Forensic examiners usually acquire images from suspect’s PC or Laptop. What if the target computer is not a physical PC/Laptop/Server? Let’s say the target computer is one of the VMs on a server, what will you to acquire this VM?

Forensic guy 008 says that he will power off this VM and use EnCase or FTK to directly analyze those vmdk files. Yes EnCase/FTK could add vmdk file as evidence, but only few things found after processing. 008 couldn’t help wondering that EnCase/FTK could “see” everything inside those vmdk files or not?

Forensic guy 007 decides to use forensic sound bootable LiveCD to acquire this VM。First he changes the boot order in BIOS setting of that VM to make sure“CD-ROM Drive”the first priority.

When powering on 007 could see the menu of Sumuri Paladin LiveCD, all he has to do is enter “Forensics Mode”.

007 uses Paladin toolbox to acquire this VM and the image type is EWF(E01). He also inputs some image details such as case number、evidence number、examiner name, etc.

By the way do not forget to verify hash values after acquiring.

Paladin starts to acquire images from this VM. Once done you could use forensics tools to analyze these evidence files. I bet 007 extract more evidence than 008 did.

Use LiveCD to acquire images from a VM的更多相关文章

  1. VirtualBox上使用kubeadm安装Kubernetes集群

    之前一直使用minikube练习,为了更贴近生产环境,使用VirtualBox搭建Kubernetes集群. 为了不是文章凌乱,把在搭建过程中遇到的问题及解决方法记在了另一篇文章:安装Kubernet ...

  2. PowerShell Script to Deploy Multiple VM on Azure in Parallel #azure #powershell

    Since I need to deploy, start, stop and remove many virtual machines created from a common image I c ...

  3. Linux VM acquisition

    The evidence is a VM as below. The flat vmdk is the real disk, and the vmdk only 1kb is just a descr ...

  4. Extended VM Disk In VirtualBox or VMware (虚拟机磁盘扩容)

    First, Clean VM all snapshot, and poweroff your VM. vmdk: vmware-vdiskmanager -x 16GB myDisk.vmdk vd ...

  5. Hyper-V2:向VM增加虚拟硬盘

    使用Hyper-V创建VM,在VM成功安装OS之后,发现VM只有一个逻辑盘C,用于存储VM的操作系统.在产品环境中,需要向VM增加虚拟硬盘,便于将数据单独存储在不同的逻辑盘符中.在Hyper-V中,分 ...

  6. PMON failed to acquire latch, see PMON dump

    前几天,一台Oracle数据库(Oracle Database 10g Release 10.2.0.4.0 - 64bit Production)监控出现"PMON failed to a ...

  7. x01.os.23: 制作 linux LiveCD

    1.首先运行如下命令  sudo apt-get install wget bc build-essential gawk genisoimage 2.下载如下资源,make all 即可 http: ...

  8. myeclipse 无法启动 java.lang.IllegalStateException: Unable to acquire application service. Ensure that the org.eclipse.core.runtime bundle is resolved and started (see config.ini).

    把myeclipse10 按照目录完整拷贝到了另外一台电脑, 另外的目录 原安装目录 D\:\soft\i\myeclipse10 新安装目录 E\:\soft\myeclipse10 双击启动失败, ...

  9. ORA-00054: resource busy and acquire with NOWAIT specified

    删除表时遇到 ORA-00054:资源正忙,要求指定NOWAIT 错误.以前在灾备中心遇到过. 资源被锁定了,没有办法删除. 报错日志:ORA-00054: resource busy and acq ...

随机推荐

  1. 30分钟入门Java

    技术只是工具,文档只是说明书,仅此而已. 写在前面 工作4年有余,盲人摸象般的走过弯路,也投机取巧的领悟到过一些类似"编程本质"的东西.现在开始我计划回顾下我的编程生涯.在这里分享 ...

  2. Linux(CentOS6.5)下Nginx注册系统服务(启动、停止、重启、重载等)&设置开机自启

    本文地址http://comexchan.cnblogs.com/ ,作者Comex Chan,尊重知识产权,转载请注明出处,谢谢! 完成了Nginx的编译安装后,仅仅是能支持Nginx最基本的功能, ...

  3. 随便说说 post-processing

    九月份一篇博都没更新,这段时间一直在unity的坑里爬不起来,感觉真的很绝望啊,仿佛对生活都失去了信心. 渲染问题并没有解决,目前方案只是减轻视觉冲突,降低违和感.项目AR产品也做的越来越艰难,开始经 ...

  4. [编织消息框架][传输协议]sctp

    OSI(Open System Interconnect),即开放式系统互联. 一般都叫OSI参考模型,是ISO(国际标准化组织)组织在1985年研究的网络互联模型. 该体系结构标准定义了网络互连的七 ...

  5. C++ qsort

    使用qsort 需要包含头文件#include<algorithm> 例子: class Wooden{ public: int weight; int length; bool flag ...

  6. arm-linux-objdump反汇编使用指南

    一.   arm-linux-objdump常用来显示二进制文件信息,常用来查看反汇编代码 二.   常用选项: 1.-b bfdname 指定目标码格式 2.-disassemble或者-d 反汇编 ...

  7. thinkinginjava学习笔记08_接口

    抽象类和抽象方法 抽象方法是指没有具体实现的方法,仅仅有方法的声明和没有方法体:使用abstract关键字定义一个抽象方法:包含抽象方法的类成为抽象类,如果一个类中包含抽象方法则必须使用abstrac ...

  8. thinkinginjava学习笔记02_对象

    对象 1. 对象通过一个引用来操作,但是java中的对象是按值传递的,基本上可以在操作中认为对象本身,在内部结构中仍然要记得是对象实体的引用:如:String s = "abcd" ...

  9. Selectize使用总结

    一.简介 Selectize是一个可扩展的基于jQuery 的自定义下拉框的UI控件.它对展示标签.联系人列表.国家选择器等比较有用.它的大小在~ 7kb(gzip压缩)左右.提供一个可靠且体验良好的 ...

  10. MySQL 配置文件my.cnf

    转载: MySQL配置文件my.cnf 详解:#BEGIN CONFIG INFO#DESCR: 4GB RAM, 只使用InnoDB, ACID, 少量的连接, 队列负载大#TYPE: SYSTEM ...