain of evidence?
If they decided to remove the program so they could look around and they got evidence from their “edited” copy, couldn’t a good lawyer say they added what ever they found themself’s because of the modified hash?

But it probably wouldn’t be that hard for them to explain them selfs; all it takes is one juror.

]]> By: Yar http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-41 Yar Fri, 20 Mar 2009 03:12:07 +0000 http://www.anti-forensics.com/?p=228#comment-41 Sure Bob. LinEn is the free Linux acquisition tool from Guidance. The HELIX3 distribution does contain it but I believe HELIX3 has just gone to a paid monthly subscription. You can download LinEn itself from here: http://www.guidancesoftware.com/support/LinEn_LicenseAgreement.aspx Then you can run it from a terminal in a Linux environment. Sure Bob. LinEn is the free Linux acquisition tool from Guidance. The HELIX3 distribution does contain it but I believe HELIX3 has just gone to a paid monthly subscription.

You can download LinEn itself from here: http://www.guidancesoftware.com/support/LinEn_LicenseAgreement.aspx

Then you can run it from a terminal in a Linux environment.

]]> By: Bob Bolin http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-38 Bob Bolin Fri, 20 Mar 2009 00:45:37 +0000 http://www.anti-forensics.com/?p=228#comment-38 Can anyone suggest where I can download a copy of the Encase LinEn iso for free? Just for research, I'm not a forensics man after tools on the cheap! :D Can anyone suggest where I can download a copy of the Encase LinEn iso for free? Just for research, I’m not a forensics man after tools on the cheap! :D

]]> By: John Doe http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-29 John Doe Tue, 17 Mar 2009 20:28:48 +0000 http://www.anti-forensics.com/?p=228#comment-29 Nice article! Thanks for the source, will play around with it a bit :) Currently looking into anti-vm techniques. Here an interesting document: http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf Nice article! Thanks for the source, will play around with it a bit :)

Currently looking into anti-vm techniques. Here an interesting document:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

]]> By: Yar http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-15 Yar Tue, 10 Mar 2009 23:45:21 +0000 http://www.anti-forensics.com/?p=228#comment-15 Hey PC646, thanks for the encouragement :] If you are using the free FTK imager to image your drives then they'll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare. You can use the free VMWare server or Workstation. I have used the free server version but prefer workstation with live view as it seems to be less buggy. LiveView is free and can be downloaded here: http://liveview.sourceforge.net/ It supports: Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98 Linux (limited support) There are other products, one being Mount Image Pro which works great and supports EnCase format disk images as well (.E0*) that you would get using Linen or Encase to do your acquisition. LiveView is very easy to use once you mess around with it a bit. It's basically just: 1. Add all images to path 2. Create directory for VMWare and LiveView temp files 3. Set RAM to desired level 4. Start it I've used both LiveView and MountImagePro a lot and I have to say I love both. Hey PC646, thanks for the encouragement :]

If you are using the free FTK imager to image your drives then they’ll be in DD or raw format. This is what LiveView requires in conjunction with an installation of VMWare.

You can use the free VMWare server or Workstation. I have used the free server version but prefer workstation with live view as it seems to be less buggy.

LiveView is free and can be downloaded here: http://liveview.sourceforge.net/

It supports:
Windows 2008, Vista, 2003, XP, 2000, NT, Me, 98
Linux (limited support)

There are other products, one being Mount Image Pro which works great and supports EnCase format disk images as well (.E0*) that you would get using Linen or Encase to do your acquisition.

LiveView is very easy to use once you mess around with it a bit. It’s basically just:
1. Add all images to path
2. Create directory for VMWare and LiveView temp files
3. Set RAM to desired level
4. Start it

I’ve used both LiveView and MountImagePro a lot and I have to say I love both.

]]> By: PC646 http://www.anti-forensics.com/breaking-forensic-images-booted-as-a-virtual-machine/comment-page-1#comment-14 PC646 Tue, 10 Mar 2009 22:21:04 +0000 http://www.anti-forensics.com/?p=228#comment-14 I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work. I use FTK imager for my own copies, but how do I convert an image file into a functioning os on vmware? Can you point me in the right direction. Love your site, keep up the good work.

]]>