Once we have acquired an image of a drive, the next step is to analyze it. There are many ways to analyze a drive; one option is to build a virtual machine from the image (assuming it contains a bootable OS). We can then boot the VM and investigate it as a working computer. This method will not give us a complete analysis (we won't see deleted data, unallocated space or file-system slack, and booting the guest writes to the virtual disk rather than leaving the evidence untouched), but it is a good place to start, and because the conversion produces a separate file, the original raw image stays unmodified. In this module we discuss how to convert a raw image file into a VMDK file (the hard disk file format used by VMware) using the "qemu-img" tool. We also discuss the "cat" tool, which reassembles a split image into a single file. Both are Linux command-line tools. Finally, we discuss how to build a new virtual machine and attach our converted VMDK file to it.

The "NIST Hacking Case" is a great publicly available forensics challenge to work on. For it, NIST provides a dd image of a disk split into eight parts. Use what you learned in this module to combine all of the parts into one complete image file, then build and boot a VM from the resulting dd image. The "NIST Hacking Case" is available here: https://sites.google.com/a/isis.poly.edu/cyfor/modules/nist-hacking-case After completing this step I strongly encourage you to work your way through the entire "NIST Hacking Case."
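The reassemble-verify-convert procedure described above, as an added example that is not part of the original module or of the NIST challenge materials. The file names (part.001 ... part.008, evidence.dd) and the expected hash are placeholders; in practice the expected hash comes from the acquisition log. The script refuses to overwrite an existing output file, checks the SHA-256 of the rebuilt image before converting it, and only then calls qemu-img, so a corrupted or incompletely joined image is never booted as if it were the evidence.

```shell
#!/bin/sh
# Added example (not from the original module): rebuild a split dd image,
# verify its hash, and convert the verified image to VMDK for VMware.
# File names and the expected hash are hypothetical and supplied by the caller.

set -u

# join_parts OUT PART1 PART2 ...
# Concatenate the split parts, in the order given, into OUT. Refuses to
# overwrite an existing file so an evidence copy is never clobbered.
join_parts() {
    out="$1"; shift
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file: $out" >&2
        return 1
    fi
    cat "$@" > "$out"
}

# sha256_of FILE
# Print the SHA-256 of FILE (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image FILE EXPECTED_SHA256
# Succeed only if the rebuilt image hashes to the value recorded at acquisition.
verify_image() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# to_vmdk RAW_IMAGE OUT_VMDK
# Convert the raw (dd) image to a new VMDK file. qemu-img reads the raw
# image and writes a separate VMDK, so the original image is not modified.
to_vmdk() {
    if ! command -v qemu-img >/dev/null 2>&1; then
        echo "qemu-img is not installed" >&2
        return 1
    fi
    qemu-img convert -f raw -O vmdk "$1" "$2"
}

# Entry point (hypothetical usage):
#   ./rebuild.sh evidence.dd <sha256 from acquisition log> part.001 ... part.008
# Runs only when arguments are given, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    out="$1"; expected="$2"; shift 2
    join_parts "$out" "$@" \
        && verify_image "$out" "$expected" \
        && to_vmdk "$out" "${out%.dd}.vmdk"
fi
```

Order matters when joining: the parts must be passed in sequence (shell globbing such as part.0* sorts them lexically, which works for zero-padded numbering). After converting, keep the hash of the dd file on record and take a VM snapshot before powering on, since the guest OS will write to the VMDK as soon as it boots.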

Further information on this module can be found at the following links.

