Bootable Evidence Image?


    1) To make the image "bootable", should I create an image of the COMPLETE drive (including ALL partitions)?
    2) If yes, how can I make the image bootable, but with "read only" access?

    (I use Oracle VM VirtualBox)

    TIA
    Last edited by Marius; May-18-2012, 06:54 PM.

  • #2
    Well you would need to make sure the disk is bootable to start with, and that it isn't just a secondary data drive.

    Then you would want to make sure the drive isn't part of a RAID set, where you would only be imaging one of the drives that make up the set.

    After that, you have the choice of imaging partitions on the drive or the entire physical drive.

    But to have any hope of booting the drive image you need to image more than just a partition, as you need the MBR and partition table, which are outside of the partition itself.

    You can use VBoxManage convertfromraw to convert a raw 'dd' image (as created by OSF or OSFClone).

    But you still might run into Windows activation problems, or problems because the Windows kernel was the wrong version. More details are here:
    https://www.virtualbox.org/wiki/Migrate_Windows

    Of course you can use OSF to mount and investigate a disk image and copy files off it without actually booting it. It is also much easier to keep it read-only if you just mount it rather than boot it.



    • #3
      Thanks David... I was just curious, as EnCase's images can be booted directly (so I have heard) via a virtual drive without any long and tedious procedures. Another reason for my question is that I would like to make TWO images... one to work on, and ALSO be able to boot, and the other one as my MASTER... that doesn't get altered. The MASTER then gets MD5-hashed as evidence... It's always easier if the image can boot, and then just show the customer the "basic" way of what you as an investigator are actually trying to do. Not only that, but by "booting" the image, it's also easier to "UN-secure" some folders that might have been set to "disallow" me from entering them (permission settings)... this I'll do on my "dummy" image... So am I correct when saying, to accomplish my task of "booting" the image, I must make a COMPLETE image including all the partitions? (I think that's where I slipped up.) I just found OSForensics (as freeware) a couple of days ago... so I'm still experimenting with it, lol

      PS: somewhere on the net I read that EnCase CAN boot the image in READ-ONLY mode... thereby eliminating the risk of change (same as a PE disk running from your CD drive).

      I have used this program via mounting and it works 100%... I was just trying to take it one step further to be able to boot it as well... that's all.
      Last edited by Marius; May-19-2012, 06:09 AM.



      • #4
        EnCase format is effectively just a compressed 'dd' format. An EnCase image, if anything, is less useful than a raw 'dd' image. Raw 'dd' images are nice because pretty much any tool will deal with them. Regardless of the image format, you can still have the same problems, like Windows activation (and missing login passwords), when booting.

        OSF can directly read the image (dd or EnCase E01) and bypass file system permissions. So there is no need to boot the image to get around folder permissions.

        Various VM tools allow changes to the image to be tracked and rolled back. So in that sense it should be possible to keep the image unchanged with the right settings in your VM.

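The procedure the two replies above describe (#2: image the whole physical drive so the MBR and partition table are present, convert the raw 'dd' image with VBoxManage convertfromraw; #4: let the VM track and roll back writes so the image stays unchanged) as an added, runnable example. This is my script, not PassMark's or David's code and not from the thread. It assumes coreutils dd/od/sha256sum (shasum as fallback) and VBoxManage on PATH; the VM name "evidence-vm", the OS type "Windows7" and the SATA controller name are placeholders. It uses SHA-256 rather than MD5 for the before/after hash because MD5 collisions are practical; the MBR test is a heuristic and labelled as such.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread): check that a raw 'dd' image is a
# whole-disk image with an MBR, convert it for VirtualBox, attach it as an
# immutable disk so every write goes to a differencing image, and prove the
# evidence file was not touched by hashing it before and after.
# Assumptions: coreutils dd/od/sha256sum, VBoxManage on PATH; VM name,
# OS type and controller name below are placeholders.
set -eu

hash_file() {   # SHA-256 of a file as hex (shasum fallback for systems without sha256sum)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

hex_at() {      # hex_at FILE OFFSET COUNT -> COUNT bytes as lowercase hex, no spaces
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# mbr_check FILE: heuristic test that the image starts with an MBR, i.e. is a
# whole-disk image and not a single partition. Both an MBR and an NTFS/FAT
# volume boot record end in 0x55AA, so the signature alone proves nothing;
# the OEM name at offset 3 and the four 16-byte partition entries at offset
# 446 separate the two cases. Returns 0 for MBR with >= 1 entry, else 1.
mbr_check() {
  img=$1; parts=0; active=0
  sig=$(hex_at "$img" 510 2)
  if [ "$sig" != "55aa" ]; then echo "no 0x55AA boot signature at offset 510"; return 1; fi
  oem=$(dd if="$img" bs=1 skip=3 count=8 2>/dev/null | tr -d '\000')
  case "$oem" in
    NTFS*|MSDOS*|MSWIN*|mkfs*|FRDOS*)
      echo "volume boot record ($oem): partition-only image, no MBR"; return 1;;
  esac
  for i in 0 1 2 3; do
    ent=$(hex_at "$img" $((446 + 16 * $i)) 16)
    status=$(printf '%s' "$ent" | cut -c1-2)   # byte 0: 0x80 active, 0x00 inactive
    ptype=$(printf '%s' "$ent" | cut -c9-10)   # byte 4: partition type, 0x00 unused
    case "$status" in
      00|80) ;;
      *) echo "entry $i has status 0x$status: not a partition table"; return 1;;
    esac
    if [ "$ptype" != "00" ]; then parts=$((parts + 1)); fi
    if [ "$status" = "80" ]; then active=1; fi
  done
  if [ "$parts" -eq 0 ]; then echo "0x55AA present but partition table is empty"; return 1; fi
  echo "MBR: $parts partition entries, active flag present: $active"
}

# prepare_vm IMAGE.dd OUT.vdi [VMNAME]: convert, mark immutable, attach to a
# new VM, and verify the evidence file's hash is unchanged afterwards.
prepare_vm() {
  img=$1; vdi=$2; vm=${3:-evidence-vm}
  before=$(hash_file "$img")
  mbr_check "$img" || { echo "refusing: $img does not look like a bootable whole-disk image"; return 1; }
  VBoxManage convertfromraw "$img" "$vdi" --format VDI
  VBoxManage modifymedium disk "$vdi" --type immutable   # writes land in a differencing image
  VBoxManage createvm --name "$vm" --ostype Windows7 --register
  VBoxManage storagectl "$vm" --name SATA --add sata
  VBoxManage storageattach "$vm" --storagectl SATA --port 0 --device 0 --type hdd --medium "$vdi"
  after=$(hash_file "$img")
  if [ "$before" != "$after" ]; then echo "EVIDENCE HASH CHANGED: $before -> $after"; return 1; fi
  echo "$img unchanged, sha256 $after; boot with: VBoxManage startvm $vm"
}

# Usage: prepare_vm evidence.dd evidence.vdi
```

Two caveats from VirtualBox's documented behaviour: the differencing image behind an immutable disk is discarded by default at the next power-on, so a "dummy" session you want to keep across reboots is better served by leaving the VDI as a normal disk and taking a VM snapshot before the first boot, then restoring that snapshot to roll back; and the VDI is a derived copy, so the hash you record as evidence is the one of the raw 'dd' master, which nothing here writes to.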


        • #5
          Originally posted by David (PassMark) View Post
          EnCase format is effectively just a compressed 'dd' format. An EnCase image, if anything, is less useful than a raw 'dd' image. Raw 'dd' images are nice because pretty much any tool will deal with them. Regardless of the image format, you can still have the same problems, like Windows activation (and missing login passwords), when booting.

          OSF can directly read the image (dd or EnCase E01) and bypass file system permissions. So there is no need to boot the image to get around folder permissions.

          Various VM tools allow changes to the image to be tracked and rolled back. So in that sense it should be possible to keep the image unchanged with the right settings in your VM.
          Thanks David... Just a last question, if I may... What is the best way to create a "partition" image of a disk: WITH shadow copy, or WITHOUT shadow copy? (I need to have the COMPLETE partition including all slack space...)
          Last edited by Marius; May-21-2012, 08:16 PM.
