
Give Your Forensic Images the Boot, Part I

At its worst, incident response in the past consisted of someone with a little knowledge sitting down at the affected machine and poking around at its contents. Computer forensics has influenced the initial response, but you may still find quality information by taking a live look at a suspect machine. For instance, I have no idea where the settings are that affect how icons are arranged on the desktop, but by booting into the captured image I get to see and feel how the user environment was actually set up.

Booting the image into a virtual environment has other advantages. First, you can interact with the computer in a more natural and familiar way. Second, you have new software tools at your disposal that are designed to be run on a live machine. Third, some malware may only be detectable (or at least detectable more quickly) on a running computer.

With free options available to boot an image, this should be something every examiner has at his or her disposal. One option is LiveView, http://liveview.sourceforge.net/. LiveView does most of the work for you by creating the configuration files needed to launch your image in VMware; during installation it even prompts you to install the other software it relies on. All changes to the image are redirected so that the integrity of the image is preserved. In conjunction with VMware Server, which is also free, LiveView is an increasingly useful tool.
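To show what a tool like LiveView automates, here is an added Python example (not LiveView's or SANS's code): it writes a flat VMDK descriptor and a minimal .vmx for a raw dd image, marks the disk independent-nonpersistent so the guest's writes land in a redo log rather than in the image, and hashes the image so the value can be compared again after the VM is shut down. The .vmdk and .vmx keys are VMware's documented formats; the file names, memory size and the winxppro guest type are assumptions.

```python
import hashlib
import os

def sha256_file(path, chunk=1 << 20):
    """Hash the image before boot; re-run after shutdown and compare."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def vmdk_descriptor(image_path):
    """Flat VMDK descriptor whose single extent is the raw dd image itself."""
    size = os.path.getsize(image_path)
    if size % 512:  # raw images are addressed in 512-byte sectors
        raise ValueError("image size is not a whole number of 512-byte sectors")
    sectors = size // 512
    # Geometry is only a BIOS hint; VMware reads the real partition table.
    cylinders = max(1, sectors // (16 * 63))
    return "\n".join([
        "# Disk DescriptorFile", "version=1", "CID=fffffffe", "parentCID=ffffffff",
        'createType="monolithicFlat"', "",
        "# Extent description",
        f'RW {sectors} FLAT "{os.path.basename(image_path)}" 0', "",
        "# The Disk Data Base", "#DDB",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        'ddb.geometry.heads = "16"', 'ddb.geometry.sectors = "63"',
        'ddb.virtualHWVersion = "4"',
    ]) + "\n"

def vmx_config(display_name, vmdk_name, guest_os="winxppro"):
    """Minimal .vmx; independent-nonpersistent sends guest writes to a redo log."""
    return "\n".join([
        'config.version = "8"', 'virtualHW.version = "4"',
        f'displayName = "{display_name}"', f'guestOS = "{guest_os}"', 'memsize = "512"',
        'ide0:0.present = "TRUE"', f'ide0:0.fileName = "{vmdk_name}"',
        'ide0:0.mode = "independent-nonpersistent"',
    ]) + "\n"

def prepare_vm(image_path):
    """Write the .vmdk and .vmx beside the image and record its pre-boot hash."""
    base, _ = os.path.splitext(image_path)
    with open(base + ".vmdk", "w") as f:
        f.write(vmdk_descriptor(image_path))
    with open(base + ".vmx", "w") as f:
        f.write(vmx_config(os.path.basename(base), os.path.basename(base) + ".vmdk"))
    return {"vmdk": base + ".vmdk", "vmx": base + ".vmx",
            "sha256_before": sha256_file(image_path)}
```

After the VM is powered off, call sha256_file on the image again; a match confirms the redo log absorbed every write.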

Other options include using ProDiscover (a free version is available) to create your VMware configuration files or the commercially available Mount Image Pro and Virtual Forensic Computing to mount and boot your images.

One potential trap in booting into a live environment is Microsoft activation: Windows may detect the change in hardware and demand reactivation. Booting into safe mode may avoid this pitfall. Another option is to call Microsoft directly and explain the situation; many law enforcement examiners have had good luck getting new activation keys.

Part II of this article will show the complete step-by-step process, with screenshots, of booting forensic images. If you have never booted your forensic image and don't want to wait, give it a try and see what advantages it gives you.

Matt Churchill, GCFA #3934, CFCE, CCE, CISSP

SANS Digital Forensics and Incident Response Blog | Give Your Forensic Images the Boot, Part I | SANS Institute