Friday, October 24, 2014

Dynamic Interaction Analysis of Forensics Images Using Completely Free Tools

A couple of years ago, when I was first introduced to forensics, I found it overwhelming to dig through static configuration files (the Windows registry) when looking for data, and over time I failed to keep track of the key registry locations I would need to examine.  I was lucky enough to have FTK available, and items like the Registry Quick Find Guide were extremely helpful.  Today I went out looking for this and can no longer locate it on Access Data’s site.  While FTK is extremely powerful, there are times where you want to interact with the system, for example when doing dynamic analysis of a possibly compromised system.  I came across VFC @ http://www.virtualforensiccomputing.com/vfc-faq.php, but simply couldn’t afford this.  From the home lab perspective, I wanted a zero or no-cost solution for analyzing full raw (dd) images.
Zero Cost Solution:
·         VMware Player
·         FTK Imager
I’m going to assume you already have a RAW format image.  You could have used FTK to create it, but that’s not important.  We’re going to use FTK Imager for its Disk Mounting utility.  What makes this awesome is mounting the image as “Block Device / Writable”.  From the user guide:
“Allows you to write to the evidence, make notes, and so forth. The changes and notations are saved in a cache file, but no changes are made to the original. If selected, provide path information for the cache file in the Write Cache Folder field.”

Here’s the processing flow I use.
Start AccessData FTK Imager
Ø  File > Image Mounting
Ø  Select a dd file (raw)
Ø  Mount Type:  Physical & Logical
Ø  Drive Letter: Next Available
Ø  Mount Method: Block Device / Writable
**Don’t close FTK Imager**

**I assume you have used VMware and understand how to create/provision VMs.  Ideally, a custom .vmx file would be completely appropriate here, but I’m assuming you know the basics.**
Create a new VM.  Choose CPU and RAM.  Ideally, you should match what the physical machine had.  For the hard disk, just pick the defaults; we’re going to be deleting it and creating a new one anyway.  Once you’ve got your VM created, go back into the settings and let’s start by removing the Hard Disk and then adding a new one.
VMware Add Hardware Wizard
Ø  Add Hard Disk
Ø  Virtual Disk Type: IDE (adjust if you have issues)
Ø  Select Disk: Use a physical disk, Usage: Use Individual Partitions
Ø  Check all of the partitions listed

From there, fire up your VM.  Excessive disk paging and high CPU should be expected, especially during first launch while Windows loads/installs drivers.  You can do anything you need to, and FTK will take care of it, leaving the image intact.
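The whole point of the Block Device / Writable mount is that everything the VM writes lands in the FTK Imager cache file while the original dd image stays byte-for-byte intact.  The script below is an added example (my own, not part of the original post or of AccessData’s tooling) of the check I would run around that workflow: hash the image before mounting, run the VM session, then re-hash and compare, and list what appeared in the Write Cache Folder.  The sample “image”, the cache folder layout and the cache file name (`evidence.dd.cache`) are all constructed for the demo; FTK Imager’s real cache naming is not documented on this page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images never need to fit in RAM


def hash_image(path):
    """Return the hex SHA-256 of a raw (dd) image, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_unchanged(path, baseline_digest):
    """True if the image on disk still matches the digest taken before mounting."""
    return hash_image(path) == baseline_digest


def cache_files(write_cache_folder):
    """Names of files present in the Write Cache Folder (assumed: any regular file there)."""
    folder = Path(write_cache_folder)
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.iterdir() if p.is_file())


def write_sample(directory, name, data):
    """Helper: write constructed bytes to a file and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Walk the before/after check on a constructed image and cache folder."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed 16 KiB stand-in for the evidence dd image.
        image = write_sample(tmp, "evidence.dd", bytes(range(256)) * 64)
        cache = os.path.join(tmp, "write-cache")
        os.mkdir(cache)

        # 1. Baseline hash taken before the image is mounted.
        baseline = hash_image(image)

        # 2. A VM session through the writable block device writes to the cache,
        #    not to the image (constructed stand-in for FTK Imager's cache file).
        write_sample(cache, "evidence.dd.cache", b"\x00" * 512)
        results["intact_after_session"] = verify_unchanged(image, baseline)
        results["cache_files"] = cache_files(cache)

        # 3. If the image itself were written (wrong mount method, wrong device
        #    attached to the VM), the comparison must catch it.
        with open(image, "r+b") as f:
            f.seek(1024)
            f.write(b"X")
        results["tamper_detected"] = not verify_unchanged(image, baseline)

        # Known-answer check of the hashing routine (SHA-256 of b"abc").
        results["abc_digest"] = hash_image(write_sample(tmp, "abc.bin", b"abc"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Record the baseline digest in your notes before File > Image Mounting and compare again after you shut the VM down; if the two differ, the session touched the evidence rather than the cache and the analysis should be treated as non-forensic.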
Of course, with VMware Professional, you have more robust options.  This is how to do it on the super cheap!
