Booting an image as a forensically-sound VM in VirtualBox
Brent Muir

Description: Booting a forensic image as a Virtual Machine (VM) with freeware and open source tools (VirtualBox)

Transcript

Page 1: Booting an image as a forensically-sound VM in VirtualBox

Brent Muir

Page 2: Virtual Machine: Forensics

Forensically-sound means that all steps are repeatable and the source data is not modified.
A VM allows for dynamic forensic analysis (e.g. some password recovery; NirSoft tools can be used).
A VM can be used to show exactly what the user saw.
This method is based on the research by Jimmy Weg (http://justaskweg.com).

Page 3: VirtualBox

All open source / freeware tools:
VirtualBox (v 4.2x)
FTK Imager (v 3.x)
Nordahl-Hagen NT Password Reset Boot CD (for blanking SAM passwords)
OpenGates (for hardware/driver issues)

Page 4: STEP 1: MOUNTING YOUR IMAGE

Using FTK Imager, mount your suspect's image as a physical disk (note which physical disk number it is allocated).

Page 5: STEP 2: CREATE & MODIFY A VM

To use VirtualBox you must create a blank .VMDK.
Open CMD and navigate to the VirtualBox program folder (C:\Program Files\Oracle\VirtualBox\).
Use the following command to create a VMDK file pointing to the physical disk of the mounted HD image:

VBoxManage internalcommands createrawvmdk -filename "path_to_wherever_you_want_to_store.vmdk" -rawdisk \\.\PhysicalDriveX

X being the physical drive number of the mounted image.

Page 6: STEP 2: CREATE & MODIFY A VM (continued)

Once the VMDK file has been created, open VirtualBox and create a new VM based on the suspect's machine.
Choose the same OS that was installed on the suspect's machine.

Page 7: STEP 2: CREATE & MODIFY A VM (continued)

Point to the newly created VMDK as the virtual HD.

Page 8: STEP 2: CREATE & MODIFY A VM (continued)

Remove the NIC.

Page 9: STEP 2: CREATE & MODIFY A VM (continued)

Close the Settings window.
Click on "Start" and, straight away in the VM console window, click on Machine > Take Snapshot.
Power off the VM (it won't boot properly anyway, as the physical drive is write-blocked).

Page 10: STEP 2: CREATE & MODIFY A VM (continued)

Go back into Settings and highlight the Storage options.
Remove the newly created VMDK file as the option and add the snapshot VMDK file instead (C:\Users\user_account\VirtualBox VMs\...\Snapshots\).

Page 11: STEP 3: BLANKING SAM PASSWORDS

In the Settings menu, add the NORDAHL-HAGEN boot ISO as a CD image.

Page 12: STEP 3: BLANKING SAM PASSWORDS (continued)

Start the VM.
Choose to boot from CD.
Follow the command prompts to blank the desired password(s) and reboot the VM.

Page 13: STEP 4: BOOTING YOUR VM

You should now be able to boot the image as a VM.
Ensure that you still have the image mounted under FTK Imager as the same physical disk number.
Essentially what you have done is create a VMDK reference file which points to the physical disk, and blank the SAM passwords on the HD (or, in this case, on the snapshot of the system OS).
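As an added example (not part of the slides), a small Python helper for Steps 1 to 4: it builds the Page 5 createrawvmdk command from the physical drive number that FTK Imager reported, and hashes the image file before and after the VM session so the "source data is not modified" claim from Page 2 is documented rather than assumed. The VBoxManage path is the one given on Page 5; the sample image is a constructed temp file, not a real evidence image.

```python
import hashlib
import os
import subprocess
import tempfile

# Program folder named on Page 5 of the slides; adjust if VirtualBox lives elsewhere.
VBOXMANAGE = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"


def raw_vmdk_command(vmdk_path, drive_number):
    """Build the Step 2 createrawvmdk command, pointing the VMDK at the
    PhysicalDrive index that FTK Imager allocated to the mounted image."""
    if not isinstance(drive_number, int) or drive_number < 0:
        raise ValueError("drive_number must be the non-negative PhysicalDrive index")
    return [VBOXMANAGE, "internalcommands", "createrawvmdk",
            "-filename", vmdk_path,
            "-rawdisk", r"\\.\PhysicalDrive%d" % drive_number]


def create_raw_vmdk(vmdk_path, drive_number):
    """Run the command (needs an elevated prompt on Windows); True on success."""
    return subprocess.run(raw_vmdk_command(vmdk_path, drive_number)).returncode == 0


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a (possibly very large) image file without loading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def image_unchanged(image_path, baseline_hash):
    """Repeatable check that the VM session left the source image untouched."""
    return sha256_file(image_path) == baseline_hash


def demo_on_constructed_image():
    """Constructed stand-in for a dd/E01 image: a temp file holding b'abc'.
    Returns (baseline digest, whether the post-session re-hash still matches)."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        baseline = sha256_file(path)                      # hash before mounting/booting
        return baseline, image_unchanged(path, baseline)  # re-hash after the session
    finally:
        os.remove(path)
```

Record both digests in the case notes alongside the PhysicalDrive number and the snapshot VMDK path, so the whole procedure can be repeated by another examiner.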

Page 14: OpenGates

Windows OSes often complain about hardware and system changes in relation to licensing/activation; this can result in an inaccessible VM.
OpenGates allows you to:
Patch the registry in order to enable legacy IDE drivers
Remove drivers that could conflict with the new hardware
Determine the HAL in use
If you encounter this issue, start the VM with the OpenGates ISO as the first boot option and follow the prompts.

Page 15: REFERENCES

Nordahl-Hagen NT Password Reset Boot CD - http://pogostick.net/~pnh/ntpasswd/
NTPWEDIT - http://cdslow.webhost.ru/ntpwedit/
OpenGates - https://www.pinguin.lu/index.php
VirtualBox - http://www.virtualbox.org
Weg, J. - http://justaskweg.com/