VMDK Direct Access with VMWare Workstation – Hash Analysis

Previous posts outlined some of the benefits of using VMWare Workstation or other virtualization technology to host not only forensic analysis workstations as well as other workstations for test and validation. One of the advantages of utilizing VMWare Workstation is the ability for the host workstation to share a folder with guest workstations in read only mode.

This feature is especially appealing as a way to directly access and analyze the VMDK files of virtual test and validation workstations by a virtual forensic analysis workstation.

To verify that the VMDK file was not modified while utilizing the Read Only option for shared folders in VMWare Workstation I calculated the hash value of the VMDK file via multiple access methods. The results are shown below. Continue reading

Accessing VMWare Workstation Shared Folders with FTK Imager

In the previous posts we have looked at the ability to run test and validation workstations as well as a forensic examination workstations within VMWare Workstation.  The ability to map a drive from within the virtual forensic examination system to directly access the VMDK files of the test workstations was also discussed previously. Continue reading

VMWare Workstation for Research and Validation

In my previous post I talked about the use of virtualization technology and how it is beneficial in the world of digital forensics.  One of the ways that many utilize virtual workstations is for research and validation.

Two of the advantages of virtualization are the ability to revert the workstation to a clean state by utilizing snapshots as well as the ability to quickly examine a virtual workstation in a read only mode without having to acquire a clone of the workstation. Continue reading

Virtualization in Digital Forensics

I have a been a proponent of virtualization both from a personal standpoint but also a business standpoint. My journey into the world of digital forensics is no exception. I have read several articles and listened to multiple podcasts that talk about the advantages of using virtualization for not only the forensic workstation being utilized by an examiner but also for research, testing, and validation.

Forensic workstations, research, and validation are exactly what I am using virtual machines running in VMWare Workstation to accomplish. Continue reading

Currently Reading…

File System Forensic AnalysisFile System Forensic Analysis Cover

by Brian Carrier

I just started reading File System Forensic Analysis by Brian Carrier. This book appears on the recommended reading list of multiple blogs, websites, podcasts, and forum posts both for great information for those in the digital forensics field but also as a must read for anyone preparing for the GCFA or GCFE exam.

The book was published in 2005 but is still extremely relevant to the forensic world today.

Brian Carrier is the author of Autopsy and The Sleuth Kit forensic tools and as it is stated in the forward of this book, “a household name in the digital forensics community”.

I am looking forward to reading this book and although having only read the first chapter so far this book is very readable and should contain information for both the experienced examiner as well as those new to the world of digital forensics.

You can purchase the book in both print or Kindle format on Amazon Here.

Cloning Drives with Bad Sectors

I picked up an old Toshiba 2.5″ 40Gb laptop hard drive to use for practice cloning and analyzing drives with some free or low-cost forensic tools.  After connecting the drive to the WiebeTech Forensic UltraDock I was quickly able to see that the drive had 5 bad sectors. I attempted to acquire the clone of the drive utilizing FTK Imager on two different occasions but after waiting for several hours on each attempt the clone would  “freeze” after approximately 24.7Gb of the image had been acquired. I then attempted to clone the drive utilizing dcfldd within the SIFT 3.0 workstation and received the same results. A little online research and I learned about ddrescue as an option for achieving a clone of a drive with bad sectors. Continue reading

WiebeTech Forensic UltraDock v5.5 and VMWare Workstation 12.5

I am currently running my forensic workstation as a virtual machine within VMware Workstation 12.5.  I chose to do this for multiple reasons, some of which include snapshots to roll back the workstation, ability to test different forensic tools, test OSs for the workstation (Windows vs Linux), etc. Not to mention the cost associated with VMWare Workstation compared to having several machines running different OSs as well as the portability of it all

So far this setup has worked well as test bed for the start of my expedition.  There have been a few performance hurdles but nothing that a little patience wouldn’t take care of.  However today I ran into an issue that, although I was able to overcome is disappointing to say the least. Continue reading

Currently Reading…

basicsofdigitalforensicscoverThe Basics of Digital Forensics

by John Sammons

I am currently reading The Basics of Digital Forensics: The primer for Getting Started in Digital Forensics by John Sammons.

Just as the name implies this is a very basic introduction to digital forensics but is still an entertaining and quick read.

You can get your copy of this book from Amazon Here.

Note: The second edition of this book is available at Amazon Here


Security Tokens on XenDesktop

The use of USB Security Tokens with XenDesktop 5.6 FP1 poses some interesting challenges.  In this configuration XenDesktop was run on both Wyse Thin Clients as well as via Citrix Receiver on a PC.  The XenDesktop image would detect the USB token, a SafeNet iKey 2032; however the SafeNet application would not detect that the token was installed or read the certificate that was installed on the certificate.

After much research and testing of ideas proposed on websites regarding the way that the SafeNet application was installed or the disabling of the SmartCard service the resolution ended up being a resolution originally implemented in XenDesktop 3.0.

The following registry key needs to be changed for third party applications to access the USB Security Tokens or SmartCards.

  1. Open Regedit
  2. Browse to HKLM\Software\Citrix\CtxHook\AppInit_Dlls\Smart Card Hook
  3. Change the vale of the Flag key to “0″
  4. Restart the workstation

This change immediately resolved the issue with the SafeNet iKey 2032 token being accessed by the SafeNet Authentication Client.

Citrix Support Article: http://support.citrix.com/article/CTX123743/

CHM Files in Windows 7

The release of Microsoft Security Update 896358 prevented Windows 7 users from being able to open CHM Help files that are stored in network locations. To allow CHM files stored in network locations to be accessed from Windows 7 machines on the network the following registry change has to be made. Continue reading