When it comes to booting up evidence files acquired from target disk, you got two options. One is VFC and the other is Live View. Both of them could create snapshots out of images such as EWF(E01). So forensic examiners could conduct a live forensic as if suspect's computer/laptop is in front of them.

Some may ask if there is another option to bootup evidence files. And the answer is "yes". I will show you the combination of FTK Imager and Oracle VirtualBox. First we have to mount evidence files with Admin privileges.

Now we know these evidence files mounted as "PhysicalDrive1". So we have to create vmdk out of this physical drive. Look! It also requires Admin Privileges to run this command prompt.

If everything is fine and the result shows that we successfully create vmdk files from PhysicalDrive1.

Next we have to create a Virtual Machine by choosing the existing vmdk files we created as above.

Finally we could bootup suspect's computer/laptop and conduct a live forensics.

Another option to bootup evidence files的更多相关文章

  1. LiveView 0.8 RC1 could boot evidence files acquired from Win10 64bit

    The latest Windows 10 will be more and more popular in the very near future. Now let's take a look i ...

  2. EnCase missed some usb activities in the evidence files

    My friend is a developer and her colleague May was suspected of stealing the source code of an impor ...

  3. RH033读书笔记(12)-Lab 13 Finding and Processing Files

    Sequence 1: Using find Scenario: Log in as user student. Devise and execute a find command that prod ...

  4. Git操作删除 untracked files

    最近使用git 管理项目的时候,编译过程中出现了很多中间文件,今天发现使用 git clean 命令可以很方便进行清除: # 删除 untracked files git clean -f # 连 u ...

  5. [已解决] 含gorm、sqlite3包的go程序构建失败 C:\Program Files\Go\pkg\tool\windows_amd64\link.exe: running gcc failed: exit status 1

    gorm官方文档教程实例,构建出现错误.C:\Program Files\Go\pkg\tool\windows_amd64\link.exe: running gcc failed: exit st ...

  6. How to bypass Win10 logon password?

    Usually we will use LiveView or VFC to "boot up" the evidence files acquired from suspect' ...

  7. Fedora 22中的RPM软件包管理工具

    Introduction The RPM Package Manager (RPM) is an open packaging system that runs on Fedora as well a ...

  8. [No000098]SVN学习笔记5-分支,合并,属性,补丁,锁,分支图

    行结束符和空白选项 在项目的生命周期中,有时可能会将行结束符由 CRLF 改为 LF,或者修改一段代码的缩进.不幸的是这样将会使大量的代码行被标记为已修改,尽管代码本身并没有被修改.这里列出的选项将会 ...

  9. centos 7.0 编译安装php 7.0.3

    php下载页面 http://cn2.php.net/downloads.php 7.0.3多地区下载页面 http://cn2.php.net/get/php-7.0.3.tar.gz/from/a ...

随机推荐

  1. 设计模式-外观模式(Facade)

    外观模式又称为门面模式,为一组类似功能的集群,比如类库.子系统等,提供一致的入口供client调用 角色和职责: 1.门面(Facade)-Computer: 外观模式的核心.它被客户角色调用,它熟悉 ...

  2. kafka源码分析(二)Metadata的数据结构与读取、更新策略

    一.基本思路 异步发送的基本思路就是:send的时候,KafkaProducer把消息放到本地的消息队列RecordAccumulator,然后一个后台线程Sender不断循环,把消息发给Kafka集 ...

  3. c# bool类型和int类型的互转

    项目过程中,会有model的一些属性字段为‘是’或‘否’ 数据库字段一半定义为int,值则是0或1 数据库model转实体类的时候,bool和int可以直接相互转换 false强转int 值就是0 t ...

  4. 利用iisnode模块,让你的Node.js应用跑在Windows系统IIS中

    最近比较喜欢用Node.js做一些简单的应用,一直想要部署到生产环境中,但是手上只有一台windows server 2008服务器,并且已经开启了IIS服务,运行了很多.Net开发的网站,80端口已 ...

  5. ZIP:Checksum

    Checksum: long getValue() :返回当前的校验和值. void reset() :将校验和重置为其初始值. void update(byte[] b, int off, int ...

  6. 宽字符转窄字符CW2AEX<>(szAreaInfo,CP_UTF8)

    CString szAreaInfo; CW2AEX<>(szAreaInfo,CP_UTF8); 最好能像上面这样转换,否则汉字就会转成乱码.

  7. 洛谷P4995 跳跳!题解

    求关注,求赞,求评论QAQ 题目:https://www.luogu.org/problemnew/show/P4995 简单描述一下吧,就是说有n块石头,起始可以跳到任何一块上面,接着也是,只不过每 ...

  8. RabbitMQ 从入门到精通(二)

    目录 1. 消息如何保障百分之百的投递成功? 1.1 方案一:消息落库,对消息状态进行打标 1.2 方案二:消息的延迟投递,做二次确认,回调检查 2. 幂等性 2.1 幂等性是什么? 2.2 消息端幂 ...

  9. 个人永久性免费-Excel催化剂功能第56波-获取Excel对象属性相关自定义函数

    之前零散开发过一些自定义函数获取Excel对象属性,此次再细细地把有价值的属性都一一给开发完成,某些场景下,有这些小函数还是可以比较方便地实现一些通过Excel界面没法轻松获取到的信息. 修复与更新 ...

  10. Tiny Counting

    也许更好的阅读体验 样例一 输入 4 1 4 3 2 输出 3 样例二 输入 5 9 1 0 0 5 输出 8 题解 这是本人自己想了2个半小时才想出来的方法,稍稍有点复杂但是很好理解 题目的意思就是 ...