Booting a forensic image as a Virtual Machine (VM) with freeware and open source tools (VirtualBox)

1. Booting an image as a
forensically-sound VM in
VirtualBox
Brent Muir

2. Virtual Machine: Forensics
 Forensically-sound means that all steps are repeatable &
source data is not modified
 VM allows for dynamic forensic analysis (e.g. some
password recovery, NirSoft tools can be used)
 VM can be used to show exactly what the user saw
 This method is based on the research by Jimmy Weg
(http://justaskweg.com)

3. VirtualBox
 All Open Source / freeware tools:
 VirtualBox (v 4.2x)
 FTK Imager (v 3.x)
 Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM
passwords)
 OpenGates (for hardware/driver issues)

4. STEP 1
MOUNTING YOUR IMAGE
 Using FTK Imager mount your suspect’s image as a physical
disk (note which physical disk number it is allocated)

5. STEP 2
CREATE & MODIFY A VM
 To use VirtualBox you must create a blank .VMDK
 Open CMD and navigate to the VirtualBox program folder
(C:Program FilesOracleVirtualBox)
 Use the following command to create a VMDK file pointing to the
physical disk of the mounted HD image:
VBoxManage internalcommands createrawvmdk -filename
“path_to_wherever_you_want_to_store.vmdk" -rawdisk
.PhysicalDriveX
X – being the physical drive number of the mounted image

6. STEP 2
CREATE & MODIFY A VM
 Once the VMDK file has been created open VirtualBox and
create a new VM based on the suspect’s machine
 Choose the same OS that was installed on the suspect’s
machine

7. STEP 2
CREATE & MODIFY A VM
 Point to the newly created VMDK as the virtual HD

8. STEP 2
CREATE & MODIFY A VM
 Remove the NIC

9. STEP 2
CREATE & MODIFY A VM
 Close the Settings window
 Click on “Start” and straight away in the VM console window
click on Machine  Take Snapshot
 Power off the VM (it won’t boot properly anyway as the
physical drive is write-blocked)

10. STEP 2
CREATE & MODIFY A VM
 Go back into settings and highlight the Storage options
 Remove the newly created VMDK file as the option and add
the snapshot VMDK file instead
(C:Usersuser_accountVirtualBox VMs...Snapshots)

11. STEP 3
BLANKING SAM PASSWORDS
 In Settings menu add the NORDAHL-HAGEN boot ISO as a
CD image

12. STEP 3
BLANKING SAM PASSWORDS
 Start the VM
 Choose to boot from CD
 Follow the command prompts to blank the desired
password/s and reboot the VM

13. STEP 4
BOOTING YOUR VM
 You should now be able to boot the image as a VM
 Ensure that you still have the image mounted under FTK
Imager as the same Physical Disk number
 Essentially what you have done is created a VMDK reference
file which points to the Physical Disk and blanked the SAM
passwords from the HD (or in this case the snapshot of the
system OS)

14. OpenGates
 Windows OSes often complain about hardware and system
changes in relation to licensing/activation
 can result in an inaccessible VM
 OpenGates allows you to:
 Patch the registry in order to enable legacy IDE drivers
 Remove drivers that could conflict with the new hardware
 Determine used HAL
 If you encounter this issue start VM with OpenGates ISO as
first boot option and follow the prompts

15. REFERENCES
 Nordahl-Hagen NT Password Reset Boot CD -
http://pogostick.net/~pnh/ntpasswd/
 NTPWEDIT - http://cdslow.webhost.ru/ntpwedit/
 OpenGates - https://www.pinguin.lu/index.php
 VirtualBox - http://www.virtualbox.org
 Weg, J. http://justaskweg.com/