Forensic examiners usually acquire images from suspect’s PC or Laptop. What if the target computer is not a physical PC/Laptop/Server? Let’s say the target computer is one of the VMs on a server, what will you to acquire this VM?

Forensic guy 008 says that he will power off this VM and use EnCase or FTK to directly analyze those vmdk files. Yes EnCase/FTK could add vmdk file as evidence, but only few things found after processing. 008 couldn’t help wondering that EnCase/FTK could “see” everything inside those vmdk files or not?

Forensic guy 007 decides to use forensic sound bootable LiveCD to acquire this VM。First he changes the boot order in BIOS setting of that VM to make sure“CD-ROM Drive”the first priority.

When powering on 007 could see the menu of Sumuri Paladin LiveCD, all he has to do is enter “Forensics Mode”.

007 uses Paladin toolbox to acquire this VM and the image type is EWF(E01). He also inputs some image details such as case number、evidence number、examiner name, etc.

By the way do not forget to verify hash values after acquiring.

Paladin starts to acquire images from this VM. Once done you could use forensics tools to analyze these evidence files. I bet 007 extract more evidence than 008 did.

Use LiveCD to acquire images from a VM的更多相关文章

  1. VirtualBox上使用kubeadm安装Kubernetes集群

    之前一直使用minikube练习,为了更贴近生产环境,使用VirtualBox搭建Kubernetes集群. 为了不是文章凌乱,把在搭建过程中遇到的问题及解决方法记在了另一篇文章:安装Kubernet ...

  2. PowerShell Script to Deploy Multiple VM on Azure in Parallel #azure #powershell

    Since I need to deploy, start, stop and remove many virtual machines created from a common image I c ...

  3. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  4. Extended VM Disk In VirtualBox or VMware (虚拟机磁盘扩容)

    First, Clean VM all snapshot, and poweroff your VM. vmdk: vmware-vdiskmanager -x 16GB myDisk.vmdk vd ...

  5. Hyper-V2:向VM增加虚拟硬盘

    使用Hyper-V创建VM,在VM成功安装OS之后,发现VM只有一个逻辑盘C,用于存储VM的操作系统.在产品环境中,需要向VM增加虚拟硬盘,便于将数据单独存储在不同的逻辑盘符中.在Hyper-V中,分 ...

  6. PMON failed to acquire latch, see PMON dump

    前几天,一台Oracle数据库(Oracle Database 10g Release 10.2.0.4.0 - 64bit Production)监控出现"PMON failed to a ...

  7. x01.os.23: 制作 linux LiveCD

    1.首先运行如下命令  sudo apt-get install wget bc build-essential gawk genisoimage 2.下载如下资源,make all 即可 http: ...

  8. myeclipse 无法启动 java.lang.IllegalStateException: Unable to acquire application service. Ensure that the org.eclipse.core.runtime bundle is resolved and started (see config.ini).

    把myeclipse10 按照目录完整拷贝到了另外一台电脑, 另外的目录 原安装目录 D\:\soft\i\myeclipse10 新安装目录 E\:\soft\myeclipse10 双击启动失败, ...

  9. ORA-00054: resource busy and acquire with NOWAIT specified

    删除表时遇到 ORA-00054:资源正忙,要求指定NOWAIT 错误.以前在灾备中心遇到过. 资源被锁定了,没有办法删除. 报错日志:ORA-00054: resource busy and acq ...

随机推荐

  1. 解决360随身wifi每天首连频繁断线

    经本人试过几个星期是可以的,需要的话加微新备注:solq123987654

  2. Generation Axe 吉他之夜音乐会-广州站 感受

    本人第一次看音乐会,演唱会跟音乐会是有区别的哈,演唱会以表演.舞蹈.歌唱为主,还有很多特别嘉宾 演出时间: 从20点开始一直到23点多才结束,有五个吉他手,开场跟结束五个吉他手一齐演出.平均每个人表演 ...

  3. Java Web高级编程(二)

    使用会话维持状态 一.会话 为了实现关联同一个用户端的多个请求和这些请求之间数据的共享,需要用到会话,会话用于维持请求和请求之间的状态.从服务器的角度,当用户的Web浏览器打开第一个链接到服务器的套接 ...

  4. Linux : screen 工具详解

    转自:http://www.cnblogs.com/mchina/archive/2013/01/30/2880680.html [ Screen 官方站点 ] 背景 系统管理员经常需要SSH 或者t ...

  5. JS 监听微信、支付宝等移动app及浏览器的返回、后退、上一页按钮的事件方法

    在实际的应用中,我们常常需要实现在移动app和浏览器中点击返回.后退.上一页等按钮实现自己的关闭页面.调整到指定页面或执行一些其它操作的需求: 那在代码中怎样监听当点击微信.支付宝.百度糯米.百度钱包 ...

  6. 第一章 Linux系统概述

    linux是真正的多用户.多任务操作系统,他继承了UNIX系统的主要特征,具有强大的信息处理功能,特别在Internet和Intranet的应用中占有明显优势. 1.1计算机基础知识 计算机分为硬件和 ...

  7. JS 时间转换为时间戳

    Date.prototype.format = function(fmt) { var o = { "M+" : this.getMonth()+1, //月份 "d+& ...

  8. Java学习笔记3(数组)

    1.数组的定义: 第一种: public class ArrayDemo{ public static void main(String[] args){ //定义数组 int [] arr = ne ...

  9. 6年后的第一篇博客:进入java的精彩世界

    10的.NET从业经验,也算资深人士了. 2018开始,正式进入JAVA的世界. 为什么说正式?因为已经附带有几年ANDROID经验了,确切的说,是正式进入JAVA服务器端. 没有任何人要求,纯粹是个 ...

  10. 【Splay】bzoj1500(听说此题多码上几遍就能不惧任何平衡树题)

    1500: [NOI2005]维修数列 Time Limit: 10 Sec  Memory Limit: 64 MBSubmit: 15112  Solved: 4996[Submit][Statu ...