SlideShare a Scribd company logo

How to boot a VM form a Forensic Image

Krešimir Hausknecht, profile picture
Krešimir Hausknecht

This document provides instructions for booting a virtual machine from a forensic image using VirtualBox and FTK Imager. It involves mounting the forensic image using FTK Imager to access it as a physical drive, creating a virtual disk file pointing to the mounted image, and configuring a new virtual machine in VirtualBox to use the virtual disk file. The process allows examining the forensic image content in a virtual machine but may corrupt the original evidence. Issues like startup repair errors can be fixed by deleting the VirtualBox user folder and repeating the procedure.

Technology
1 of 12
1
2
3
4
5
6
Most read
7
8
Most read
9
10
11
12
Most read
How to boot a VM from a Forensic Image Krešimir Hausknecht, M.Sci.
PLEASE BE CAREFULL! This process will probably change your original evidence so please make sure that it is being done on a copy!! 2
VirtualBox & FTK Imager Install: 1. FTK Imager 2. VirtualBox • https://www.virtualbox.org/wiki/Downloads - VirtualBox 5.0.20 for Windows hosts x86/amd64 3
1. FTK Imager 1. File → Image Mounting 2. Select E01 image you want to mount 4
1. FTK Imager 3. Mount type: physical only 4. Mount method: block device/writeable 5. Write cache folder: C:tempVBox_cache • Choose a preferred destination cache folder 6. Mount – you will see which physical drive the image is mapped to • Note the Physical drive number, we’ll need that later… 5
6
2. Create a new folder For storing the virtual disk file later Eg. C:tempVbox_temp 7
3. Command prompt Run as administrator!! cd c:Program FilesOracleVirtualBox vboxmanage internalcommands createrawvmdk -filename C:tempVbox_tempimage.vmdk -rawdisk .physicaldriveX Replace the path, file name and physical drive accordingly 8
4. VirtualBox Run as administrator! Creating a new virtual machine: • Name: image • Type: Microsoft Windows • Version: <Select accordingly> • Memory size: 2GB RAM • Hard disk: use an existing virtual hard disk file → image.vmdk • File we created in the step before • START the machine • Cross you fingers! 9
10
Issues When dismounted and mounted again – doesn’t work! • Windows Error Recovery (Launch startup repair or start windows normally) • Delete the following folder: • C:Usersuser.VirtualBox • Repeat the procedure It will not always work  11
Questions Kresimir.hausknecht@insig2.eu https://hr.linkedin.com/in/kresimirhausknecht

More Related Content

PDF
Booting an image as a forensically sound vm in virtual box
Brent Muir
 
PDF
File System Implementation - Part1
Amir Payberah
 
PDF
Big Data: SQL on Hadoop from IBM
Cynthia Saracco
 
DOCX
How to configure flexible netflow export on cisco routers
IT Tech
 
PPT
Case study windows
Padam Banthia
 
PPTX
Window architecture
IGZ Software house
 
PPT
Linux Kernel Image
艾鍗科技
 
PPTX
Tabla comparativa de los sistemas operativos
Carlos Eduardo Roa Lalo
 
Booting an image as a forensically sound vm in virtual box
Brent Muir
 
File System Implementation - Part1
Amir Payberah
 
Big Data: SQL on Hadoop from IBM
Cynthia Saracco
 
How to configure flexible netflow export on cisco routers
IT Tech
 
Case study windows
Padam Banthia
 
Window architecture
IGZ Software house
 
Linux Kernel Image
艾鍗科技
 
Tabla comparativa de los sistemas operativos
Carlos Eduardo Roa Lalo
 

What's hot (20)

PDF
Linux Porting to a Custom Board
Patrick Bellasi
 
PPTX
file system in operating system
tittuajay
 
PDF
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
PDF
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
PPT
Windows Server 2008 R2 Overview
Alexander Schek
 
PDF
Bootloaders
Anil Kumar Pugalia
 
PDF
File system is full - what do i do
Nizar Fanany
 
PPT
Byte code jvm
myrajendra
 
PDF
Implementing role based access control on Web Application (sample case)
Deny Prasetia
 
PDF
5 p9 pnor and open bmc overview - final
Yutaka Kawai
 
PPTX
File system.
elyza12
 
PDF
Entendiendo el .NET Framework
Sorey García
 
PDF
LCU14 302- How to port OP-TEE to another platform
Linaro
 
ODP
File system hiearchy
sritolia
 
PDF
Mapa Mental Comandos Unix E Linux
Richar Por
 
PPTX
Introduction to HDFS
Bhavesh Padharia
 
PDF
Unix commands
selvamanisampath
 
PDF
HKG15-311: OP-TEE for Beginners and Porting Review
Linaro
 
PDF
File System Hierarchy
sritolia
 
PDF
SFO15-200: Linux kernel generic TEE driver
Linaro
 
Linux Porting to a Custom Board
Patrick Bellasi
 
file system in operating system
tittuajay
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
Windows Server 2008 R2 Overview
Alexander Schek
 
Bootloaders
Anil Kumar Pugalia
 
File system is full - what do i do
Nizar Fanany
 
Byte code jvm
myrajendra
 
Implementing role based access control on Web Application (sample case)
Deny Prasetia
 
5 p9 pnor and open bmc overview - final
Yutaka Kawai
 
File system.
elyza12
 
Entendiendo el .NET Framework
Sorey García
 
LCU14 302- How to port OP-TEE to another platform
Linaro
 
File system hiearchy
sritolia
 
Mapa Mental Comandos Unix E Linux
Richar Por
 
Introduction to HDFS
Bhavesh Padharia
 
Unix commands
selvamanisampath
 
HKG15-311: OP-TEE for Beginners and Porting Review
Linaro
 
File System Hierarchy
sritolia
 
SFO15-200: Linux kernel generic TEE driver
Linaro
 
Ad

Viewers also liked (10)

PDF
File000150
Desmond Devendran
 
PPTX
мобільні операційні системи [автосохраненный]
Vlad Onyk
 
PPTX
мобільні операційні системи [автосохраненный]
Vlad Onyk
 
PPT
Mac Forensics
CTIN
 
PPTX
Windows 8 Forensics & Anti Forensics
Mike Spaulding
 
PPT
Linux forensics
Santosh Khadsare
 
PDF
Windows 8.x Forensics 1.0
Brent Muir
 
PPT
WhatsApp Forensic
Animesh Shaw
 
PPTX
Windows 10 Forensics: OS Evidentiary Artefacts
Brent Muir
 
PPTX
Types of Irrigation
Pranamesh Chakraborty
 
File000150
Desmond Devendran
 
мобільні операційні системи [автосохраненный]
Vlad Onyk
 
мобільні операційні системи [автосохраненный]
Vlad Onyk
 
Mac Forensics
CTIN
 
Windows 8 Forensics & Anti Forensics
Mike Spaulding
 
Linux forensics
Santosh Khadsare
 
Windows 8.x Forensics 1.0
Brent Muir
 
WhatsApp Forensic
Animesh Shaw
 
Windows 10 Forensics: OS Evidentiary Artefacts
Brent Muir
 
Types of Irrigation
Pranamesh Chakraborty
 
Ad

Recently uploaded (20)

PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
KodekX | Application Modernization Development
KodekX
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Teaching material agriculture food technology
LiaRayya
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 

How to boot a VM form a Forensic Image

  • 1. How to boot a VM from a Forensic Image Krešimir Hausknecht, M.Sci.
  • 2. PLEASE BE CAREFULL! This process will probably change your original evidence so please make sure that it is being done on a copy!! 2
  • 3. VirtualBox & FTK Imager Install: 1. FTK Imager 2. VirtualBox • https://www.virtualbox.org/wiki/Downloads - VirtualBox 5.0.20 for Windows hosts x86/amd64 3
  • 4. 1. FTK Imager 1. File → Image Mounting 2. Select E01 image you want to mount 4
  • 5. 1. FTK Imager 3. Mount type: physical only 4. Mount method: block device/writeable 5. Write cache folder: C:tempVBox_cache • Choose a preferred destination cache folder 6. Mount – you will see which physical drive the image is mapped to • Note the Physical drive number, we’ll need that later… 5
  • 6. 6
  • 7. 2. Create a new folder For storing the virtual disk file later Eg. C:tempVbox_temp 7
  • 8. 3. Command prompt Run as administrator!! cd c:Program FilesOracleVirtualBox vboxmanage internalcommands createrawvmdk -filename C:tempVbox_tempimage.vmdk -rawdisk .physicaldriveX Replace the path, file name and physical drive accordingly 8
  • 9. 4. VirtualBox Run as administrator! Creating a new virtual machine: • Name: image • Type: Microsoft Windows • Version: <Select accordingly> • Memory size: 2GB RAM • Hard disk: use an existing virtual hard disk file → image.vmdk • File we created in the step before • START the machine • Cross you fingers! 9
  • 10. 10
  • 11. Issues When dismounted and mounted again – doesn’t work! • Windows Error Recovery (Launch startup repair or start windows normally) • Delete the following folder: • C:Usersuser.VirtualBox • Repeat the procedure It will not always work  11