Forensic examiners usually acquire images from suspect’s PC or Laptop. What if the target computer is not a physical PC/Laptop/Server? Let’s say the target computer is one of the VMs on a server, what will you to acquire this VM?

Forensic guy 008 says that he will power off this VM and use EnCase or FTK to directly analyze those vmdk files. Yes EnCase/FTK could add vmdk file as evidence, but only few things found after processing. 008 couldn’t help wondering that EnCase/FTK could “see” everything inside those vmdk files or not?

Forensic guy 007 decides to use forensic sound bootable LiveCD to acquire this VM。First he changes the boot order in BIOS setting of that VM to make sure“CD-ROM Drive”the first priority.

When powering on 007 could see the menu of Sumuri Paladin LiveCD, all he has to do is enter “Forensics Mode”.

007 uses Paladin toolbox to acquire this VM and the image type is EWF(E01). He also inputs some image details such as case number、evidence number、examiner name, etc.

By the way do not forget to verify hash values after acquiring.

Paladin starts to acquire images from this VM. Once done you could use forensics tools to analyze these evidence files. I bet 007 extract more evidence than 008 did.

Use LiveCD to acquire images from a VM的更多相关文章

  1. VirtualBox上使用kubeadm安装Kubernetes集群

    之前一直使用minikube练习,为了更贴近生产环境,使用VirtualBox搭建Kubernetes集群. 为了不是文章凌乱,把在搭建过程中遇到的问题及解决方法记在了另一篇文章:安装Kubernet ...

  2. PowerShell Script to Deploy Multiple VM on Azure in Parallel #azure #powershell

    Since I need to deploy, start, stop and remove many virtual machines created from a common image I c ...

  3. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  4. Extended VM Disk In VirtualBox or VMware (虚拟机磁盘扩容)

    First, Clean VM all snapshot, and poweroff your VM. vmdk: vmware-vdiskmanager -x 16GB myDisk.vmdk vd ...

  5. Hyper-V2:向VM增加虚拟硬盘

    使用Hyper-V创建VM,在VM成功安装OS之后,发现VM只有一个逻辑盘C,用于存储VM的操作系统.在产品环境中,需要向VM增加虚拟硬盘,便于将数据单独存储在不同的逻辑盘符中.在Hyper-V中,分 ...

  6. PMON failed to acquire latch, see PMON dump

    前几天,一台Oracle数据库(Oracle Database 10g Release 10.2.0.4.0 - 64bit Production)监控出现"PMON failed to a ...

  7. x01.os.23: 制作 linux LiveCD

    1.首先运行如下命令  sudo apt-get install wget bc build-essential gawk genisoimage 2.下载如下资源,make all 即可 http: ...

  8. myeclipse 无法启动 java.lang.IllegalStateException: Unable to acquire application service. Ensure that the org.eclipse.core.runtime bundle is resolved and started (see config.ini).

    把myeclipse10 按照目录完整拷贝到了另外一台电脑, 另外的目录 原安装目录 D\:\soft\i\myeclipse10 新安装目录 E\:\soft\myeclipse10 双击启动失败, ...

  9. ORA-00054: resource busy and acquire with NOWAIT specified

    删除表时遇到 ORA-00054:资源正忙,要求指定NOWAIT 错误.以前在灾备中心遇到过. 资源被锁定了,没有办法删除. 报错日志:ORA-00054: resource busy and acq ...

随机推荐

  1. mysql超时机制

    mysql每次建立一个socket连接(connect)时,这个socket都会占用一定内存.即使你关闭(close)连接时,并不是真正的关闭,而是处于睡眠(sleep)状态. 当你下次再进行连接时, ...

  2. Linux(CentOS6.5)下编译安装Nginx官方最新稳定版(nginx-1.10.0)

    注:此文已经更新为新版:http://comexchan.cnblogs.com/p/5815753.html ,请直接查看新版,谢谢! 本文地址http://comexchan.cnblogs.co ...

  3. jquery提供的插件无法删除cookie的解决办法

    之前使用jquery的cookie插件提供的 $.cookie("key",null)方法删除cookie,结果发现代码中的cookie一直无法删除,导致后面的种种问题. 经过各种 ...

  4. WebSocket协议:5分钟从入门到精通

    一.内容概览 WebSocket的出现,使得浏览器具备了实时双向通信的能力.本文由浅入深,介绍了WebSocket如何建立连接.交换数据的细节,以及数据帧的格式.此外,还简要介绍了针对WebSocke ...

  5. jamup与gb2i组合

    软件一定要开嗓单效果器,最好不要关闭中断软件/声音,每次有重新检测电流必须会有嗓音,最好用ipad ,不然会烦死人.默认delay太长,在DLY面板修改 gb2i 效果还行,他的价值重在使用,让新人使 ...

  6. Python列表操作

    自带帮助文档: >>> help(list) Help on class list in module builtins: class list(object) | list() - ...

  7. windows c++ 错误汇总

    1.fatal error C1900 错误:fatal error C1900: “P1”(第“20081201”版)和“P2”(第“20080116”版)之间 Il 不匹配 检查之后发现jepgl ...

  8. Python Tkinter模块 Grid(grid)布局管理器参数详解

    在使用Tkinter模块编写图像界面时,经常用到pack()和grid()进行布局管理,pack()参数较少,使用方便,是最简单的布局,但是当控件数量较多时,可能需要使用grid()进行布局(不要在同 ...

  9. Head First设计模式之工厂模式

    一.定义 定义了一个创建对象的接口, 但由子类决定要实例化的类是哪一个. 工厂方法让类把实例化推迟到子类 二.结构 1.抽象工厂角色:这是工厂方法模式的核心,它与应用程序无关.是具体工厂角色必须实现的 ...

  10. 基于IndexedDB实现简单文件系统

    现在的indexedDB已经有几个成熟的库了,比如西面这几个,任何一个都是非常出色的. 用别人的东西好处是上手快,看文档就好,要是文档不太好,那就有点尴尬了. dexie.js :A Minimali ...