Welcome to my blog and first post! My aim is to provide tutorials that describe some of the things about which my colleagues have questions. I’m neither a seasoned blogger nor videographer, so please bear with me as I progress. I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish. Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly. As you’ll see, I have a plan for a few topics and will consider suggestions thereafter. I do, however, have a full-time job that already extends beyond a “reasonable” workday, so pardon my delays in posting. The videos herein should be viewed in high-def, and you’re welcome to download them.
This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes. First, we’ll create a virtual machine from a single dd image file. In the next presentation, we’ll examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html. We can create a target-system VM from a segmented image, but it takes more work to create our configuration file. We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk. First, I always take care to see that my image file is read-only. Our image file is MyImage.001. There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment. I’m using VMware 8.x, but the steps are the same in 7.x.
I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes. The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I’ll present.
Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name. Below is a screen shot of the contents of a Vista/Win7 vmdk file. The yellow-highlighted fields are the ones that you will edit. The first is the number of sectors on the physical disk. Next is the name of your image file. Then skip the next field (cylinders) for a moment and be sure that your heads=255 and sectors=63. Then enter the number of cylinders by dividing the number of sectors by 255 and then by 63 (sectors/255/63). It’s 19458 in our example; always round up to the next whole number and do not use commas. I usually place this file in the same folder as my image, where we’ll name this file MyImage.vmdk.
Here’s an editable copy of our vmdk file: MyImage.txt. Save the file as a text file and then change the extension to vmdk for actual use. It’s configured for VMware 8.x. If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
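As a complement to reading the sector count from XWF’s Technical Details Report, here is an added Python script (my own example, not part of the original post or the downloadable MyImage.txt) that derives the sector count from the size of a single-segment dd image, computes the cylinder count with the round-up rule above, and writes the descriptor next to the image. It refuses to proceed if the image is writable. Assumptions: the descriptor layout follows VMware’s documented flat-extent (monolithicFlat) format, the hardware version string "8" is what VMware Workstation 8.x expects, and the sample sector count in the comments (312,581,808, a typical 160 GB disk) is constructed for illustration rather than taken from the post.

```python
"""Build a VMware monolithicFlat descriptor (.vmdk) for a single-segment dd image.

Added example. Assumed: the descriptor layout below is VMware's documented
flat-extent format and virtualHWVersion "8" matches VMware Workstation 8.x.
"""
import os
import sys

SECTOR_SIZE = 512          # raw dd images are a whole number of 512-byte sectors
HEADS = 255                # fixed geometry the post prescribes
SECTORS_PER_TRACK = 63


def sector_count_from_size(size_bytes: int) -> int:
    """Number of 512-byte sectors in a raw image of the given size.

    A dd image of a whole disk is always a multiple of 512 bytes; anything else
    means the image is truncated or not a raw image, so refuse it rather than
    silently building a VM on a bad disk.
    """
    if size_bytes <= 0 or size_bytes % SECTOR_SIZE:
        raise ValueError(f"image size {size_bytes} is not a positive multiple of {SECTOR_SIZE}")
    return size_bytes // SECTOR_SIZE


def cylinders_for(total_sectors: int) -> int:
    """cylinders = sectors / 255 heads / 63 sectors per track, rounded UP.

    Constructed check: 312581808 sectors / 16065 = 19457.38, so 19458.
    """
    if total_sectors <= 0:
        raise ValueError("sector count must be positive")
    per_cylinder = HEADS * SECTORS_PER_TRACK      # 16065 sectors per cylinder
    return -(-total_sectors // per_cylinder)      # integer ceiling division, no floats


def build_descriptor(image_name: str, total_sectors: int, hw_version: str = "8") -> str:
    """Return the text of the .vmdk descriptor describing a flat extent on image_name."""
    cyl = cylinders_for(total_sectors)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {total_sectors} FLAT "{image_name}" 0',   # sector count + image file name
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.virtualHWVersion = "{hw_version}"',
        f'ddb.geometry.cylinders = "{cyl}"',           # rounded-up cylinder count, no commas
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.adapterType = "ide"',
    ]
    return "\n".join(lines) + "\n"


def write_descriptor(image_path: str) -> str:
    """Create <image>.vmdk beside the image; refuse if the image is still writable."""
    if os.access(image_path, os.W_OK):
        raise PermissionError(f"{image_path} is writable; mark it read-only before building a VM on it")
    total = sector_count_from_size(os.path.getsize(image_path))
    out_path = os.path.splitext(image_path)[0] + ".vmdk"
    # The extent line names the image relative to the descriptor, which is why
    # both files live in the same folder.
    with open(out_path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(build_descriptor(os.path.basename(image_path), total))
    return out_path


if __name__ == "__main__":
    # usage: python make_vmdk.py MyImage.001  -> writes MyImage.vmdk
    print(write_descriptor(sys.argv[1]))
```

Run it against MyImage.001 and it writes MyImage.vmdk in the same folder. The ceiling division is done in integers so a disk whose sector count is an exact multiple of 16065 is not nudged up by floating-point error, and a count one sector over a multiple still rounds up as the post requires.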