Difference between pages "Linux Repositories" and "VMWare from hard drive images"

From Forensics Wiki
(Imaging Tools)
 
m (added result picture)
 
Line 1: Line 1:
 +
[[Category:Howtos]]
  
There are a number of linux distributions.
+
== Creating virtual machines from forensic images ==
  
In general they have primary repositories which are setup for every installation of the operating system and they have special purpose repositories which require specific setup.
+
After having no success with raw2vmdk, the Live View method has worked.
  
=Repository Setup=
+
[http://liveview.sourceforge.net/index.html Live View] requires:
==openSUSE==
+
For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:
+
  
*security
+
-Java JRE
*devel:languages:perl
+
*devel:languages:python
+
  
This is most easily done from the command line via (assumes openSUSE 12.1):
+
-VMWare Workstation 5.5+ or Server
  
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/security/openSUSE_12.1</nowiki> security
+
-VMWare VDDK ([http://www.vmware.com/support/developer/vddk download])
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/perl</nowiki>/openSUSE_12.1 perl
+
sudo zypper ar -f <nowiki>http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1</nowiki> python
+
+
zypper lr  <nowiki>          </nowiki>  # used to verify you have the repos installed
+
  
==fedora==
+
== Install ==
 +
Install prerequisites followed by Live View (the installer will check for pre-reqs).
  
[http://www.cert.org/forensics/tools/ CERT] maintains a fedora security repository with a large number of DFIR applicaitons.
+
''Tested: Win7-64 with VMWare Workstation 7.12, Live View 0.7b, and VMWare VDDK 5.0''
  
==debian==
 
  
You can search for debian packages at [http://packages.debian.org/search debian's search page]
+
[[File:LiveView.png]]
  
==ubuntu==
+
== VMX Creation ==
  
=Computer Forensic Tools=
+
1. Run Live View as Administrator. ''(Messages pane will result in errors otherwise)''
Below is a list of computer forensic tools. For each tool the repository it can be found in and the version in the repository is shown.
+
  
As an example, aimage is in the openSUSE security repository and it is version 3.2.5
+
2. Set memory and OS as closely as possible to target machine specs. ''(To maximize probability of success)''
  
==Imaging Tools==
+
3. Click "Start".  ''(The screenshot error relates to maximums exceeded based on client machine.)''
  
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
+
[[File:VMWareWorkstation.png]]
|-
+
|rowspan=1| '''Tool'''
+
|'''openSUSE'''
+
|'''fedora'''
+
|'''debian'''
+
|'''ubuntu'''
+
|'''comment'''
+
|'''General Remarks'''
+
 
+
|-
+
|rowspan=1| [http://www.e-fense.com/helix/ adepto]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|  <!-- comment -->
+
|adepto is included in the helix boot cd<!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[aimage]]
+
|security/3.2.5 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|squeeze/3.2.4  <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a imaging tool to create aff format images  <!-- comment -->
+
|aimage has been EOL'ed.  guymager or ftkimager (windows/mac) are recommended for creating aff images. <!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[AIR]]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|Automated Image and Restore  <!-- comment -->
+
|a GUI front-end to dd and dc3dd designed for easily creating forensic bit images <!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[dc3dd]]
+
|security*/7.1.614 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|sid/7.1.614    <!-- debian-->
+
|?              <!-- ubuntu-->
+
|DoD Cyber Crime Center DD  <!-- comment -->
+
|This tool was formerly known as dcfldd.  When released as dc3dd it was totally rewritten. <!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[ddrescue]]
+
|Base/1.14 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|squeeze/1.14 sid/1.23 <!-- debian-->
+
|?              <!-- ubuntu-->
+
|Also known as GNU ddrescue<!-- comment -->
+
|This tool is different than dd_rescue.
+
 
+
|-
+
|rowspan=1| [[dd_rescue]]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|<!-- comment -->
+
|This tool is different than GNU ddrescue.
+
 
+
|-
+
|rowspan=1| [[libewf|ewfacquire]]
+
|security*/20100226 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|squeeze/20100226              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a imaging tool to create ewf format images  <!-- comment -->
+
|ewfacquire is part of ewftools in some distributions.<!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[IXimager]]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A            <!-- debian-->
+
|?              <!-- ubuntu-->
+
|A law enforcement only imager<!-- comment -->
+
|used in conjunction with ILook Investigator
+
 
+
|-
+
|rowspan=1| [[LinEn]]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a proprietary imaging tool to create ewf format images  <!-- comment -->
+
|included on the Helix boot CD<!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [[guymager]]
+
|N/A<!-- opensuse -->
+
|?              <!-- fedora-->
+
|Squeeze/0.4.2 Sid/0.5.9-3              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a imaging tool to create aff format images  <!-- comment -->
+
|Guymager is an open source forensic imager. It focuses on user friendliness and high speed.  <!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [http://sourceforge.net/projects/rdd rdd]
+
|N/A <!-- opensuse -->
+
|?              <!-- fedora-->
+
|2.0.7-2              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a dd-like tool, with forensic imaging features  <!-- comment -->
+
|Rdd is robust with respect to read errors<!-- General Remarks -->
+
 
+
|-
+
|rowspan=1| [ftp://ftp.berlios.de/pub/sdd/ sdd]
+
|Archiving:Backup/1.52 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|lenny/1.52 deprecated              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|a dd-like tool<!-- comment -->
+
|Designed to work well when IBS != OBS.  Working with tape is an example.<!-- General Remarks -->
+
 
+
|}
+
 
+
*package will appear in the base release with the next full distribution release.
+
 
+
==File Inventory Tools==
+
 
+
{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
+
|-
+
|rowspan=1| '''Tool'''
+
|'''openSUSE'''
+
|'''fedora'''
+
|'''debian'''
+
|'''ubuntu'''
+
|'''comment'''
+
|'''General Remarks'''
+
 
+
|-
+
|rowspan=1| [[exiftool]]
+
|base/v8.65 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|squeeze/v8.15 sid/v8.60              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|  <!-- comment -->
+
|exiftool has superior metadata reporting capability -->
+
 
+
|-
+
|rowspan=1| [[fiwalk]]
+
|security*/v0.6.15 <!-- opensuse -->
+
|?              <!-- fedora-->
+
|N/A              <!-- debian-->
+
|?              <!-- ubuntu-->
+
|  <!-- comment -->
+
|fiwalk is a robust $MFT walker<!-- General Remarks -->
+
 
+
 
+
|}
+
 
+
*package will appear in the base release with the next full distribution release.
+
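Review bot: the exiftool row of the File Inventory Tools table ends its last cell with `|exiftool has superior metadata reporting capability -->`, closing an HTML comment that was never opened, so the stray `-->` renders literally in the General Remarks column; change it to `|exiftool has superior metadata reporting capability<!-- General Remarks -->` to match the other rows. Two smaller points in the same page: the `zypper lr  <nowiki>          </nowiki>  # used to verify you have the repos installed` line wraps a run of spaces in `<nowiki>` tags that only pad the rendered command, and the `security*` footnote ("package will appear in the base release with the next full distribution release") is easy to miss because the asterisk is explained only after each table; naming the rows it applies to (dc3dd, ewfacquire, fiwalk) would help readers.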

Latest revision as of 12:56, 23 March 2012


Creating virtual machines from forensic images

After having no success with raw2vmdk, the Live View method has worked.

Live View requires:

- Java JRE
- VMWare Workstation 5.5+ or Server
- VMWare VDDK (download)

Install

Install the prerequisites, then Live View (the installer will check for the prerequisites).

Tested: Win7-64 with VMWare Workstation 7.12, Live View 0.7b, and VMWare VDDK 5.0

[Screenshot: LiveView.png]

VMX Creation

1. Run Live View as Administrator. (Otherwise the Messages pane will show errors.)

2. Set memory and OS as closely as possible to the target machine's specs. (This maximizes the probability of success.)

3. Click "Start". (The error in the screenshot relates to maximums exceeded based on the client machine.)

[Screenshot: VMWareWorkstation.png]