A good buddy of mine introduced me to LiveView, which creates virtual machines from dd images. There are a number of other programs out there that can do the same thing, but none seemed as smooth as LiveView.
One may be wondering why any of this is needed. Well, let's say you are inspecting a suspected or known compromised system. Good practice is to do nothing (or at least as little as possible) to the system in question. To preserve the system and get an image to work from, we make a raw binary image of its disk with dd. From there, we use LiveView to turn the dd image into a working virtual machine, and from the VM we can take a memory capture and/or begin any other forensics without touching the original hard drive. Two caveats are worth keeping in mind. First, memory captured from the VM reflects the VM you just booted, not the state of the original machine at the time of the incident, so if volatile memory matters, capture it on the live system before imaging. Second, imaging a mounted, running disk as in the steps below still touches the target a little (the SSH login and the dd process itself) and can yield a filesystem image that is not perfectly consistent, because files change while the copy runs; that is the trade-off for not powering the box off. LiveView can be found at http://www.cert.org/digital-intelligence/tools/liveview.cfm. You will need to install it on your Windows forensics system prior to continuing.
Below are the instructions my buddy wrote up for using the software.
1. Access the target from the forensics system (Linux) using SSH. The login shown is the one the prompt in step 2 reflects; substitute your own account and host name.
root@forensics:~# ssh user@target_sys
2. Elevate privileges
[user@target_sys ~]$ su -
3. Use dd to take a raw image of the target hard drive. The image is gzip-compressed in transit and written straight into the specified folder on the forensics system (Linux), so nothing is written to the target's own disk. The ssh destination is the forensics box (root@forensics, matching the prompts above); a larger block size than dd's 512-byte default speeds up the read.
[root@target-sys user]# dd if=/dev/sda bs=4M | gzip -1 - | ssh root@forensics dd of=/media/expanded/targetimage.gz
4. Once complete, break the SSH link to the target. This takes two separate exits: the first leaves the root shell opened by su, the second closes the SSH session (typing exit; exit on one line only runs the first, since the root shell is gone before the second can execute).
[root@target-sys user]# exit
[user@target_sys ~]$ exit
5. On the forensics system, verify that the file is present and that its size looks plausible for the disk you imaged.
root@forensics:~# cd /media/expanded/ && ls -l targetimage.gz
6. Extract the compressed file on the forensics workstation (Linux). This replaces targetimage.gz with the raw image targetimage, which is what LiveView will take as input.
root@forensics:~# gzip -d targetimage.gz
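Pulling steps 3 through 6 together, here is an added example that is not from the original post or from LiveView. It wraps the dd-over-ssh acquisition in two small shell functions and adds the integrity check the steps above leave out: a SHA-256 of the raw device bytes, computed on the target in the same pass as the copy, and then recomputed on the forensics box after decompression so you can prove the image you boot in LiveView is the one you took. The host names (target_sys, forensics), the mount point /media/expanded, and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post or from LiveView.
# Assumed names: target_sys, forensics, /media/expanded, and both functions.
set -eu

# image_device DEVICE
#   Run as root on the target. Reads DEVICE exactly once: the raw bytes go to
#   gzip (compressed image on stdout) and, via a FIFO, to sha256sum, whose
#   digest is printed on stderr so it lands on your terminal while stdout is
#   piped to ssh. Note what is deliberately absent: conv=noerror,sync, which
#   would silently zero-fill read errors and pad the last block to bs; use
#   ddrescue for failing media instead.
image_device() {
    device=$1
    tmpdir=$(mktemp -d)
    mkfifo "$tmpdir/raw"
    sha256sum < "$tmpdir/raw" >&2 &
    dd if="$device" bs=4M 2>/dev/null | tee "$tmpdir/raw" | gzip -1
    wait
    rm -rf "$tmpdir"
}

# verify_image IMAGE_GZ EXPECTED_SHA256
#   Run on the forensics box. Decompresses the transferred image and compares
#   the digest of the raw bytes with the one printed on the target.
#   Returns 0 when they match, 1 otherwise (a corrupt or truncated transfer).
verify_image() {
    image_gz=$1
    expected=$2
    actual=$(gunzip -c "$image_gz" | sha256sum | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Typical use. From the root shell on the target (replaces step 3 above):
#   image_device /dev/sda | ssh root@forensics 'cat > /media/expanded/targetimage.gz'
# The digest is printed on the target's terminal as "<hex>  -"; note it down.
# Then on the forensics box (steps 5 and 6), refuse to decompress a bad copy:
#   verify_image /media/expanded/targetimage.gz <hex> \
#       && gzip -d /media/expanded/targetimage.gz
```

Because the digest is taken from the same byte stream that feeds gzip, a mismatch on the forensics side can only mean the compressed file was damaged or truncated in transit; it cannot be blamed on the target changing between two reads of the disk.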
In part 2 of this tutorial, I will address the steps needed in LiveView to turn our dd image into a VM.