Criminal Justice Online > Criminal Justice Technology > Forensic Science > taking computer forensics to the "next level"...
taking computer forensics to the "next level"...
Gabrielelohim (Member, joined Sat Feb 16th, 2008, 5 posts)
Posted: Wed Apr 30th, 2008 10:12 am (1st post)
to the administrator / moderator(s) of this site... granted i have only posted on this site two (2) times, however 695+ people have viewed my post(s) and no one has replied...??? am i posing my questions in the "wrong area"???

as is inevitable, time and stubbornness usually answer one's questions for them lol :cool:

the answer to my first question posed in post 1 was simple... BUY ANOTHER COMPUTER... i did and everything works perfectly now...

the answer to my second question posed in post 2 ended up being simple as well... (thank the godz that the password was a simple one =) had it been seven (7) characters or more using a combination of alpha numerics, and specials, i probably would not have been able to break the AES-256 bit encryption. as it was a brute force / xeive attack cracked the encryption in a little over 36 hours... (a side note to those of you that may want to try to get into the file, the zip file itself is corrupted, let alone the file inside being encrypted)

having said that lol, i have another computer forensic question for any gurus that may be lurking ;)

a few of the students in this program and i actually "stumped" the forensic expert(s) / lawyer(s) that run said program recently... the only answer we got from them was a "stumbling", "you did what???" that's really cool but i don't think it is "legally forensically sound"...

what we did was take the bit-stream ISO image from FTK imager, and use it to virtually recreate the target machine using VMware...

i understand their argument when they say if you even touch the virtual recreation you have compromised the "evidence"... and having done that any discovery will not stand up in a court of law...

but my point is this... the examiner / investigator can ALWAYS simply reset the virtual recreation of the target machine back to its original state, regardless of what they do with it...

given this fact, the virtually recreated target machine meets the scientific criteria of being able to REPRODUCE YOUR RESULTS...

having said this, wouldn't it be much simpler for the expert witness to explain to the "lay client or juror" that is not so tech savvy, what the suspect has done by pointing and clicking to where the "demonstrative evidence" resides, rather than trying to explain in layman's terms the intricacies of known forensic tools such as FTK or Encase???

all right, sorry for being so long winded... i guess what i'm asking is, is it possible to "image a virtual machine" so that the same SHA-1 and MD5 hash values found in the original image are returned from the image of the virtually recreated "target machine"???


peace,

Gabrielelohim

Last edited on Wed Apr 30th, 2008 10:58 am by Gabrielelohim

querist (Member, joined Fri Oct 3rd, 2008, 3 posts)
Posted: Fri Oct 3rd, 2008 02:36 pm (2nd post)
I would suggest imaging the device containing the virtual machine's files, such as the .vmx and related files if you're using VMware. Then, you can run the virtual machine from non-writable media (e.g. CD-ROM or DVD-ROM) if it will fit, or if not, you can use a write-blocked FireWire or USB connector to connect the external drive to the machine that will host the virtual machine.


That way, you can demonstrate (within reason) that you took precautions to prevent alteration of the virtual machine.

As always, compute hash values, and if possible, confiscate the original drives and handle them as standard evidence (chain of custody, etc). Once you make your copies, lock the original up in a safe place, ideally somewhere where you cannot get to it without leaving a trail (again, chain of custody).
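The two posts above come down to one check: the acquired image must hash to the same MD5 and SHA-1 after the examiner has "clicked around" in the virtual machine as it did at acquisition, which only holds if the VM's writes never reach the image bytes. The following is an added example (not code from either poster, FTK Imager or VMware): it hashes a constructed sample image, records the values as a manifest, routes simulated guest writes through a copy-on-write overlay that stands in for a VMware snapshot or non-persistent disk, and re-verifies the base image afterwards. The `OverlayDisk` class, the 512-byte sector size and the sample image bytes are all assumptions made for the illustration.

```python
"""Hash-verification workflow for a forensic disk image used as a VM disk.

Added example, not code from the thread. The "image" is a constructed byte
string and the copy-on-write overlay below is a stand-in for a VM snapshot
or non-persistent disk; no real imaging or virtualisation tool is called,
so everything runs offline.
"""
import hashlib

SECTOR = 512  # assumed sector size for the toy disk


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-1 of an image, the two values the thread asks about."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(data: bytes, manifest: dict) -> bool:
    """True only if both recorded hashes still match the image bytes."""
    return hash_image(data) == manifest


class OverlayDisk:
    """Copy-on-write view of an immutable base image.

    Reads fall through to the base; writes land in a per-sector overlay and
    never touch the base bytes, which is what a VM snapshot or non-persistent
    disk does. discard() resets the 'machine' to its original state without
    ever having modified the base image.
    """

    def __init__(self, base: bytes):
        self._base = base
        self._overlay = {}

    def read(self, sector: int) -> bytes:
        if sector in self._overlay:
            return self._overlay[sector]
        start = sector * SECTOR
        return self._base[start:start + SECTOR]

    def write(self, sector: int, payload: bytes) -> None:
        if len(payload) != SECTOR:
            raise ValueError("write must be exactly one sector")
        self._overlay[sector] = payload  # base bytes are never touched

    def discard(self) -> None:
        self._overlay.clear()

    def dirty_sectors(self) -> list:
        return sorted(self._overlay)


def simulate_examiner_session(base: bytes) -> dict:
    """Boot the image through an overlay, write to it, then re-verify the base."""
    manifest = hash_image(base)  # recorded at acquisition time
    disk = OverlayDisk(base)
    original_sector0 = disk.read(0)
    # The examiner 'clicks around': the guest overwrites sector 0.
    disk.write(0, b"\x00" * SECTOR)
    changed_in_vm = disk.read(0) != original_sector0
    # The base image is untouched, so its hashes still verify.
    base_ok_after_writes = verify_image(base, manifest)
    # Resetting the VM is just dropping the overlay.
    disk.discard()
    reset_ok = disk.read(0) == original_sector0 and not disk.dirty_sectors()
    return {"changed_in_vm": changed_in_vm,
            "base_ok_after_writes": base_ok_after_writes,
            "reset_ok": reset_ok}


def direct_write_breaks_hash(base: bytes) -> bool:
    """Contrast: a VM that writes into the image itself changes both hashes."""
    manifest = hash_image(base)
    tampered = b"\x00" * SECTOR + base[SECTOR:]
    return not verify_image(tampered, manifest)


# Constructed sample image: 8 sectors of deterministic filler, not real data.
SAMPLE_IMAGE = bytes((i * 7) % 256 for i in range(8 * SECTOR))

if __name__ == "__main__":
    print(hash_image(SAMPLE_IMAGE))
    print(simulate_examiner_session(SAMPLE_IMAGE))
    print(direct_write_breaks_hash(SAMPLE_IMAGE))
```

The point of the overlay is the answer to the hash question: the image of the virtually recreated machine can only return the original MD5 and SHA-1 if the hypervisor is configured so that every guest write goes to a snapshot or overlay file and the base image is opened read-only (or sits behind a write blocker, as the second post suggests). Re-running `verify_image` against the acquisition manifest after each session is the check that shows this in the examiner's notes.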
