Difference between pages "Virtual machine" and "Chrome Disk Cache Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(From the linux command prompt)
 
(See Also)
 
Line 1: Line 1:
= Creating a VM instance file from a forensic image =
+
{{expand}}
  
There are a number of ways to convert forensic image to a VM instance.  At present, this article provides a series of tools that can convert images to VMDK files.
+
== Cache files ==
+
The cache is stored in multiple:
== Creating a VMDK file from a forensic image ==
+
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
=== Linux tools as included in SIFT ===
+
== Cache address ==
 +
The cache address is 4 bytes in size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
Via the SIFT workstation (free), use the following steps:
+
=== File types ===
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
1.open a terminal window
+
==== Examples ====
2.sudo su
+
{| class="wikitable"
3.mkdir /mnt/ewf1
+
|-
4.mount_ewf.py (Encase Image file path) /mnt/ewf1
+
! Value
5.qemu-img convert /mnt/ewf1/(encase image file name) -O vmdk (give_a_name).vmdk
+
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
=== Paladin 4 ===
+
== Index file format (index) ==
 +
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
- Paladin 4 (free) can convert DD and E01 images to VDMK as well.
+
=== File header ===
 +
*TODO*
  
=== Live View ===
+
== Data block file format (data_#) ==
 +
Overview:
 +
* File header
 +
* array of blocks
  
[http://liveview.sourceforge.net/ Live View] (opensource) is reported as not reliable, but it does work with some images.
+
=== File header ===
 +
*TODO*
  
=== EnCase ===
+
== Data stream ==
 +
See: [[gzip]]
  
use EnCase (Commercial) to mount the E01 image as an emulated disk (you need to have the Physical Disk Emulator (“PDE”) module installed), then VMware to create virtual machine from the emulated physical disk.  Guidance software has a good guide on how to do this in their support portal. 
+
== See Also ==
 +
* [[Google Chrome]]
 +
* [[gzip]]
  
Note – EnCase v7 hasn't been proven to support this, just EnCase 6
+
== External Links ==
  
=== VFC - Virtual Forensic Computing ===
+
[[Category:File Formats]]
 
+
VFC (Commercial) is reportedly very good, but troubles with booting Windows 2003 servers have been reported. It's a little pricey ($1350 for a Corp license) but per one user it WORKS the vast majority of the time and the developer provides excellent support.
+
 
+
== Creating a KVM image ==
+
 
+
=== From the linux command prompt ===
+
kvm -hda myimage.dd
+
 
+
memory can be set as an option, cd drives can be presented, etc., and there is an option equivalent to the VMware non persistent mode.
+
 
+
Warning: It has been determined that using kvm's non-persistent mode can still result in an altered image. Always, always, always work from a copy.
+
 
+
= Using the VMDK file =
+
 
+
Once you have the VMDK file, you can create a virtual machine in
+
Virtualbox or VMware Workstation and use the VMDK as an existing hard
+
disk for the virtual machine. I prefer to use VMware Workstation
+
because it has a non persistent mode which allows you to write changes
+
to a cache file rather than the forensic image itself thus maintaining
+
integrity.
+
 
+
= External Links =
+
* [http://www.myfixlog.com/fix.php?fid=35 How to Create a Virtual Machine from a Raw Hard Drive Image]
+

Revision as of 14:29, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Cache files

The cache is stored in multiple:

Filename Description
index The index file
data_# Data block files
f_###### (Separate) data stream file

Cache address

The cache address is 4 bytes in size and consists of:

offset size value description
If file type is 0 (Separate file)
0.0 28 bits File number
The value represents the value of # in f_######
Else
0.0 16 bits Block number
2.0 8 bits File number (or file selector)
The value represents the value of # in data_#
3.0 2 bits Block size
The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
3.2 2 bits Reserved
Common
3.4 3 bits File type
3.7 1 bit Initialized flag

File types

Value Description
0 (Separate) data stream file
1 (Rankings) block data file (36 byte block data file)
2 256 byte block data file
3 1024 byte block data file
4 4096 byte block data file
6 Unknown; seen on Mac OS X 0x6f430074

Examples

Value Description
0x00000000 Not initialized
0x8000002a Data stream file: f_00002a
0xa0010003 Block data file: data_1, block number 3, 1 block of size

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO*

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO*

Data stream

See: gzip

See Also

External Links