Forensic examiners usually acquire images from suspect’s PC or Laptop. What if the target computer is not a physical PC/Laptop/Server? Let’s say the target computer is one of the VMs on a server, what will you to acquire this VM?

Forensic guy 008 says that he will power off this VM and use EnCase or FTK to directly analyze those vmdk files. Yes EnCase/FTK could add vmdk file as evidence, but only few things found after processing. 008 couldn’t help wondering that EnCase/FTK could “see” everything inside those vmdk files or not?

Forensic guy 007 decides to use forensic sound bootable LiveCD to acquire this VM。First he changes the boot order in BIOS setting of that VM to make sure“CD-ROM Drive”the first priority.

When powering on 007 could see the menu of Sumuri Paladin LiveCD, all he has to do is enter “Forensics Mode”.

007 uses Paladin toolbox to acquire this VM and the image type is EWF(E01). He also inputs some image details such as case number、evidence number、examiner name, etc.

By the way do not forget to verify hash values after acquiring.

Paladin starts to acquire images from this VM. Once done you could use forensics tools to analyze these evidence files. I bet 007 extract more evidence than 008 did.

Use LiveCD to acquire images from a VM的更多相关文章

  1. VirtualBox上使用kubeadm安装Kubernetes集群

    之前一直使用minikube练习,为了更贴近生产环境,使用VirtualBox搭建Kubernetes集群. 为了不是文章凌乱,把在搭建过程中遇到的问题及解决方法记在了另一篇文章:安装Kubernet ...

  2. PowerShell Script to Deploy Multiple VM on Azure in Parallel #azure #powershell

    Since I need to deploy, start, stop and remove many virtual machines created from a common image I c ...

  3. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  4. Extended VM Disk In VirtualBox or VMware (虚拟机磁盘扩容)

    First, Clean VM all snapshot, and poweroff your VM. vmdk: vmware-vdiskmanager -x 16GB myDisk.vmdk vd ...

  5. Hyper-V2:向VM增加虚拟硬盘

    使用Hyper-V创建VM,在VM成功安装OS之后,发现VM只有一个逻辑盘C,用于存储VM的操作系统.在产品环境中,需要向VM增加虚拟硬盘,便于将数据单独存储在不同的逻辑盘符中.在Hyper-V中,分 ...

  6. PMON failed to acquire latch, see PMON dump

    前几天,一台Oracle数据库(Oracle Database 10g Release 10.2.0.4.0 - 64bit Production)监控出现"PMON failed to a ...

  7. x01.os.23: 制作 linux LiveCD

    1.首先运行如下命令  sudo apt-get install wget bc build-essential gawk genisoimage 2.下载如下资源,make all 即可 http: ...

  8. myeclipse 无法启动 java.lang.IllegalStateException: Unable to acquire application service. Ensure that the org.eclipse.core.runtime bundle is resolved and started (see config.ini).

    把myeclipse10 按照目录完整拷贝到了另外一台电脑, 另外的目录 原安装目录 D\:\soft\i\myeclipse10 新安装目录 E\:\soft\myeclipse10 双击启动失败, ...

  9. ORA-00054: resource busy and acquire with NOWAIT specified

    删除表时遇到 ORA-00054:资源正忙,要求指定NOWAIT 错误.以前在灾备中心遇到过. 资源被锁定了,没有办法删除. 报错日志:ORA-00054: resource busy and acq ...

随机推荐

  1. ELK开机启动 service文件内容

    为了实现ELK的3部分开机启动,可以添加各项服务对应的service文件,再通过systemctl enable XXX实现ELK所有服务开机启动. Elasticsearch elasticsear ...

  2. Sublime Text 3 配置分析与我的配置---小结

    Sublime Text 3 配置解释(默认){// 设置主题文件"color_scheme": "Packages/Color Scheme – Default/Mon ...

  3. Python学习_02_数字和运算

    python具有强大的科学运算功能,python由于支持更加强大的面向对象和动态特性,相比R语言.matlab.mathmatic等传统的科学计算工具具有非常大的优势. Python的数字 pytho ...

  4. 每天学一点Docker(6)——镜像和DockerFile

    镜像的分层结构: 实际上,Docker Hub 中 99% 的镜像都是通过在 base 镜像中安装和配置需要的软件构建出来的.比如我们现在构建一个新的镜像,Dockerfile 如下: ① 新镜像不再 ...

  5. 【链表】BZOJ1588: [HNOI2002]营业额统计

    1588: [HNOI2002]营业额统计 Time Limit: 5 Sec  Memory Limit: 162 MBSubmit: 17555  Solved: 7179[Submit][Sta ...

  6. linux下安装ffmpeg

    1. 首先安装系统编译环境  yum install -y automake autoconf libtool gcc gcc-c++  #CentOS 2. 编译所需源码包 #yasm:汇编器,新版 ...

  7. HTTPS协议开通,Apache服务器CSR签名申请

    登录您的服务器终端 (SSH). 在命令提示符下,键入以下命令: openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -ou ...

  8. mongodb 的基本函数语法封装

    //这个模块里面封装了所有对数据库的常用操作 var MongoClient = require('mongodb').MongoClient; var config = require(" ...

  9. Android开发之漫漫长途 XI——从I到X的小结

    该文章是一个系列文章,是本人在Android开发的漫漫长途上的一点感想和记录,我会尽量按照先易后难的顺序进行编写该系列.该系列引用了<Android开发艺术探索>以及<深入理解And ...

  10. Vivado常见问题集锦

    5. Vivado软件更新新版后更新IP 当更新到新版本的Vivado后,之前的一些工程的IP是不能直接打开使用的,这个时候我们只需要使用新版本的Vivado更新一下每个工程的IP即可,使用新版本Vi ...