This is part 2 of the tutorial on converting a DD image into a VM. The instructions below pick up from the point where you already have a DD image and have unzipped and uncompressed it. To finish the task, read on.
1. Copy targetimage from your Linux forensics system to your Windows forensics system.
2. To convert the raw file into a virtual machine with Live View, rename the targetimage raw file so that it carries a .dd extension (Live View looks for that extension):
root@forensics:~# mv targetimage targetimage.dd
3. Create a folder on the desktop of your Windows forensics system in which to put the VM after conversion.
4. Open the Live View 0.8 shortcut on the desktop.
5. When the program opens, make the following changes. Once complete, your screen should look like the screenshot below.
– RAM size: 1024 (default is 512)
– Operating system: Linux
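Before the image leaves the Linux forensics system for Live View, it is worth checking that it really is a raw whole-disk image and recording its hash, so that after the VM session you can show the evidence copy was not written to. The script below is an added example, not part of the original tutorial or of Live View: it checks for the boot-sector signature 0x55 0xAA at bytes 510-511 (present in an MBR and in GPT's protective MBR, absent from a still-compressed archive, an E01 container or a bare partition image), makes a working copy with the .dd extension, stores a SHA-256 beside it and later re-verifies it. Function names and the .work.dd naming are my own; the test image built in the usage is constructed, not real evidence.

```shell
#!/bin/sh
# Added example (not from the original tutorial or from Live View):
# pre-flight checks for a raw dd image before converting it to a VM.
# Assumes sha256sum, od, wc, cut and cp from coreutils. All names hypothetical.

# A whole-disk image (MBR, or GPT with its protective MBR) ends its first
# sector with the boot signature 0x55 0xAA at bytes 510-511. A file that is
# still gzip'd, an E01 container or a bare ext4 partition image will not.
is_raw_disk_image() {
  img="$1"
  [ -f "$img" ] || return 1
  [ "$(wc -c < "$img" | tr -d ' ')" -ge 512 ] || return 1
  sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
  [ "$sig" = "55aa" ]
}

# SHA-256 of a file, hex digest only.
hash_image() {
  sha256sum "$1" | cut -d' ' -f1
}

# Make the working copy that goes to Live View: identical content, .dd
# extension, hash recorded beside it. The original stays untouched as the
# evidence copy. Prints the path of the working copy on success.
prepare_for_liveview() {
  img="$1"
  is_raw_disk_image "$img" || { echo "not a raw whole-disk image: $img" >&2; return 1; }
  work="${img%.dd}.work.dd"
  cp "$img" "$work"
  hash_image "$work" > "$work.sha256"
  echo "$work"
}

# After the VM session: returns 0 if the working copy still matches the
# recorded hash, 1 if something (the VM, the tool, an accidental mount) wrote to it.
verify_image_unchanged() {
  work="$1"
  [ "$(hash_image "$work")" = "$(cat "$work.sha256")" ]
}

# Usage: sh liveview_precheck.sh targetimage   (prints the working copy path)
if [ "$#" -ge 1 ]; then
  prepare_for_liveview "$1"
fi
```

Run it once on the Linux side before copying the image to Windows, then run `verify_image_unchanged targetimage.work.dd` on the same file after you are done with the VM; a mismatch means the copy you booted is no longer byte-identical to what you imaged and should not be presented as the evidence image.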
A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There are a number of other programs out there that can do the same thing, but they didn't seem as smooth as LiveView is.
You may be wondering why all of this is needed. Let's say you are inspecting a suspected or known compromised system. Good practice is to do nothing (or as little as possible) to the system in question. To preserve the system and get an image to work from, we make a DD image, a raw bit-for-bit copy of the disk. From there, we can use LiveView to convert the DD image into a working virtual machine, boot it, take a memory capture and/or begin any other forensics on the system without touching the original hard drive. Keep in mind that memory captured from the VM reflects a fresh boot of the imaged disk, not the volatile state of the original machine at the time it was seized; if that state matters, capture it on the live system before imaging. Also work from a copy and hash the image before and after any VM session so you can show the evidence copy was not altered. LiveView can be found at http://www.cert.org/digital-intelligence/tools/liveview.cfm. You will need to install it on your Windows forensics system before continuing.
Below are the instructions my buddy wrote up for using the software.
1. Access the target from the forensics system (Linux) using SSH:
root@forensics:~# ssh user@target_sys
2. Elevate privileges:
[user@target_sys ~]$ su -