SANS Digital Forensics and Incident Response Blog

Give Your Forensic Images the Boot, Part I

At its worst, incident response in the past consisted of someone with a little bit of knowledge sitting down at the affected machine and poking around at its contents. Computer forensics has influenced the initial response, but you may still find quality information by taking a live look at a suspect machine. For instance, I have no idea where the settings are that affect how icons are arranged on the desktop. But by booting into the captured image, I get to see and feel how the user environment was actually set up.

Booting the image into a virtual environment has other advantages. First, you can interact with the computer in a more natural and familiar way. Second, you have new software tools at your disposal that are designed to be run on a live machine. Third, it may be possible that the only detection (or certainly quicker detection) of some malware will be on a running computer.

With free options to boot an image, this should be something that every examiner has at his or her disposal. One option is LiveView, which does most of the work for you by creating the configuration files needed to launch your image in VMware. During installation, it even prompts you to install the other software it relies on. All changes to the image are redirected so that the integrity of the image is preserved. In conjunction with VMware Server, which is also free, LiveView is an increasingly useful tool.

Other options include using ProDiscover (a free version is available) to create your VMware configuration files or the commercially available Mount Image Pro and Virtual Forensic Computing to mount and boot your images.
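As an added example (not from the original post, and not LiveView's own code), the shell script below does by hand the two things the paragraphs above credit LiveView with: it writes a VMware flat-extent descriptor (.vmdk) and a minimal .vmx that attach a raw dd image of a whole disk to a virtual machine without converting it, and it records a SHA-256 of the image before and after the boot so you can show the evidence was not altered. The disk is attached in VMware's independent-nonpersistent mode, so guest writes go to a redo log that is discarded at power-off, and the image file is also made read-only on the host. The guest OS type, memory size, file names and the virtual hardware version (4, as used by VMware Server 1.x) are assumptions; adjust them for your case.

```shell
#!/bin/sh
# Added example (not from the original post or from LiveView): wrap a raw dd
# image of a whole disk in a VMware flat-extent descriptor and a minimal .vmx,
# and hash the image before and after the boot to show it was not altered.
# Assumptions: 512-byte sectors, virtual hardware version 4 (VMware Server 1.x),
# a Windows XP guest; change guestOS/memsize for other cases.

# SHA-256 of the image (sha256sum on Linux, shasum on macOS/BSD).
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Size of the image in 512-byte sectors.
image_sectors() {
    echo $(( $(wc -c < "$1") / 512 ))
}

# Write a monolithicFlat VMDK descriptor that points at the raw image.
# The extent must be declared RW for VMware to open it; write protection
# comes from the disk mode in the .vmx and from file permissions, not from here.
make_descriptor() {
    img=$1; out=$2
    sectors=$(image_sectors "$img")
    cylinders=$(( sectors / (255 * 63) ))
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW $sectors FLAT "$(basename "$img")" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
}

# Minimal .vmx: the disk is attached independent-nonpersistent, so every
# guest write lands in a redo log that is discarded when the VM powers off.
make_vmx() {
    vmdk=$1; out=$2
    cat > "$out" <<EOF
config.version = "8"
virtualHW.version = "4"
displayName = "evidence-boot"
guestOS = "winxppro"
memsize = "512"
ide0:0.present = "TRUE"
ide0:0.fileName = "$(basename "$vmdk")"
ide0:0.mode = "independent-nonpersistent"
EOF
}

# Second line of defence: make the image itself read-only on the host.
protect_image() {
    chmod 444 "$1"
}

# Usage: sh boot-image.sh /evidence/suspect.dd   (path is an assumed example)
#   Prints the pre-boot hash and writes suspect.vmdk and suspect.vmx next to
#   the image. After shutdown, run image_hash on the image again: the value
#   must match the pre-boot hash.
if [ "$#" -eq 1 ]; then
    img=$1
    base=${img%.*}
    echo "pre-boot sha256: $(image_hash "$img")"
    protect_image "$img"
    make_descriptor "$img" "$base.vmdk"
    make_vmx "$base.vmdk" "$base.vmx"
    echo "wrote $base.vmdk and $base.vmx"
fi
```

The descriptor maps the whole image, master boot record included, so the guest boots from the same boot sector the original machine used. Keep the pre-boot hash with your case notes; the post-boot hash matching it is the evidence that the redirection of writes actually held.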

One potential trap in booting into a live environment is Microsoft activation. Windows may detect the change in hardware and demand re-activation. Booting into safe mode may avoid this pitfall. Another option is to call Microsoft directly and explain the situation; many law enforcement examiners have had good luck getting new activation keys that way.

Part II of this article will show the complete step-by-step process, with screenshots, of booting forensic images. If you have never booted your forensic image and don't want to wait, give it a try and see what advantages it gives you.

Matt Churchill, GCFA #3934, CFCE, CCE, CISSP


Posted December 14, 2008 at 11:19 PM


There is one issue with the LiveView free edition which I'm having trouble with. Say you do a complete dd of a partitioned hard disk drive. When you try to run it live using LiveView, it just won't. But say, for example, you just dd the boot partition and then run only that: it will boot. Anyone had the same problem?