Difference between pages "Windows Registry XML" and "Virtual machine"

From ForensicsWiki

= Windows Registry XML =

Microsoft's .reg format for representing Windows Registry entries has many limitations, such as the inability to represent where registry information physically resides on the disk and the difficulty of representing Unicode. As a result, a variety of approaches have been implemented. Currently DFXML uses the [[RegXML]] standard to represent Registry entries.

==See Also==

There are several open source programs that use XML to represent the Windows Registry:

* [[registryasxml]] is a Windows GUI program that exports and imports sections of the Windows Registry as XML-formatted files.
* [[RegXML]] is also a Windows command-line utility that exports sections of the Windows Registry as XML-formatted files.
* [[hivexml]] is a command-line utility that is part of Red Hat's [http://libguestfs.org/ libguestfs] and converts Registry hives to XML.
* [http://www.nsrl.nist.gov/Documents/aafs2008/dw-1-AAFS-2008-wired.pdf Tracking Computer Use with the Windows® Registry Dataset], Doug White, NIST.
* [http://www.nsrl.nist.gov/WIRED/WIRED-060511.iso The complete set of code and a WiReD XML difference set for steganographic applications].

There is one commercial program that we have found:

* [http://www.componentsource.com/products/componentspace-registry-toolkit-component/prices.html ComponentSource] has a $195 .NET tool that allows management, importing and exporting of the registry via XML.

[[Category:Digital Forensics XML]]
Revision as of 09:29, 19 June 2013

Creating a VM instance file from a forensic image

There are a number of ways to convert a forensic image to a VM instance. At present, this article provides a series of tools that can convert images to VMDK files.

Creating a VMDK file from a forensic image

Linux tools as included in SIFT

Via the SIFT workstation (free), use the following steps:

1. Open a terminal window
2. Type sudo su
3. Type mkdir /mnt/ewf1
4. Type mount_ewf.py (EnCase image file path) /mnt/ewf1
5. Type qemu-img convert /mnt/ewf1/(EnCase image file name) -O vmdk (give_a_name).vmdk
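The five SIFT steps above, wrapped into one POSIX shell script with the pre-flight checks an examiner would want before touching evidence: the input must be a readable .E01, the tools must be present, the process must be root, and the source hash is recorded before conversion. This is an added example and not code from the wiki page or from the SIFT project. It assumes mount_ewf.py and qemu-img are on PATH (as on SIFT), that mount_ewf.py is a FUSE mount that can be released with fusermount, and that the mount point, image path and output name are hypothetical arguments chosen here.

```shell
#!/bin/sh
# Added example (not from the wiki page): the five SIFT steps as one script
# with pre-flight checks. Assumes mount_ewf.py and qemu-img are on PATH as on
# SIFT; MNT, the image path and the output name are hypothetical choices.
set -eu

MNT=/mnt/ewf1

# Step 4 precondition: the input must be a readable EnCase .E01 file.
check_image() {
    img="$1"
    [ -r "$img" ] || { echo "image not readable: $img" >&2; return 1; }
    case "$img" in
        *.E01|*.e01) return 0 ;;
        *) echo "expected an EnCase .E01 file, got: $img" >&2; return 1 ;;
    esac
}

# Step 5 as a string, so the exact command can be logged before it runs.
# Appends .vmdk if the caller omitted it; -f raw pins the input format so
# qemu-img does not probe the mounted raw file to guess its format.
convert_cmd() {
    raw="$1"; out="$2"
    case "$out" in
        *.vmdk) ;;
        *) out="$out.vmdk" ;;
    esac
    printf "qemu-img convert -f raw -O vmdk '%s' '%s'" "$raw" "$out"
}

# Steps 1-5 end to end. Usage: e01_to_vmdk /path/to/evidence.E01 evidence
e01_to_vmdk() {
    img="$1"; name="$2"
    check_image "$img"
    [ "$(id -u)" -eq 0 ] || { echo "run as root (step 2: sudo su)" >&2; return 1; }
    command -v mount_ewf.py >/dev/null 2>&1 || { echo "mount_ewf.py not found" >&2; return 1; }
    command -v qemu-img >/dev/null 2>&1 || { echo "qemu-img not found" >&2; return 1; }
    mkdir -p "$MNT"                              # step 3
    mount_ewf.py "$img" "$MNT"                   # step 4
    # mount_ewf.py exposes the decompressed image as a single raw file under $MNT.
    raw=$(find "$MNT" -maxdepth 1 -type f | head -n 1)
    [ -n "$raw" ] || { echo "no raw image found under $MNT" >&2; return 1; }
    sha256sum "$raw"                             # record the source hash for the case notes
    cmd=$(convert_cmd "$raw" "$name")
    echo "$cmd"
    eval "$cmd"                                  # step 5
    fusermount -u "$MNT"                         # assumption: mount_ewf.py is a FUSE mount
}

# Run the conversion only when two arguments are supplied on the command line.
if [ $# -eq 2 ]; then
    e01_to_vmdk "$1" "$2"
fi
```

Run it as root with the .E01 path and a base name, e.g. `sh e01_to_vmdk.sh /cases/evidence.E01 evidence`; the printed qemu-img line and the sha256 of the raw source can go straight into the case notes.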

Paladin 4

Paladin 4 (free) can convert DD and E01 images to VMDK as well.

Live View

Live View (open source) is reported as not reliable, but it does work with some images.

EnCase

Use EnCase (commercial) to mount the E01 image as an emulated disk (you need to have the Physical Disk Emulator ("PDE") module installed), then use VMware to create a virtual machine from the emulated physical disk. Guidance Software has a good guide on how to do this in their support portal.

Note: EnCase v7 has not been proven to support this, only EnCase 6.

VFC - Virtual Forensic Computing

VFC (commercial) is reportedly very good, but trouble booting Windows 2003 servers has been reported. It is a little pricey ($1350 for a corporate license), but per one user it works the vast majority of the time and the developer provides excellent support.


Using the VMDK file

Once you have the VMDK file, you can create a virtual machine in VirtualBox or VMware Workstation and use the VMDK as an existing hard disk for the virtual machine. I prefer to use VMware Workstation because it has a non-persistent mode, which writes changes to a cache file rather than to the forensic image itself, preserving the integrity of the image.
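The non-persistent setting described above is a per-disk mode in the VMware .vmx file. The fragment below is an added example, not taken from the wiki page or from VMware documentation; the disk file name is a hypothetical one, and the IDE controller is used because qemu-img writes an IDE adapter type into the VMDK descriptor by default.

```ini
# Added example (not from the wiki page): attach the converted VMDK so that
# guest writes go to a redo log instead of the image. "evidence.vmdk" is a
# hypothetical file name.
ide0:0.present = "TRUE"
ide0:0.fileName = "evidence.vmdk"
ide0:0.mode = "independent-nonpersistent"
```

Set the VMDK files read-only at the file-system level as well, and verify the image hash after the VM has been shut down, so that the integrity claim rests on more than the hypervisor's configuration.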

External Links

How to Create a Virtual Machine from a Raw Hard Drive Image (http://www.myfixlog.com/fix.php?fid=35)