Difference between pages "Virtual machine" and "SANS"

From Forensics Wiki
(Created page with "The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the wor...")
 
= Creating a VM instance file from a forensic image =

There are a number of ways to convert a forensic image to a VM instance. At present, this article lists a series of tools that can convert images to VMDK files.

== Creating a VMDK file from a forensic image ==

=== Linux tools as included in SIFT ===

Via the SIFT workstation (free), use the following steps:

1. Open a terminal window.
2. Type in sudo su
3. Type mkdir /mnt/ewf1
4. Type mount_ewf.py (EnCase image file path) /mnt/ewf1
5. Type in qemu-img convert /mnt/ewf1/(EnCase image file name) -O vmdk (give_a_name).vmdk

=== Paladin 4 ===

Paladin 4 (free) can convert DD and E01 images to VMDK as well.

=== Live View ===

[http://liveview.sourceforge.net/ Live View] (open source) is reported as not reliable, but it does work with some images.

=== EnCase ===

Use EnCase (commercial) to mount the E01 image as an emulated disk (you need to have the Physical Disk Emulator ("PDE") module installed), then use VMware to create a virtual machine from the emulated physical disk. Guidance Software has a good guide on how to do this in their support portal.

Note: EnCase v7 hasn't been proven to support this, just EnCase 6.

=== VFC - Virtual Forensic Computing ===

VFC (commercial) is reportedly very good, but troubles with booting Windows 2003 servers have been reported. It's a little pricey ($1350 for a corporate license), but per one user it works the vast majority of the time and the developer provides excellent support.

= Using the VMDK file =

Once you have the VMDK file, you can create a virtual machine in VirtualBox or VMware Workstation and use the VMDK as an existing hard disk for the virtual machine. I prefer to use VMware Workstation because it has a non-persistent mode which allows you to write changes to a cache file rather than the forensic image itself, thus maintaining integrity.
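The SIFT steps above and the non-persistent disk setting, scripted as one added example (this is not code from the wiki page, from SIFT or from VMware). It runs the mount and qemu-img conversion, hashes the E01 before and after so any change to the evidence file is noticed, and then writes a minimal VMware .vmx that attaches the VMDK in independent-nonpersistent mode. Assumptions: mount_ewf.py, fusermount, qemu-img and sha256sum are on PATH (as on a SIFT workstation); mount_ewf.py exposes the raw image as a regular file under the mount point, with any accompanying .txt file skipped; the .vmx keys are standard VMware Workstation keys, but virtualHW.version should be set to match the installed Workstation release.

```shell
#!/bin/sh
# Added example for the Forensics Wiki page; not code from the page, SIFT or VMware.
# Scripts steps 3-5 (mkdir, mount_ewf.py, qemu-img convert) and then writes a
# minimal .vmx that attaches the VMDK in "independent-nonpersistent" mode, so guest
# writes go to a redo log and the converted disk stays unchanged.
# Assumptions: mount_ewf.py, fusermount, qemu-img and sha256sum are on PATH;
# mount_ewf.py exposes the raw image as a regular file under the mount point
# (a .txt metadata file, if present, is skipped); the .vmx keys are standard
# VMware Workstation keys, but virtualHW.version should match the installed release.
set -eu

# Write a minimal .vmx ($1) attaching the VMDK ($2) as a non-persistent SCSI disk.
write_vmx() {
    vmx=$1; vmdk=$2; name=${3:-forensic-image}
    cat > "$vmx" <<EOF
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "10"
displayName = "$name"
guestOS = "other"
memsize = "2048"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "$vmdk"
scsi0:0.mode = "independent-nonpersistent"
EOF
}

# Read back the disk mode recorded in a .vmx, to confirm the setting before booting.
vmx_disk_mode() {
    sed -n 's/^scsi0:0\.mode = "\(.*\)"$/\1/p' "$1"
}

# $1 = E01 file, $2 = output VMDK, $3 = mount point (default /mnt/ewf1, as in step 3).
# The E01 is hashed before and after so an accidental modification of the evidence
# file during conversion is caught rather than silently carried into the VM.
convert_e01() {
    e01=$1; out=$2; mnt=${3:-/mnt/ewf1}
    before=$(sha256sum "$e01" | cut -d' ' -f1)
    mkdir -p "$mnt"                                  # step 3
    mount_ewf.py "$e01" "$mnt"                       # step 4
    # the raw image exposed by the FUSE mount (assumption: first non-.txt file)
    raw=$(find "$mnt" -maxdepth 1 -type f ! -name '*.txt' | head -n 1)
    qemu-img convert "$raw" -O vmdk "$out"           # step 5
    fusermount -u "$mnt"
    after=$(sha256sum "$e01" | cut -d' ' -f1)
    if [ "$before" != "$after" ]; then
        echo "E01 hash changed during conversion; do not trust $out" >&2
        return 1
    fi
    write_vmx "${out%.vmdk}.vmx" "$out" "$(basename "$e01")"
    echo "wrote $out and ${out%.vmdk}.vmx (disk mode: $(vmx_disk_mode "${out%.vmdk}.vmx"))"
}

# Usage (as root, per step 2): sh e01_to_vmdk.sh evidence.E01 evidence.vmdk
if [ -n "${1:-}" ]; then
    convert_e01 "$1" "$2"
fi
```

Opening the generated .vmx in VMware Workstation gives the same effect as choosing the non-persistent disk mode in the GUI: the VM boots from the VMDK, and every write lands in a redo log beside it that is discarded when the VM is powered off, so the converted disk can be re-used for another run without reconverting.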
 
= External Links =

* [http://www.myfixlog.com/fix.php?fid=35 How to Create a Virtual Machine from a Raw Hard Drive Image]

Revision as of 18:32, 21 June 2013

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals, from auditors and network administrators to chief information security officers, are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations, from corporations to universities, working together to help the entire information security community.

SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center.

Computer Security Training & Certification

SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats - the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices. They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.

SANS training can be taken in a classroom setting from SANS-certified instructors, self-paced over the Internet, or in mentored settings in cities around the world. Each year, SANS programs educate more than 12,000 people in the US and internationally. To find the best teachers in each topic in the world, SANS runs a continuous competition for instructors. Last year more than 90 people tried out for the SANS faculty, but only five new people were selected.

SANS also offers a Work Study Program through which, in return for acting as an important extension of SANS' conference staff, facilitators may attend classes at a greatly reduced rate. Facilitators are most definitely expected to pull their weight and the educational rewards for their doing so are substantial.