SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Using VMWare for Forensic Analysis

I have a lot of students ask me about different options for case management/forensic analysis tools besides commercial based products. As we know, VMWare Desktop is not free, you can download a free trial copy for 30 days and utilize the SIFT Workstation (for example). I also recommend the bootable Knoppix-like CDs for live analysis and contain case management as well. Here is a great tutorial from Forensic Focus on using VMWare as a forensic tool.

Tools:

  • VMWare and SANS Sift Workstation. The SANS SIFT Workstation is a VMware Appliance that is pre-configured with all the necessary tools to perform a detailed digital forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite.
  • HELIX 2.0 (future version do have a cost associated with them). HELIX is a customized Knoppix CD distribution. With 2008R1 release, HELIX is now an Ubuntu-based live CD with a collection of incident response and forensic analysis software.
  • Knoppix-STD is a Linux-based Security Tool. Actually, it is a collection of hundreds if not thousands of open source security tools. It's a Live Linux Distro, which means it runs from a bootable CD in memory without changing the native operating system of the host computer. Its sole purpose in life is to put as many security tools at your disposal with as slick an interface as it can.

Good Reads:

Upcoming Events:

Digital Forensics Case Leads for 20100911 was compiled by Jennie DeLucia. Jennie is the Manager of IT GRC for Excellus Heath Plan. In addition she is a SANS Community 408/508 Instructor, an adjunct Professor at the Rochester Institute of Technology, as well as an independent computer forensic consultant.

2 Comments

Posted September 12, 2010 at 5:37 AM | Permalink | Reply

Nick Jenkins

Helix 3 is still downloadable for free. (Last I checked) But you cannot access the forums which is what the membership is for. Forum Support.

Posted September 13, 2010 at 4:52 AM | Permalink | Reply

Brett Shavers

There are two more resources of using virtual machines in forensics. The most comprehensive is a recently published book (Virtualization and Forensics, by Dianne Barrett) and a follow up I wrote to the link you mention (http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf).
Another resource for students (and anyone else'') is http://testimages.wordpress.com/. There is a list of forensic images to use for testing and practice, all free as well.