VMWare Workstation for Research and Validation

In my previous post I talked about the use of virtualization technology and how it is beneficial in the world of digital forensics.  One of the ways that many utilize virtual workstations is for research and validation.

Two of the advantages of virtualization are the ability to revert the workstation to a clean state by utilizing snapshots as well as the ability to quickly examine a virtual workstation in a read only mode without having to acquire a clone of the workstation. Continue reading

Virtualization in Digital Forensics

I have a been a proponent of virtualization both from a personal standpoint but also a business standpoint. My journey into the world of digital forensics is no exception. I have read several articles and listened to multiple podcasts that talk about the advantages of using virtualization for not only the forensic workstation being utilized by an examiner but also for research, testing, and validation.

Forensic workstations, research, and validation are exactly what I am using virtual machines running in VMWare Workstation to accomplish. Continue reading

Cloning Drives with Bad Sectors

I picked up an old Toshiba 2.5″ 40Gb laptop hard drive to use for practice cloning and analyzing drives with some free or low-cost forensic tools.  After connecting the drive to the WiebeTech Forensic UltraDock I was quickly able to see that the drive had 5 bad sectors. I attempted to acquire the clone of the drive utilizing FTK Imager on two different occasions but after waiting for several hours on each attempt the clone would  “freeze” after approximately 24.7Gb of the image had been acquired. I then attempted to clone the drive utilizing dcfldd within the SIFT 3.0 workstation and received the same results. A little online research and I learned about ddrescue as an option for achieving a clone of a drive with bad sectors. Continue reading

WiebeTech Forensic UltraDock v5.5 and VMWare Workstation 12.5

I am currently running my forensic workstation as a virtual machine within VMware Workstation 12.5.  I chose to do this for multiple reasons, some of which include snapshots to roll back the workstation, ability to test different forensic tools, test OSs for the workstation (Windows vs Linux), etc. Not to mention the cost associated with VMWare Workstation compared to having several machines running different OSs as well as the portability of it all

So far this setup has worked well as test bed for the start of my expedition.  There have been a few performance hurdles but nothing that a little patience wouldn’t take care of.  However today I ran into an issue that, although I was able to overcome is disappointing to say the least. Continue reading

Digital Forensic Certifications

A multitude of certifications exist related to digital forensics, incident response, and security. The quest to obtain some of those certifications is one focus of this blog.

Deciding on the correct certifications can often be a daunting task.  Michael Leclair over at the Digital Forensic Survival Podcast published Episode 22 regarding some of the certifications available and which ones to look into further depending on your own personal area of focus.

One of the certifications that Michael talks about is the SANS GIAC Certified Forensic Examiner (GCFE).  Although there are pros and cons to all certifications this one is at the top of my list right now.  Michael made some great points concerning tools specific certifications vs tool agnostic certifications.

You can find out more about the GCFE certification here.

Head on over to the Digital Forensic Survival Podcast website to listen to Episode 22 as well as check out the other episodes for some interesting information.