Difference between pages "Virtual machine" and "GRR"

From ForensicsWiki

= Creating a VM control file from a forensic image =

In general, VM software needs both an image and associated control files.

There are a number of ways to create the VM control files needed to run an image as a VM instance. At present, this article primarily provides a series of tools that can create VMDK VM control files.

== Creating a VMDK file from a forensic image ==

=== Linux tools as included in SIFT ===

Via the SIFT workstation (free), use the following steps:

1. Open a terminal window
2. sudo su
3. mkdir /mnt/ewf1
4. mount_ewf.py (EnCase image file path) /mnt/ewf1
5. qemu-img convert /mnt/ewf1/(EnCase image file name) -O vmdk (give_a_name).vmdk

=== Paladin 4 ===

Paladin 4 (free) can convert DD and E01 images to VMDK as well.

=== Live View ===

[http://liveview.sourceforge.net/ Live View] (open source) is reported as not reliable, but it does work with some images.

=== EnCase ===

Use EnCase (commercial) to mount the E01 image as an emulated disk (you need to have the Physical Disk Emulator ("PDE") module installed), then use VMware to create a virtual machine from the emulated physical disk. Guidance Software has a good guide on how to do this in their support portal.

Note: EnCase v7 hasn't been proven to support this, just EnCase 6.

=== VFC - Virtual Forensic Computing ===

VFC (commercial) is reportedly very good, but troubles with booting Windows 2003 servers have been reported. It's a little pricey ($1350 for a corporate license) but per one user it works the vast majority of the time and the developer provides excellent support.

== Creating a KVM image ==

=== From the Linux command prompt ===

 kvm -hda myimage.dd

Memory can be set as an option, CD drives can be presented, etc., and there is an option equivalent to the VMware non-persistent mode.

Warning: It has been determined that using kvm's non-persistent mode can still result in an altered image. Always, always, always work from a copy.

= Using the VMDK file =

Once you have the VMDK file, you can create a virtual machine in VirtualBox or VMware Workstation and use the VMDK as an existing hard disk for the virtual machine. I prefer to use VMware Workstation because it has a non-persistent mode which allows you to write changes to a cache file rather than the forensic image itself, thus maintaining integrity.
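The SIFT conversion steps above and the kvm warning share one practical concern: nothing that boots or converts the evidence should ever write to it. The script below is an added example, not code from the ForensicsWiki page or from the SIFT, libewf or QEMU projects. It wraps the page's mount_ewf.py / qemu-img steps so the source image is hashed before and after the conversion, turning a silent modification into a hard failure. It assumes a POSIX sh with coreutils' sha256sum, and that mount_ewf.py and qemu-img are installed as the page uses them; the function names, the mount-point and output arguments, and the explicit -f raw flag for qemu-img are this example's own choices, not from the page.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page): the page's mount_ewf.py /
# qemu-img procedure, wrapped so the evidence file is hashed before and after
# the step that touches it. Any write to the source shows up as a hash mismatch.
# Assumptions: POSIX sh, sha256sum (coreutils), mount_ewf.py and qemu-img on PATH,
# root privileges for the FUSE mount. Function names are this example's own.

# hash_file FILE: print the SHA-256 hex digest of FILE.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# vmdk_name_for IMAGE: derive the output name from the image (evidence.E01 -> evidence.vmdk).
vmdk_name_for() {
    base=$(basename "$1")
    printf '%s.vmdk\n' "${base%.*}"
}

# run_preserving SRC CMD [ARGS...]: run CMD, then fail if SRC's hash changed.
# Exit status: CMD's own status if SRC is untouched, 1 if SRC was modified.
run_preserving() {
    src="$1"; shift
    before=$(hash_file "$src")
    "$@"
    status=$?
    after=$(hash_file "$src")
    if [ "$before" != "$after" ]; then
        echo "ERROR: $src was modified during the operation (sha256 $before -> $after)" >&2
        return 1
    fi
    return "$status"
}

# convert_mounted E01 MOUNTPOINT RAWNAME OUT: steps 4 and 5 from the page.
# RAWNAME is the file name mount_ewf.py exposes under MOUNTPOINT (check with ls
# after mounting); -f raw makes the input format explicit instead of autodetected.
convert_mounted() {
    mount_ewf.py "$1" "$2" || return 1
    qemu-img convert -f raw "$2/$3" -O vmdk "$4"
    status=$?
    umount "$2"
    return "$status"
}

# ewf_to_vmdk E01 MOUNTPOINT RAWNAME OUTDIR: the whole procedure with the
# E01 hashed around the mount + convert. Returns 2 if a required tool is missing.
ewf_to_vmdk() {
    e01="$1"; mnt="$2"; raw="$3"; outdir="$4"
    for tool in mount_ewf.py qemu-img; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    mkdir -p "$mnt" "$outdir"
    run_preserving "$e01" convert_mounted "$e01" "$mnt" "$raw" "$outdir/$(vmdk_name_for "$e01")"
}

# Usage: sudo sh convert.sh evidence.E01 /mnt/ewf1 <raw name under /mnt/ewf1> /cases/vm
if [ "$#" -eq 4 ]; then
    ewf_to_vmdk "$1" "$2" "$3" "$4"
fi
```

The same wrapper applies to the kvm warning: `run_preserving myimage.dd kvm -snapshot -hda myimage.dd` (with `-snapshot` being qemu's own non-persistent option, which the page does not name) reports whether the run left the image byte-identical, which is exactly the check that makes "always work from a copy" verifiable rather than a matter of trust.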

= External Links =

* [http://www.myfixlog.com/fix.php?fid=35 How to Create a Virtual Machine from a Raw Hard Drive Image]

Revision as of 14:36, 12 January 2014

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.

The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.

= See also =

* [[rekall]]

= External Links =

* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==

* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]]. Digital Investigation, 2013.

== Presentations ==

* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==

* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]