vfc user guide - MD5 Limited
Contents
1. Detailed information about VMware Tools is available within the VMware Workstation User's Manual on the VMware web site: http://www.vmware.com/pdf/ws80_using.pdf. Copyright 2005-2012 Michael A. Penhallurick MSc. System Restore: It is possible to utilise the in-built System Restore functionality of Windows XP and above to revert a machine to an earlier state. (Screenshot: the Start menu of the VFC New Virtual Machine running in VMware Workstation.)
2. The first drive shown should be our original VFC disk. Click OK. Clonezilla then asks: "Choose local disk as target. ALL DATA ON THE ENTIRE DISK WILL BE LOST AND REPLACED! The disk name is the device name in GNU/Linux. The first disk in the system is hda or sda, the 2nd disk is hdb or sdb. Press space key to mark your selection. An asterisk (*) will be shown when the selection is done." The remaining disk, our blank virtual disk target, will now be displayed. Check the device name and size carefully before confirming: source and target are distinguished only by their sda/sdb names and the warning above is literal. Click OK. The next screen (Clonezilla on-the-fly advanced extra parameters, mode: disk_to_local_disk) reads: "Set the advanced parameters (multiple choices available). If you have no idea, keep the default value and do NOT change anything. -fsck-src-part: Check and repair source file system before cloning." There should not be a need to run any disk check options, but if required they can be selected here. Click OK. Press Enter to continue. Further confirmation will be required to start the process; press Enter to continue.
3. VFC2 User Guide. Copyright 2005-2012 Michael A. Penhallurick MSc. All rights reserved. The information in this document is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by the author. The author assumes no responsibility or liability for any errors or inaccuracies that may appear in this document. The software described in this document is furnished under license on a subscription basis and may only be used or copied in accordance with the terms of such license. Certain advanced program features will cease to function once the subscription period expires. VMware is a trademark of VMware, Inc. and may be registered in certain jurisdictions. Microsoft and Microsoft Windows are trademarks of Microsoft Corporation that may be registered in certain jurisdictions. All other products or name brands are trademarks of their respective holders and are acknowledged. VFC IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW, WILL THE AUTHOR BE LIABLE TO YOU FOR DAMAGES,
4. The Virtual Machine Settings summary for the clone now shows: Memory 2.0 GB; Processors 1; Hard Disk (SCSI) 149.2 GB; New Hard Disk 149.2 GB (current size 18.8 MB; disk space is not preallocated for this hard disk and the contents are stored in a single file); CD/DVD (IDE) using an image file; Floppy using file vfc_floppy.flp; USB Controller present; Sound Card and Display auto-detect. I usually use ISO image files of CD/DVD media rather than physical discs. Click on the CD/DVD entry in the Virtual Machine Settings dialog (it should still be open from adding the disk), select "Use ISO image file" and navigate to the local host folder where your ISO image is located. In this example I am using clonezilla-live-1.2.12-10-i686-pae.iso, available from http://clonezilla.org. Leave "Connect at power on" ticked. To make the VFC VM boot from CD, simply
5. INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Table of Contents (extract): Host System is Windows 7 on a Boot Camp Mac Pro; Could Not Unload Registry. Overview: VFC (Virtual Forensic Computing) is a forensic application designed to handle a variety of hard disk drive sources (physical disk, bit-for-bit disk copy or forensic image file) and successfully transpose over 95% of such images into virtual machines without expensive physical hardware, disk caches or time-consuming conversion processes. VFC is designed predominantly to utilise user-mounted forensic whole-disk image files, which are then presented to the system as an available physical disk. This mounted disk is read-only and cannot be directly modified. VFC can also utilise write-blocked real physical disks, or bit-for-bit flat disk images, commonly referred to as RAW or DD images. Without the use of a write-block device, original disks
6. Mount Image Pro: Installing. Please wait while Setup installs Mount Image Pro on your computer (files are extracted to C:\Program Files (x86)\GetData\Mount Image Pro v4\). The installation may take several minutes. Completing the Mount Image Pro Setup Wizard: Setup has finished installing Mount Image Pro on your computer. The application may be launched by selecting the installed icons. Click Finish to exit the installation wizard. The Mount Image Pro window (v4.59.853, Evaluation Version) shows a Mounted Images list (Filename, Files, Partition, As, Label, File System, Date Acquired, Examiner, Case No., Evidence No., Acquiring Program, Description) and an Image Details pane (Filename, Image Properties, Partitions). Mount Image Pro requires a license registration key or a license dongle (separate from the VFC dongle), but it can work in Evaluation Mode for up to 15 days. Change Application Shortcuts to "Always run as administrator": When all relev
7. VFC is designed to be a forensic application and does not add any network support to the New Virtual Machine, to ensure it remains isolated from the real world. It is possible to add network support and hence connect to other networks, including the Internet, but this is not recommended. Adding network support is currently a manual process undertaken at the discretion of the user. Can I transfer data between the New Virtual Machine and my own system? You can use virtual or real floppy disks and USB devices, and you can even connect a physical data disk as a raw device and write directly to that disk. You can also use CD/DVD media or ISO files to read data into the New Virtual Machine. If VMware Tools have been installed, you can drag and drop from the VFC virtual machine to your own host machine and vice versa. NB: Not all of these methods are readily available with the standalone VMware Player. Why does the New Virtual Machine need to be activated? Windows XP and above may require activation due to the number of hardware changes that are inevitable when changing between a physical and a virtual environment. Not all machines can successfully be activated, but all machines should be able to be accessed in Safe Mode, and this will enable at least a partial interaction with the original desktop. Can I create additional snapshots? Yes, VFC allows the VM to create multiple snapshots
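Because network support is added by hand, the check an examiner wants before handing a VM to anyone is whether a .vmx has grown an adapter. The following is an added example (not VFC's own code, and the sample .vmx text is constructed, not taken from the guide): it parses a VMware .vmx, lists any ethernetN.present = "TRUE" entries, and produces a copy with them switched off. The key names are VMware's own; treating a missing connectionType as bridged reflects VMware's documented default.

```python
"""Check a VFC-generated .vmx for network adapters.

Added example (not VFC's code). A VMware .vmx is a flat file of key = "value"
lines; a virtual NIC exists when ethernetN.present = "TRUE". An isolated
forensic VM should have no such entry, so this script lists any adapter it
finds and can emit a copy of the file with every adapter switched off.
"""
import re

# Constructed sample .vmx (not from the guide): a VFC-style VM to which a NIC has been added.
SAMPLE_VMX = '''\
.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "8"
displayName = "VFC New Virtual Machine"
guestOS = "winxppro"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "New Virtual Disk-000002.vmdk"
floppy0.fileName = "vfc_floppy.flp"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "FALSE"
'''

_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_vmx(text):
    """Return (key, value) pairs in file order; blank lines and # comments are skipped."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def active_network_adapters(pairs):
    """Map adapter name -> connectionType for every ethernetN.present = TRUE."""
    present = {k.split(".")[0] for k, v in pairs
               if k.startswith("ethernet") and k.endswith(".present") and v.upper() == "TRUE"}
    types = {k.split(".")[0]: v for k, v in pairs if k.endswith(".connectionType")}
    # VMware uses bridged networking when connectionType is absent (its documented default).
    return {nic: types.get(nic, "bridged (default)") for nic in sorted(present)}


def isolate(text):
    """Copy of the .vmx with every ethernetN.present forced to FALSE; other lines untouched."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).startswith("ethernet") and m.group(1).endswith(".present"):
            out.append('%s = "FALSE"' % m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nics = active_network_adapters(parse_vmx(SAMPLE_VMX))
    print("adapters found:", nics if nics else "none, VM is isolated")
    print(isolate(SAMPLE_VMX))
```

Run it against the .vmx VFC generated before copying a VM anywhere; an empty result is what you want. Forcing present = "FALSE" rather than deleting the lines keeps the rest of the file byte-for-byte as VFC wrote it, which makes the edit easy to review.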
8. environment for The Risk Advisory Group, based in the centre of London. In both roles he was responsible for undertaking and overseeing major criminal investigations into a variety of criminal activities, ranging from indecency through to fraud and murder. He was also responsible for ensuring the smooth day-to-day running of the unit, including staff development and identification of training needs, as well as liaison with external agencies such as the Crown Prosecution Service, the Probation Service and the Courts, and regular client conferences. Michael has been involved in computing in general since 1986 and, prior to joining the Police Service, he lived and worked in Dubai, United Arab Emirates, as a freelance computer systems consultant for both small and large businesses, including financial advisors, several oil companies, an aerial survey company, the Dubai Ports Authority and the Government of Dubai Water Department. Michael has been involved in Forensic Computing since 1997 and has had extensive training and first-hand use of the Vogon, Encase, AccessData and iLook suites of forensic tools. Download Links: VMware Workstation 8.0.2: http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_workstation/8_0. VMware Player 4.0.2: http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_player/4_0. VMware VDDK: http://www.vmware.com/support/developer/vddk/. Mount Image
9. the VFC VM. This may result in a 0x7B (INACCESSIBLE_BOOT_DEVICE) BSOD. If so, use the Restore Points methodology to try to re-inject the necessary parameters into the VFC VM. If the machine cannot be launched, with a "Cannot open the disk" error, follow the steps as above to resolve the snapshot time-stamp issue. Frequently Asked Questions. Which disk formats are supported by VFC? VFC continues to develop and currently supports:
- forensic image files mounted using Mount Image Pro v2, v3 and v4;
- forensic image files mounted using AccessData FTK Imager 3;
- forensic image files disk-emulated using Guidance Software Encase PDE (Physical Disk Emulator);
- write-blocked original physical disks (IDE, SATA, USB, IEEE1394);
- Unix-style uncompressed dd images; and
- Vogon format uncompressed .img images.
Which systems can be booted using VFC? VFC has been used to successfully boot Windows 3.1, Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Linux (experimental) and Mac OS X 10.5 and above (experimental). What do I need to run VFC? VFC utilises the freely available VMware Player and VMware Disk Mount Utility, in conjunction with Mount Image Pro, to mount forensic image files. VFC requires Windows XP or higher and also requires that you be logged in with Administrator-level privileges. Do I need to have Mount
10. From the VM menu choose Snapshot > Take Snapshot, or open the Snapshot Manager (Ctrl+M). In the example the manager lists "1 VFC Baseline" (31/01/2012 07:47:30) and "2 VFC2 11.11.11" (31/01/2012 07:47:30), with the description "VM generated by VFC 2.11.11 from physical disk PhysicalDrive1". Taking a snapshot lets you preserve the state of the virtual machine so that you can return to the same state later. NB: The snapshot feature is not available in VMware Player. You can now copy the entire folder containing your cloned VFC VM to a suitable medium for transfer to the client. The folder will contain files such as:
- New Virtual Machine.vmx and New Virtual Machine.vmx.lck
- vfc_floppy.flp (1,440 KB)
- New Virtual Machine VFC2.log (2 KB), vmware.log, vmware-0.log, vmware-1.log, vmware-2.log
- Clone of New Virtual Machine.vmdk (9,282,740 KB)
- Clone of New Virtual Machine-000001.vmdk (19,200 KB)
- New Virtual Disk.vmdk (1 KB), New Virtual Disk-000001.vmdk (58,880 KB), New Virtual Disk-000002.vmdk (65,600 KB)
- New Virtual Machine.vmsd (2 KB), New Virtual Machine.vmxf (1 KB)
- Microsoft Windows XP.nvram (9 KB)
11. System Restore. When utilising this functionality, any changes made to the system by VFC, and any subsequently installed applications such as VMware Tools, will be removed. Undoing the VFC changes will cause a 0x7B BSOD (Blue Screen of Death, INACCESSIBLE_BOOT_DEVICE) part-way through the process. This is expected behaviour. The VFC New Virtual Machine shows: "A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer. Technical information: STOP: 0x0000007B (0xF78E6640, 0xC0000034, 0x00000000, 0x00000000)". When the system crashes it will likely go into a cyclical reboot, and the VM then displays the Windows "We apologize fo
12. After System Restore Point of 12 July 2010. Creating a standalone Virtual Machine from a VFC VM. On occasion it may be necessary to create a standalone copy of a VFC VM for a client who does not have access to mounting utilities such as MIP or the main VFC program. NB: When using the following methods to create a copy VFC VM, unless snapshots are carefully used the forensic integrity of the methodology will be compromised, as the standalone machine cannot be readily recreated and returned to its initial state. Standalone VFC VM using a DD image. The most direct way of creating a standalone VFC VM, which can be run within the VMware platform without further requirement for the VFC application or any third-party forensic image mounting utilities, is simply to use raw dd images as the source device rather than a physical drive (mounted or real). Since no mounting utilities have been employed, the resultant VFC VM files, along with the original dd images, can be transferred to any suitably large storage device. The only requirement will be that the client has access to at least VMware Player in order to open the relevant .vmx file and launch the virtual machine. It should be noted that advanced features available from VFC, such as Password Bypass, will not be available, and as such the appropriate logon credentials will be required or alternate means w
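The standalone dd-based VM works because VMware can open a raw image directly through a descriptor file. The following is an added example, not VFC's generator (the files VFC itself writes may differ): it produces the two text files VMware Player needs next to a raw image, a monolithicFlat .vmdk descriptor whose single RW FLAT extent names the image, and a minimal .vmx. The 255/63 geometry, the IDE adapter, the guest type winxppro and the file names are assumptions for illustration. The disk mode independent-nonpersistent is my addition, chosen because without it the RW extent lets the guest write straight into the evidence file; in that mode VMware sends guest writes to a redo log it discards at power-off, which is the standalone equivalent of the snapshot discipline the guide asks for.

```python
"""Present a raw dd image to VMware as a standalone virtual disk.

Added example, not VFC's generator. Writes a VMware "monolithicFlat" descriptor
(one RW FLAT extent that names the raw image) and a minimal .vmx next to the
image. The disk mode independent-nonpersistent sends every guest write to a
redo log that VMware discards at power-off, so the dd file itself stays
untouched; mark the file read-only on the host as well for belt and braces.
"""
import os

SECTOR = 512
HEADS, SECTORS = 255, 63   # assumed legacy geometry; should match the MBR geometry of the imaged disk


def flat_descriptor(image_name, image_bytes, adapter="ide"):
    """Text of the .vmdk descriptor for a raw image of image_bytes bytes."""
    if image_bytes % SECTOR:
        raise ValueError("raw image is not a whole number of 512-byte sectors")
    sectors = image_bytes // SECTOR
    cylinders = sectors // (HEADS * SECTORS)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{image_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS}"',
        'ddb.virtualHWVersion = "8"',
    ]
    return "\n".join(lines) + "\n"


def minimal_vmx(vmdk_name, guest_os="winxppro", memory_mb=512, display_name="Standalone VFC VM"):
    """Minimal .vmx for VMware Player. No ethernetN keys, so the guest has no network."""
    lines = [
        '.encoding = "windows-1252"',
        'config.version = "8"',
        'virtualHW.version = "8"',
        f'displayName = "{display_name}"',
        f'guestOS = "{guest_os}"',
        f'memsize = "{memory_mb}"',
        'ide0:0.present = "TRUE"',
        f'ide0:0.fileName = "{vmdk_name}"',
        'ide0:0.mode = "independent-nonpersistent"',  # writes go to a redo log, dropped at power-off
    ]
    return "\n".join(lines) + "\n"


def write_standalone(dir_path, image_name):
    """Write <stem>.vmdk and <stem>.vmx beside an existing raw image; returns the .vmx path."""
    size = os.path.getsize(os.path.join(dir_path, image_name))
    stem = os.path.splitext(image_name)[0]
    vmdk_name, vmx_path = stem + ".vmdk", os.path.join(dir_path, stem + ".vmx")
    with open(os.path.join(dir_path, vmdk_name), "w", newline="\n") as f:
        f.write(flat_descriptor(image_name, size))
    with open(vmx_path, "w", newline="\n") as f:
        f.write(minimal_vmx(vmdk_name))
    return vmx_path


if __name__ == "__main__":
    print(flat_descriptor("evidence.dd", 160041885696))   # a 160 GB image, for illustration
```

Place evidence.dd, evidence.vmdk and evidence.vmx in one folder and open the .vmx in VMware Player. If the client needs changes to persist between sessions, drop the mode line and take a Workstation snapshot before first power-on instead; never run the RW extent against the only copy of the image without one of the two.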
13. VFC 2.10.10.4, Restore Point Forensics. Tabs: VFC Main | Modify Hardware | Restore Points | Password Bypass | About VFC. Windows Restore Point Forensics: This function will patch an existing VM after using System Restore to rewind the system to an earlier date. Within a running VM (XP or above) simply use the built-in System Restore function to rewind the machine to an earlier date. During the reboot stage the system WILL most likely crash with a 0x7B error. This is expected behaviour. When this happens, Power Off the VM, then use this screen to select the VM, disk and partition. Once selected, apply the appropriate patches and fixes and then restart the VM. You will need to re-install VMware Tools and re-activate (if required) after the restore process completes. Example selection: D:\VFC DEMO\VFC New Virtual Machine.vmx; New Virtual Disk-000002.vmdk; Volume 1, 142742 MB, HPFS/NTFS.
14. bootable partition present on the disk. This is most common with disks that have been used for data storage only, such as external hard disks or secondary storage devices, or with disks that do not have a standard MBR, such as Mac OS X GUID Partition systems. Rarely, you may need to reboot the host machine and remount the drive before it is correctly detected by VFC. This may happen when a large number of disk images have been mounted and dismounted and multiple machines have been generated. To display non-bootable drives simply select the "Display Non-Bootable" option located in the upper right of the drive selection dialog. By default VFC utilises a method of calculation for CHS values based on reading the MBR and then calculating Cylinders, LBA, Heads and Sectors. MIP3 and MIP4 use an alternate method of calculation, which may result in a different set of values for the resultant CHS. The MIP calculation can be utilised by un-checking "Use MBR Geometry for MIP disks". Although MIP may mount the disk correctly and logical drives may be accessed via Windows Explorer, it has been noted that the default MIP calculation may cause the subsequently generated VFC VM to fail to boot. Using the MBR method, the same machine will successfully start. View Sectors. The View Sectors option enables the user to quickly examine the disk contents in read-only hex format. There are options available to
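The guide does not say how VFC reads geometry from the MBR, so the following is an added example of the standard approach, not VFC's code: the four 16-byte partition entries at offset 446 of the first sector carry each partition's first and last sector in packed CHS form, and for a disk laid out on legacy cylinder boundaries the end-CHS of a partition yields heads-1 and sectors-per-track directly; cylinders then follow from the disk's total LBA count. Disks that ignore CHS (GPT, or modern 1 MiB alignment) give unusable values, which is where the 255/63 fallback applies and why two tools can disagree. The sample MBR is constructed, not real evidence; its second partition reuses the LBA figures visible in the Clonezilla output later in this guide, and bytes 0-445 are the "boot loader executable code area" Clonezilla offers to copy.

```python
"""Derive CHS geometry from an MBR, the approach the guide attributes to VFC.

Added example, not VFC's code; how VFC itself reads the MBR is not documented
here. The four 16-byte partition entries at offset 446 record each partition's
first and last sector in packed CHS form. For a disk laid out on legacy
cylinder boundaries the end-CHS of a partition gives heads-1 and sectors per
track directly; cylinders then follow from the disk's total LBA count. GPT or
1 MiB-aligned disks give unusable values, so the function falls back to the
usual 255/63. Offsets 0-445 are the boot code Clonezilla offers to copy.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # "boot loader executable code area"
PT_OFFSET = 446              # partition table, 4 x 16 bytes
SIGNATURE = b"\x55\xaa"      # bytes 510-511


def decode_chs(b):
    """Unpack a packed 3-byte CHS field into (cylinder, head, sector)."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs."""
    return bytes([head & 0xFF, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def lba_to_chs(lba, heads=255, spt=63):
    """LBA -> CHS; anything past cylinder 1023 is clamped to (1023, 254, 63) as fdisk does."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return (cyl, head, sec + 1) if cyl <= 1023 else (1023, 254, 63)


def parse_mbr(mbr):
    """Non-empty partition entries as dicts; raises ValueError without a 55AA signature."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, s_chs, ptype, e_chs, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "start_chs": decode_chs(s_chs), "end_chs": decode_chs(e_chs),
                      "start_lba": lba, "sectors": count})
    return parts


def geometry_from_mbr(mbr, total_sectors):
    """(cylinders, heads, sectors) from the MBR entries, or the 255/63 default if unusable."""
    parts = parse_mbr(mbr)
    heads = max((p["end_chs"][1] for p in parts), default=0) + 1
    spt = max((p["end_chs"][2] for p in parts), default=0)
    if not parts or heads < 2 or spt == 0:
        heads, spt = 255, 63
    return total_sectors // (heads * spt), heads, spt


def build_sample_mbr():
    """Constructed sample (not real evidence): two NTFS partitions on a 312,581,808-sector disk."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\xEB\xFE"                          # stand-in boot code (jmp $)
    entries = [(0x80, 63, 292334742), (0x00, 292334805, 20241900)]   # (status, start LBA, size)
    for i, (status, start, count) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", status, encode_chs(*lba_to_chs(start)),
                                        0x07, encode_chs(*lba_to_chs(start + count - 1)),
                                        start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_mbr(sample):
        print(p)
    print("geometry C/H/S:", geometry_from_mbr(sample, 312581808))
```

Feed the first 512 bytes of a mounted disk or dd image to parse_mbr and compare geometry_from_mbr against what the mounting tool reports; when the two differ, the guide's advice to prefer the MBR figures is the one to follow, and the sample shows why a first partition starting at LBA 63 pins the layout to 63 sectors per track.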
15. mode. For Windows XP (Service Pack 3). Settings: Run in 256 colors; Run in 640 x 480 screen resolution; Disable visual themes; Disable desktop composition; Disable display scaling on high DPI settings. Privilege Level: Run this program as an administrator. Check the "Run this program as an administrator" option and click OK. Repeat these steps for the desktop icons and Quick Launch icons (if applicable) for the VFC and MIP applications. VFC Step by Step. Mount a forensic whole disk image. There are several methods by which a forensic whole disk image can be mounted; the author's preferred mounting tool is Mount Image Pro and its drag-and-drop mode, whereby the first image file (.E01) is dragged into an open MIP session and mounted as a physical disk (no associated drive letter). In the Mount Image Pro v4.59.853 "Mount Disk Image or Device" dialog the example shows G:\VFC DEMO\Evidence Files\VFC_DEMO.E01 with Drive letter: First available, Mount As: Physical only, Access Mode: Read Only.
16. power on the machine, give the machine focus by using the mouse to click inside the VM, and then press the ESC key once. The following Boot Menu will be displayed: 1. Removable Devices; 2. Hard Drive; 3. CD-ROM Drive; <Enter Setup>. Simply use the cursor keys to select option 3 (CD-ROM Drive) and press Enter. The machine will now boot from your CD-ROM/ISO file and you will see the following screen, or similar, dependent on the version that is current when you perform these steps. The Clonezilla live boot menu (NCHC Free Software Labs, Taiwan) offers: Clonezilla live (Default settings); Other modes of Clonezilla live; Local operating system in harddrive (if available); memtest & FreeDOS; Network boot via iPXE. Press Enter to boot with default options, or wait for the boot timer to finish. Choose language: "Which language do you prefer?" (the list includes de_DE.UTF-8 German, Spanish, French, Italian, Japanese, Brazilian Portuguese, Russian, Chinese Simplified and Chinese Traditional). Select the preferred language; the default is English. Configuring console-data: "The keymap records the layout of symbols on the keyboard. Select keymap from arch list / select one of the pred
17. to connect this disk to your own system; otherwise your host system will almost certainly try to write to the physical disk, and this will change the evidence. Does VFC support partition-only images? Yes, partition image support is included. Development continues to implement multi-partition image support. Does VFC support multi-boot systems? Full multi-boot system support is under development. I've used VFC but still get a BSOD halfway through the boot sequence. It may be necessary to boot into Safe Mode and disable services specific to the original hardware, such as:
- NVidia or ATI graphics drivers;
- custom audio drivers; or
- OEM-specific utilities.
Do I need to install the drivers for the newly detected hardware? It is not absolutely necessary to install these drivers; however, the virtual machine may not function properly without them, and you may find that the CD, mouse or floppy disk (for example) do not function at all. It is recommended that you let the VM detect and install the necessary files. How can I improve the performance of the New Virtual Machine? If you are using VMware Workstation, VMware Server, or VMware Player 3 or above, you can install the VMware Tools package to improve the performance of your virtual machine. This option is not directly available with the standalone VMware Player 2 or earlier. Can I access the Internet from the New Virtual Machine?
18. (Screenshot: the VFC New Virtual Machine at the Windows XP welcome screen, "To begin, click your user name", with the Administrator account, "Type your password", and a "Log On to Credential Manager" prompt.) If the user account is password protected, it is possible on Windows NT and above to bypass the logon password by utilising the Password Bypass feature. Password Bypass. VFC incorporates an innovative method of access to user accounts in a virtual environment with the introduction of Password Bypass. Simply suspend the virtual machine when at the logon prompt, use VFC to select the required .vmx file and then choose "Authenticate All Users". VFC 2.10.10.4, Password Bypass. Tabs: VFC Main | Modify Hardware | Restore Points | Password Bypass | About VFC. Windows Password Bypass: This function requires a VMware suspended virtual machine created with VFC2. This procedure has been tested on WinNT, Win2k, WinXP, Vista, Windows 7, Server 2003 and Server 2008. Once the patch has been success
19. /dev/sdb ... The start of the NTFS partition ... adjusting filesystem geometry for the NTFS partition. Running partclone.ntfsfixboot -w -h 255 -t 63 -s ... (ntfsfixboot version 1.0) ... done. Clonezilla then reports: "If you want to use Clonezilla again: (1) Stay in this console (console 1), enter command line prompt; (2) Run command 'exit' or 'logout'. When everything is done, remember to use 'poweroff' or follow the menu to do a normal poweroff/reboot procedure. Otherwise, if the boot media you are using is a writable device, such as a USB flash drive, and it's mounted, poweroff/reboot in abnormal procedure might make ... Press Enter to continue. ocs-live-general is finished. Now you can choose to: 0 Poweroff; 1 Reboot; 2 Enter command line prompt; 3 Start over." We can now select option 0 (Poweroff) to shut down the virtual system. The console then shows the normal shutdown: "INIT: Switching to runlevel: 0 ... INIT: Sending processes the TERM signal ...".
20. The remaining entries of the partition table are shown as "0 0 0 Empty". Clonezilla reports: "Successfully wrote the new partition table. Re-reading the partition table ... sd 1:0:1:0: [sdb] Cache data unavailable; Assuming drive cache: write through; sdb: sdb1 sdb2. If you created or changed a DOS partition, /dev/foo7, say, then use dd(1) to zero the first 512 bytes: dd if=/dev/zero of=/dev/foo7 bs=512 count=1 (See fdisk(8).) This is done by: sfdisk --force -C 19476 -H 255 -S 63 /dev/sdb < /tmp/ocs_onthefly_local.KBjdFM/tgt-pt.sf". It then checks the integrity of the partition table in /dev/sdb ("done") and continues: "The first partition of disk /dev/sdb starts at 63, i.e. 512 bytes * 63. Copying the hidden data between the MBR (1st sector, i.e. 512 bytes) and the 1st partition, which might be useful for some recovery tool, by: dd if=/tmp/ocs_onthefly_local.KBjdFM/tgt-hidden-data.img of=/dev/sdb seek=1 bs=512 count=62. 62+0 records in, 62+0 records out, 31744 bytes (32 kB) copied, 0.00197847 s, 16.0 MB/s." Finally: "Do you want to clone the boot loader (executable code area, the first 446 bytes) to sdb?" We want the whole image including the boot loader, so press y then Enter to continue. The table shown for reference lists partition 2 as 292334805 to 312576704 (20241900 sectors, type 7 HPFS/NTFS/exFAT), followed by two "0 0 0 Empty" entries, and the message "Successfully wrote the
21. VMware Workstation Setup, Ready to Perform the Requested Operations: Click Continue to begin the process. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard. Clicking Continue will start the installation process. Performing the Requested Operations: Please wait while the wizard performs the requested operation. This may take several minutes. Status: Installing packages on the system. The installation can take several minutes. Enter License Key (optional): You can enter this information later. VMware Workstation requires a license registration key, but can work in trial mode for up to 30 days. Setup Wizard Complete: The setup wizard has successfully completed its operations related to VMware Workstation 8. Click Finish to exit the installation wizard. Installation of VMware VDDK. It is highly recommended that the latest version of the VMware VDDK is used. (Screenshot: Windows Explorer showing the VFC2 Retail Install folder on a 32GB USB drive.)
22. Start System Restore within the VFC New Virtual Machine. The calendar shows the available restore points; in the example the selected restore point is 12 July 2010, 21:17, "Installed iTunes". Confirm Restore Point Selection: "This process does not cause you to lose recent work, such as saved documents or e-mail, and is completely reversible. During the restoration, System Restore shuts down Windows. After the restoration is complete, Windows restarts using the settings from the date and time listed above. Important: Before continuing, save your changes and close any open programs. System Restore may take a moment to collect information about the selected restore point before shutting down your computer. To restore your computer to this date and time, click Next."
23. Applications Inc. [ ] Always trust software from Microcomputer Applications Inc. "You should only install driver software from publishers you trust. How can I decide which device software is safe to install?" Click Install. Device Driver Installation Wizard: The drivers are now installing. Please wait while the drivers install. This may take some time to complete. Completing the Device Driver Installation Wizard: The drivers were successfully installed on this computer. You can now connect your device to this computer. If your device came with instructions, please read them first. Driver Name: KEYLOK usbkey (USB); Status: Ready to use. Click Finish. KEYLOK Security Key Installer: Install Success. Please attach the USB dongle to complete installation. Click Close. You can now insert the VFC green dongle and it will be recognised, or you can run the VFC License Manager (either green or white dongle). The VFC License Manager. The VFC License Manager is used to refresh the dongle data when the subscription has been renewed on a registered dongle. The License Manager requires access to the Internet and utilises the settings set within Internet Explorer on your host system. If you attempt to run the VFC License Manager without the Dongle Driv
24. Image Pro or Encase? No. VFC is wholly capable of using physical disks or dd images. Mount Image Pro is only required if you have forensic evidence files in the Expert Witness Format which you would like to access outside of any forensic suite. Encase is only required if you wish to utilise the Encase PDE in order to emulate a physical disk. How do I use VFC? VFC is as easy to use as 1-2-3: 1. Mount the evidence file or attach the write-blocked physical disk. 2. Select the disk (or dd image) and the relevant partition. 3. Generate the machine and use the Launch feature to start it in VMware. What limitations does VFC have? VFC will successfully boot 95% of the Windows-based disk images it is presented with. VFC cannot dynamically fix machines that are broken and unable to be booted in the original machine. Similarly, VFC cannot bypass software protection that is linked or licensed to the original hardware. Will booting an image using VFC alter the original evidence? VFC dynamically creates a custom disk cache and directs all subsequent reads and writes through this disk cache. The original evidence is only ever read and cannot be directly written to. Additionally, mounted or emulated forensic image files are opened read-only by default, as are dd and img disk image files. NB: If you are using physical disks it is imperative that you use a hardware write-blocking device
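The disk-cache answer above is the core integrity claim, so it is worth seeing the mechanism in miniature. The following is an added example illustrating the copy-on-write principle, not VFC's own cache implementation: reads consult an overlay first and fall through to the read-only base, writes land only in the overlay, and the base is hashed before and after a session to show it never changed. The class, its method names and the sample image bytes are constructed for illustration.

```python
"""Copy-on-write disk cache in miniature.

Added example illustrating the principle in the FAQ answer, not VFC's own cache
implementation. Reads consult the overlay first and fall through to the
read-only base; writes land only in the overlay. Hashing the base before and
after a session is the check that demonstrates the evidence never changed.
"""
import hashlib

SECTOR = 512


class CowDisk:
    """A sector-addressed disk whose base bytes are never modified."""

    def __init__(self, base):
        self._base = bytes(base)          # the evidence (a dd image or write-blocked disk in practice)
        if not self._base or len(self._base) % SECTOR:
            raise ValueError("base image must be a non-empty multiple of 512 bytes")
        self._overlay = {}                # sector number -> 512 bytes written by the guest

    @property
    def sectors(self):
        return len(self._base) // SECTOR

    def _check(self, lba, count):
        if lba < 0 or count < 1 or lba + count > self.sectors:
            raise IndexError("request runs off the end of the disk")

    def read(self, lba, count=1):
        """Return count sectors starting at lba, preferring overlay copies."""
        self._check(lba, count)
        out = []
        for n in range(lba, lba + count):
            if n in self._overlay:
                out.append(self._overlay[n])
            else:
                out.append(self._base[n * SECTOR:(n + 1) * SECTOR])
        return b"".join(out)

    def write(self, lba, data):
        """Store whole sectors in the overlay; the base is never touched."""
        if len(data) % SECTOR:
            raise ValueError("writes must be whole sectors")
        count = len(data) // SECTOR
        self._check(lba, count)
        for i in range(count):
            self._overlay[lba + i] = bytes(data[i * SECTOR:(i + 1) * SECTOR])

    def discard(self):
        """Drop every guest write: the equivalent of reverting to a baseline snapshot."""
        self._overlay.clear()

    def dirty_sectors(self):
        return sorted(self._overlay)

    def base_digest(self):
        """SHA-256 of the base; compare before and after a session to prove it was only read."""
        return hashlib.sha256(self._base).hexdigest()


def session_preserves_base(disk, lba, payload):
    """Write payload at lba, then report whether the base hash is unchanged and the write is visible."""
    before = disk.base_digest()
    disk.write(lba, payload)
    return disk.base_digest() == before and disk.read(lba, len(payload) // SECTOR) == payload


if __name__ == "__main__":
    # Constructed sample image: 8 sectors of a repeating byte pattern.
    image = bytes(range(256)) * 16
    d = CowDisk(image)
    print("base unchanged after write:", session_preserves_base(d, 3, b"\xFF" * SECTOR))
    print("dirty sectors:", d.dirty_sectors())
```

The practical equivalent of base_digest is hashing the dd image (or the E01 verification hash) before the VFC session and again afterwards; with a raw physical disk that check only holds if a hardware write blocker sits between the disk and the host, as the NB above says.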
25. Mware Workstation 8 [Screenshot: VMware Workstation 8 summary page for VFC New Virtual Machine: Power on this virtual machine; Edit virtual machine settings. Devices: Memory 2.0 GB; Processors 1; Hard Disk (SCSI) 149.2 GB; CD/DVD (IDE) using file; Floppy using file vfc floppy.flp; USB Controller present; Sound Card auto detect; Display auto detect. Description: VM generated by VFC 2.11.11.11 from physical disk PhysicalDrive1. Guest OS: Microsoft Windows XP.]
First select the option to Edit virtual machine settings.
[Screenshot: Virtual Machine Settings, Hardware tab (Device / Summary list as above). Memory: "Specify the amount of memory allocated to this virtual machine. The memory size must be a multiple of 4 MB." Memory for this virtual machine: 2016 MB. Maximum recommended memory 4 GB (memory swapping may occur beyond this size); recommended memory 512 MB; guest OS recommended minimum 128 MB.]
Click Add; the Add Hardware Wizard will start and the default option will be for a Hard Disk. Click Next.
[Screenshot: Add Hardware Wizard, Hardware Type: "What type of hardware do you want to install?" Hard Disk, CD/DVD Drive, Floppy Drive, Network Adapter, USB Controller, Sound Card, Parallel Port, Serial Port and further device types.]
26. Pro: http://www.mountimage.com. VFC: http://www.md5.uk.com/products/vfc2/download/vfc
27. [Screenshot: Windows XP desktop inside the VM with the VMware Tools installation wizard: "Welcome to the installation wizard for VMware Tools. The installation wizard will install VMware Tools on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties."]
Once the VMware Tools are installed it is necessary to restart the machine for configuration changes to take effect. During the reboot process after installation of the VMware Tools the screen resolution may be affected and desktop icons may be re-arranged. It may be possible to adjust screen resolution to the desired final setting prior to the installation of the VMware Tools using the options available within VFC (currently applicable to Windows XP only). Pre-adjusting the resolution may avoid unwanted desktop icon relocation.
Upon successful reboot (and password bypass, if required) you will likely notice a VM tray icon in the lower right of the screen. This can, and probably should, be disabled, as it has no direct effect on user data and this icon would NOT be present on an original machine.
[Screenshot: VFC New Virtual Machine running in VMware Workstation.]
28. Snapshot creation is dependent upon the version of VMware being utilised.
What does VFC actually do?
VFC creates a disk cache that is used by VMware to intercept any changes to the underlying original disk, whether this is a physical device, a mounted forensic image or a full bit-for-bit image file. VFC makes the minimum necessary modifications via the disk cache in order to ensure that it can successfully boot in a virtual environment. The whole ethos behind VFC is to keep the underlying image as close as possible to the original and yet still make it function in VMware. In-situ upgrades, which are advocated as one method of achieving the same goal, were deemed too intrusive of the forensic process.
The Creator of VFC
Michael A Penhallurick holds a Master of Science Degree in Forensic Computing from the Royal Military College of Science, Cranfield University, and was a regular visiting lecturer at that establishment between 2002 and 2005. He has also been involved in the development of training packages with the National Specialist Law Enforcement Centre Hi-Tech Crime Training Team. Michael joined MD5 Limited in November 2006, having previously served as a Police Officer with the South Yorkshire Police for almost 13 years, the last four years of which were as Computer Forensic Manager for their Hi-Tech Crime Unit. He also undertook a year as Computer Forensics Manager in a corporate
29. [Screenshot: Windows XP Start menu, All Programs > Accessories > System Tools, showing System Restore ("Restores system to chosen restore point") alongside Backup, Character Map, Disk Cleanup, Disk Defragmenter, Files and Settings Transfer Wizard, Scheduled Tasks, Security Center and System Information.]
[Screenshot: Welcome to System Restore: "You can use System Restore to undo harmful changes to your computer and restore its settings and performance. System Restore returns your computer to an earlier time (called a restore point) without causing you to lose recent work, such as saved documents, e-mail, or history and favorites lists. Any changes that System Restore makes to your computer are completely reversible."] Your computer automat
30. an [Screenshot: Clonezilla: "Choose the mode to run the following wizard about advanced parameters": Beginner mode; Expert mode (choose your own options).] Selecting Beginner mode should suffice for our cloning needs. Click OK.
[Screenshot: Clonezilla Opensource Clone System (OCS), NCHC Free Software Labs, Taiwan: "Clonezilla is free (GPL) software, and comes with ABSOLUTELY NO WARRANTY. This software will overwrite the data on your hard drive when cloning. It is recommended to backup important files on the target disk before you cloning." Select mode: disk_to_local_disk (local disk to local disk clone); disk_to_remote_disk (local disk to remote disk clone); part_to_local_part (local partition to local partition clone); part_to_remote_part (local partition to remote partition clone); exit (Enter command line prompt).]
We will be cloning from virtual disk to virtual local disk. Click OK.
[Screenshot: Clonezilla, Mode: disk_to_local_disk. "Choose local disk as source. The disk name is the device name in GNU/Linux. The first disk in the system is hda or sda, the 2nd disk is hdb or sdb. Press space key to mark your selection. An asterisk (*) will be shown when the selection is done." sda 150GB VMware Virtual S (no disk serial no.); sdb 160.2GB VMware Virtual S (no disk serial no.).]
31. ant applications have been installed, it is useful to change the properties of any desktop icons that are used to subsequently launch the programs, such that they too are set to Always Run as Administrator.
[Screenshot: Windows 7 desktop icon context menu: Open, Troubleshoot compatibility, Open file location, Run as administrator, Pin to Taskbar, Pin to Start Menu, Restore previous versions, Send to, Cut, Copy, Create shortcut, Delete, Rename, Properties.]
[Screenshot: Properties, Compatibility tab: "If you have problems with this program and it worked correctly on an earlier version of Windows, select the compatibility mode that matches that earlier version." Compatibility mode: Windows XP (Service Pack 3). Settings: Run in 256 colors; Run in 640 x 480 screen resolution; Disable visual themes; Disable desktop composition; Disable display scaling on high DPI settings. Privilege Level: Run this program as an administrator. Change settings for all users.]
Either check the Run this program as an administrator option or, if using a workstation which multiple users may have access to, select Change settings for all users.
[Screenshot: Compatibility for all users: "If you have problems with this program and it worked correctly on an earlier version of Windows, select the compatibility mode that matches that earlier version." Compatibility mode: Run this program in compatibility
32. are Workstation, as this application provides additional functionality over the other available VMware desktop platforms which the end-user investigator may find useful. VFC can also create VMs that will work with VMware Player and VMware Server 2. The latter products are available for free (with registration) from VMware directly.
Another component required in order to successfully use VFC is the vmware-mount utility, which is deployed within the VMware VDDK (Virtual Disk Development Kit), currently at v5.0. The vmware-mount utility is used to mount a specific volume of a virtual disk via snapshot files, so that access can be gained to the file system in a forensically sound manner.
Whilst VFC is predominantly used with images mounted using GetData's Mount Image Pro (MIP), it is also capable of accessing images mounted with the Encase Physical Disk Emulator (PDE) or the AccessData FTK Imager mounting utility. Other utilities may also be available, but these have not been tested by the author. NB: VFC utilises a mounted physical disk, a real physical disk or a raw bit-for-bit dd image.
The VFC Method and the VFC application have been wholly developed utilising MIP. There have been mixed reports with using the FTK Imager mount utility, in that some images would not virtualise unless mounted with MIP. When using the Encase PDE the end user is limited to mounting a single disk via the EnCase interface. It has been found that the b
33. as been identified that when running Windows 7 on a Boot Camp Apple Mac Pro (and potentially other Mac hardware) VFC does not function as expected during the analysis and generate-VM procedures. It is believed that the installation of the Apple Boot Camp drivers causes an issue with VFC whereby the mounted disk caches generated as part of the analysis and generation stages of the VFC virtualisation process fail to be read correctly. This failure to read the mounted cache partition leads to errors detecting the operating system and injecting the requisite patch code into the subject registry. The current resolution is to remove the Boot Camp drivers, whereby it has been found that VFC will function as expected. Investigation and development continues in order to attempt to make VFC fully compatible with a Windows installation which incorporates the Apple Mac Boot Camp drivers.
Could Not Unload Registry
There is an intermittent permissions issue, especially with Vista SP1, whereby a subject registry cannot be unloaded from the host system during generation. This will cause the current session to fail and may cause subsequent sessions to also fail. In these instances it is necessary to exit VFC and manually unload any remnant hives. The resultant VFC VM may not function correctly thereafter, but once generated it can be re-patched by utilising the Restore Points methodology described a
34. bility [Screenshot: Windows Explorer context menu for VFC2 Setup.exe (Date modified 11/11/2011 08:49; Date created 30/01/2012 10:33; Application; Size 293 MB): Open, Run as administrator, Troubleshoot compatibility, Send to, Cut, Copy, Create shortcut, Delete, Rename, Properties.]
In Windows Explorer navigate to the location where you have saved the installation files, right-click on the VFC2 Setup.exe file and select Run as administrator.
[Screenshot: Setup - Virtual Forensic Computing: "Welcome to the Virtual Forensic Computing Setup Wizard. This will install Virtual Forensic Computing v2.11.11.11 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup."]
Click Next and accept the End User License Agreement.
[Screenshot: Setup - Virtual Forensic Computing, License Agreement: "Please read the following important information before continuing. Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation." MD5 Ltd Virtual Forensic Computing License Agreement: "This license agreement governs Virtual Forensic Computing Software. By pressing the I accept the agreement button below you enter into th
35. bove. VFC 2.11.11.11 includes a program initialisation check to remove any remnant hive data left by such an occurrence: simply exit and restart VFC to remove any remnant hives. Older versions of VFC require the remnant hives to be unloaded manually.
CAUTION: If you make a mistake when you edit the registry, your system might become unstable or unusable. Proceed with caution.
To manually unload any remnant hives which VFC cannot automatically unload, first make sure that the VFC application is closed. Next, start REGEDIT and expand HKEY_LOCAL_MACHINE. If there are entries for NEWSYSTEM, NEWSOFTWARE or NEWDEFAULT, these are remnant hives that have not been cleanly unloaded by VFC. Select the remnant hive and use the menu File > Unload Hive to remove the remnant hive from the system. If the hive still cannot be unloaded you may need to first restart the system to flush any system locks that are still present. Once all remnant hives have been removed, exit REGEDIT, dismount any mounted images and restart the system.
To use the Restore Points method on the failed VFC VM, first make sure that any required disk image files have been mounted as previously, and then use the Open Existing option from the VFC main dialog to ensure that the PHYSICALDRIVE number allocation is consistent and matches that which VFC has recorded against the VFC VM. Once Open Existing has verified that the VFC VM is ready to launch, try to Launch
36. can, and probably will, be altered, thus compromising the integrity of the original data. The same is true of DD images when accessed directly.
VFC interrogates the selected device and calculates the disk geometry and partition information. It uses these calculations to create a virtual disk cache so that the required partition can be queried without risk of altering the underlying data. Once the image source has been selected VFC will list the available partitions and display them on the main system dialog. In general the partition marked Bootable will be the one containing the Operating System. With certain systems, such as Windows Vista and above, the bootable partition may only be around 100MB and will not actually contain an OS. In these instances select the next available partition, which will typically occupy the remainder of the available disk space and will contain the OS.
Once the required partition is selected, VFC's default behaviour is to analyse the OS by querying registry data and system files. The resultant information thus gleaned is displayed on the main VFC screen. At this stage VFC has sufficient information with which to create the required disk files and inject any required system fixes. The default file names of New Virtual Machine and New Virtual Disk can optionally be changed manually prior to generation of the VFC VM. Once the VFC VM has been generated the launch facility is enabled and the machine can be booted i
37. ch VM [Screenshot: VFC main dialog: Dongle Expiry Date 19/06/2013; License Status: 502 days remaining; buttons Generate VFC VM, Open Existing VM, Launch VM. Created, Written and Developed by Michael A Penhallurick 2005-2011.]
Start VFC and use the hard disk icon located at the upper left of the screen to launch the drive selection dialog. This process will enumerate all physical storage devices attached to the system and may take several moments.
[Screenshot: Physical / Mounted Disks dialog: "Select the Physical / Mounted Disk you want to virtualise" (option: Display Non-Bootable Drive Details).
Drive details (Bus, LBA, Cyls, Heads, SPT, BPS, Capacity): SAMSUNG HD10353 ATA Device, IDE, 1953525168, 121601, 255, 63, 512, 931.51 GB.
Partition Information (Volume, System, Active, Start Cyl/Head/Sector, End Cyl/Head/Sector, Relative Sectors, Number of Sectors), as legible in the screenshot:
1  0x07  Yes  1 1       1023 254 63  63         292334742
2  0x07  No   1023 1    1023 254 63  292334805  20241900
Volume 1: 142741 Mb NTFS, Bootable. Volume 2: 9883 Mb NTFS. Unused space at end of disk: 2 Mb. Buttons: View Sectors, OK, Cancel, Exit. Created, Written and Developed by Michael A Penhallurick 2005-2011.]
Once enumeration is complete the mounted drive will be displayed in the drive selection dialog. If the mounted drive is not displayed then VFC has been unable to ascertain that there is an active
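As an added illustration (not VFC's own code) of the geometry and partition figures the drive selection dialog above reports, the following Python decodes MBR partition entries into the same columns, derives the Mb sizes and the unused tail, and sanity-checks the layout. The 16-byte entries are constructed here from the dialog's values; the start CHS tuples are assumed where the screenshot is not legible, and the 312581808-sector disk total is taken from the analysis screen elsewhere in this guide.

```python
"""Decode an MBR partition table into the figures the VFC drive-selection
dialog reports (system id, active flag, CHS start/end, relative sectors,
number of sectors, size in Mb, unused tail). Added example, not VFC code."""
import struct
from dataclasses import dataclass

SECTOR = 512       # bytes per sector (BPS column in the dialog)
MIB = 1024 * 1024  # VFC's "Mb" column is binary megabytes, truncated
# LBA count of the 160 GB source disk, from the VFC analysis screen (312581808 CHS)
TOTAL_SECTORS = 312581808


@dataclass
class PartitionEntry:
    volume: int
    system_id: int
    active: bool
    start_chs: tuple
    end_chs: tuple
    relative_sectors: int
    number_of_sectors: int

    @property
    def size_mb(self) -> int:
        # 292334742 * 512 / 1048576 = 142741.57, which VFC shows as 142741 Mb
        return self.number_of_sectors * SECTOR // MIB

    @property
    def end_lba(self) -> int:
        return self.relative_sectors + self.number_of_sectors  # first sector after


def decode_chs(raw: bytes) -> tuple:
    """Unpack the 3-byte packed CHS field into (cylinder, head, sector):
    cylinder is 10 bits (its top two bits sit in the sector byte), sector 6 bits."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return (cylinder, raw[0], raw[1] & 0x3F)


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    """Inverse of decode_chs; used only to build the constructed sample."""
    return bytes([head, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def parse_entry(volume: int, raw: bytes) -> PartitionEntry:
    """Parse one 16-byte MBR partition entry (LBA fields are little-endian)."""
    if len(raw) != 16:
        raise ValueError("MBR partition entry must be 16 bytes")
    status, schs, sysid, echs, rel, num = struct.unpack("<B3sB3sII", raw)
    return PartitionEntry(volume, sysid, status == 0x80,
                          decode_chs(schs), decode_chs(echs), rel, num)


def build_entry(active, sysid, start_chs, end_chs, rel, num) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                       encode_chs(*start_chs), sysid, encode_chs(*end_chs), rel, num)


# Constructed 64-byte table reproducing the two NTFS (0x07) volumes in the
# dialog. End CHS is the 1023/254/63 saturation value a BIOS-style table
# uses beyond 8 GB; the start CHS tuples are assumed (screenshot not legible).
SAMPLE_TABLE = (
    build_entry(True, 0x07, (0, 1, 1), (1023, 254, 63), 63, 292334742)
    + build_entry(False, 0x07, (1023, 0, 1), (1023, 254, 63), 292334805, 20241900)
    + bytes(32)  # two empty slots
)


def parse_table(table: bytes) -> list:
    """Return the in-use entries of a four-slot, 64-byte MBR partition table."""
    if len(table) != 64:
        raise ValueError("MBR partition table must be 64 bytes")
    entries = []
    for i in range(4):
        raw = table[16 * i:16 * (i + 1)]
        if raw[4] != 0:  # system id 0 marks an unused slot
            entries.append(parse_entry(len(entries) + 1, raw))
    return entries


def check_layout(entries: list, total_sectors: int) -> dict:
    """Checks an examiner wants before trusting the geometry: no overlap, nothing
    past the end of the disk, which volume is bootable, and the unused tail that
    VFC reports as 'Unused space at end of disk'."""
    problems, prev_end = [], 0
    for e in entries:
        if e.relative_sectors < prev_end:
            problems.append(f"volume {e.volume} overlaps the previous volume")
        if e.end_lba > total_sectors:
            problems.append(f"volume {e.volume} extends past the end of the disk")
        prev_end = max(prev_end, e.end_lba)
    return {"unused_tail_mb": (total_sectors - prev_end) * SECTOR // MIB,
            "bootable": [e.volume for e in entries if e.active],
            "problems": problems}


def capacity(total_sectors: int) -> dict:
    """True capacity from the LBA count: decimal GB (drive label) vs binary GiB."""
    nbytes = total_sectors * SECTOR
    return {"bytes": nbytes, "decimal_gb": nbytes / 1e9, "binary_gib": nbytes / 2**30}
```

Running check_layout on the sample table reproduces the dialog's 142741 Mb and 9883 Mb volumes, volume 1 as bootable, and the 2 Mb unused tail, while capacity(1953525168) gives the 931.51 GB shown for the host's SAMSUNG drive.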
38. d i. Regenerate the virtual machine in the same folder, discarding the existing files.
[Screenshot: Existing Files Detected: "One or more remnant files already exist for this Virtual Machine. VFC cannot continue until these files are removed or the virtual machine name and/or location is changed. Press OK to Delete ALL files in this folder. Press Cancel to select an alternate name & location."]
ii. Revert to snapshot (if using Workstation); this will flush the latest disk cache and reset the problem time stamps.
[Screenshot: "By restoring this snapshot, the current state will be lost. Do you want to restore VFC Baseline?"]
If reverting to snapshot, do the process twice, as otherwise the snapshot numbering sequence may latterly fall out of sync.
iii. Disable the baseline snapshot option via the Options button on the main dialog screen prior to generating the VFC VM.
[Screenshot: VFC Options: Logon Command Prompt; Administrator Logon on Welcome Screen; Initial Screen Resolution (XP Only); Split virtual disk into 2GB chunks; Disable Auto Reboot on System Crash; Fix Known Errors; Fix XP WPA (XP Only); Limit RAM to 7272 MB; Save Settings as Default. Written and Developed by Michael A Penhallurick 2005-2010.]
Host System is Windows 7 on a Boot Camp Mac Pro
It h
39. d not start successfully [Screenshot: overlapping VMware dialogs: "Please check that you have shut down your guest operating system before powering off"; "Are you sure you want to power off the virtual machine VFC New Virtual Machine?"; "Use the up and down arrow keys to move the highlight to your choice."]
Once the VFC VM has been shut down, utilise the Restore Points tab in VFC to re-inject the required system drivers and registry settings.
[Screenshot: VFC 2.10.10.4, Restore Points tab (VFC Main, Modify Hardware, Restore Points, Password Bypass, About): "VFC Windows Restore Point Forensics. This function will patch an existing VM after using System Restore to rewind the system to an earlier date. Within a running VM (XP or above) simply use the built-in System Restore function to rewind the machine to an earlier date." Select VM: D:\VFC DEMO\VFC New Virtual Machine.vmx; virtual disk New Virtual Disk-000002.vmdk. "This virtual disk has multiple volumes. Please select the relevant volume from the droplist." Message: Multiple volumes detected 5 expected. Partially obscured text: "During the Reboot stage the syst", "When this happens Power Off th", "Once selected apply the approp", "You will need to re-install VMware". Written and Developed by Michael A Penhallurick 2005-2010.]
40. e lower left section of the main dialog. The Auto Analyse Partitions feature can be disabled if required, and the OS version can then be selected manually. Disabling Auto Analyse Partitions will preclude the extraction of any of the aforementioned system information. If required, various options which affect the generation of the Virtual Machine can also be altered as desired (see Options below).
[Screenshot: VFC 2.11.11.11 main dialog (VFC Main, Modify Hardware, Restore Points, Password Bypass, About) with Auto Analyse Partitions checked. Disk: 312581808 sectors (CHS). Volume 1: 142741 Mb NTFS Bootable; Volume 2: 9883 Mb NTFS; Unused space at end of disk: 2 Mb. OS: Microsoft Windows, Windows XP Professional. Analysis results for PhysicalDrive1: GuestOS Windows XP Professional; Install Date 28/11/2007 17:09:02; Last Boot Time 19:51:08 (date not legible); Last Shutdown 13/09/2010 21:02:52; Last Used Date 13/09/2010 21:02:53; Registered Owner (not legible); Computer Description Demo PC; Network Workgroup MDSNET; Disk Serial Number AA 95 AA 95; Dongle Serial 01163; RAM detected (Mb) 2016; Timezone GMT Standard T. Virtual Machine Name (.vmx assumed): New Virtual Machine; Virtual Disk Name (.vmdk assumed): New Virtual Disk. Buttons: Options, Clear Log File, View Log File.]
41. e terms of this binding contract between you ("you" or "User") and MD5 Ltd. If you do not agree with the terms of this license, choose the I do not accept the agreement button." [Screenshot: I accept the agreement / I do not accept the agreement; Back, Next, Cancel.]
Click Next and specify the location for installation, or accept the default name and location. The default location will be either Program Files or Program Files (x86), depending on your Host OS. It is recommended that you accept the defaults.
[Screenshot: Setup - Virtual Forensic Computing, Select Start Menu Folder: "Where should Setup place the program's shortcuts? Setup will create the program's shortcuts in the following Start Menu folder. To continue, click Next. If you would like to select a different folder, click Browse." Virtual Forensic Computing; Don't create a Start Menu folder.]
You can elect not to create a Start Menu folder if desired. Click Next to proceed.
[Screenshot: Setup - Virtual Forensic Computing, Select Additional Tasks: "Which additional tasks should be performed? Select the additional tasks you would like Setup to perform while installing Virtual Forensic Computing, then click Next." Additional icons: Create a Quick Launch icon.]
Select or deselect the options to create D
42. ead the following License Agreement. You must accept the terms of this agreement before continuing with the installation."
[Screenshot: License Agreement for GetData Software: "This document is a legally binding agreement between you and GetData Pty Ltd ABN 79 100 297 149 (GetData), the developer of the software program. Permission to use the Software and any documentation included with the Software (Documentation) is conditional upon you agreeing to the terms set out below. By installing or otherwise using the Software you agree to be bound by the terms of this agreement. If you do not wish to accept the terms, do not install or use the Software, and if" (remainder not legible). I accept the agreement / I do not accept the agreement; Back, Next, Cancel.]
The License Agreement will be displayed. Accept the terms and click Next to continue.
[Screenshot: Setup - Mount Image Pro, Select Destination Location: "Where should Mount Image Pro be installed? Setup will install Mount Image Pro into the following folder. To continue, click Next. If you would like to select a different folder, click Browse." C:\Program Files (x86)\GetData\Mount Image Pro v4. At least 5.1 MB of free disk space is required.]
You can either accept the default installation folder (recommended) or change the installation location, and click Next.
43. efined keymaps specific for your architecture (recommended for non-USB keyboards); Don't touch keymap (don't overwrite the keymap in /etc/console, which is maintained manually with install-keymap(8)); Keep kernel keymap (prevent any keymap from being loaded next time the system boots); Select keymap from full list (list all the predefined keymaps; recommended when using cross-architecture, often USB, keyboards).
[Screenshot: Policy for handling keymaps: Select keymap from arch list; Keep kernel keymap; Select keymap from full list.]
There should be little need to alter the keymap.
[Screenshot: Clonezilla (NCHC Free Software Labs, Taiwan): "Start Clonezilla or enter login shell (command line)". Select mode: Start Clonezilla; Enter shell (Enter command line prompt).]
Click OK to start Clonezilla.
[Screenshot: Clonezilla: "Clonezilla is free (GPL) software, and comes with ABSOLUTELY NO WARRANTY. Hint! From now on, if multiple choices are available, you have to press space key to mark your selection. An asterisk (*) will be shown when the selection is done. Two modes are available, you can (1) clone/restore a disk or partition using an image, (2) disk to disk or partition to partition clone/restore." Select mode: device-image (work with disks or partitions using images); device-device.]
Select the device-device option and click OK.
44. el 0 [Screenshot: Clonezilla shutdown console output: Stopping mouse interface server: gpm; Unmounting iscsi-backed filesystems; Unmounting all devices marked _netdev; Stopping system log daemon; Asking all remaining processes to terminate... done; rpcbind terminating on signal, restart with "rpcbind -w"; Stopping rpcbind daemon; Deconfiguring network; Stopping NFS common utilities; Unmounting temporary filesystems; Deactivating swap... done; Stopping remaining crypto disks; Stopping early crypto disks... done; live-boot is resyncing snapshots and caching files; "Please remove the disc, close the tray (if any) and press ENTER to continue".]
[Screenshot: VMware Workstation summary: Edit virtual machine settings. Devices: Memory 2.0 GB; Processors 1; Hard Disk (SCSI) 149.2 GB; Hard Disk 2 (SCSI) 149.2 GB; CD/DVD (IDE) using file; Floppy using file vfc floppy.flp; USB Controller present; Sound Card auto detect; Display auto detect. Description: VM generated by VFC 2.11.11.11 from physical disk PhysicalDrive1.]
Use Edit virtual machine settings, select the original hard drive (149.2 GB) and use the Remove button to remove this disk.
[Screenshot: Virtual Machine Settings, Hardware tab, listing Memory, Processors, Hard Disk (SCSI), Hard Disk 2 (SCSI), CD/DVD (IDE), Floppy, USB Controller, Sound Card and Display, with the Remove button.]
45. ers installed you will most likely see the following error message:
[Screenshot: "The program can't start because EL2DLEEL32.DLL is missing from your computer. Try reinstalling the program to fix this problem."]
Installing the dongle drivers should resolve this issue, regardless of the type of dongle you have.
Installation of VMware Workstation
[Screenshot: Windows Explorer, Computer > 32GB USB (E:) > VFC2 Retail Install, listing MIP Setup 4.5.9.853.exe (29/06/2011 08:55, Application), VFC2 Setup.exe (11/11/2011 08:49, Application), VMware-vix-disklib-5.0.0-427917.i386.exe (30/08/2011 12:03, Application) and VMware-workstation-full-8.0.2-591240.exe (25/01/2012 11:24, Application), with the context menu (Open, Run as administrator, Troubleshoot compatibility, Send to, Cut, Copy, Create shortcut, Delete, Rename, Properties) open on VMware-workstation-full-8.0.2-591240.exe (Date modified 25/01/2012 11:24; Date created 30/01/2012 10:34; Application; Size 468 MB).]
In Windows Explorer navigate to the loca
46. esktop and Quick Launch icons. Click Next to proceed.
[Screenshot: Setup - Virtual Forensic Computing, Ready to Install: "Setup is now ready to begin installing Virtual Forensic Computing on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings." Start Menu folder: Virtual Forensic Computing. Additional tasks: Additional icons: Create a desktop icon; Create a Quick Launch icon.]
Review your installation options and click Install to complete the installation of the VFC application.
[Screenshot: Completing the Virtual Forensic Computing Setup Wizard: "Setup has finished installing Virtual Forensic Computing on your computer. The application may be launched by selecting the installed icons. Click Finish to exit Setup." Option: Launch Virtual Forensic Computing.]
De-select the option to Launch Virtual Forensic Computing and click Finish. You will need to install both a VMware desktop product and the VMware VDDK before VFC can be utilised. If either of these applications is not present, VFC will fail to start with the following error message: "Fatal Error: Could not validate an start, exiting".
The VFC Dongle and Dongle Drivers
You will need to have the VFC dongle inserted to run VFC. If you have a green VFC dongle you will also need to install the required d
47. est method of installing VFC and the other required applications when using a Windows 7 host system is by right-clicking the relevant executable and selecting Run as Administrator from the subsequently displayed context menu. It is the author's opinion that UAC can cause issues and should also be disabled on the forensic investigator's host system; however, this is a decision left entirely up to the investigator.
The host system used to create the following screenshots was an Intel-based Mac Pro running Windows 7 Ultimate x64. Boot Camp drivers were NOT installed.
The following instructions relate to the installation of VFC 2.11.11.11, VMware Workstation 8.0.2, VDDK 5.0 and MIP 4.5.9.853. The latest versions, or links to the latest versions, are available from http://www.md5.uk.com/products/vfc2/download/vfc
Installation of VFC (VFC2 Setup.exe)
[Screenshot: Windows Explorer, Computer > 32GB USB (E:) > VFC2 Retail Install, listing MIP Setup 4.5.9.853.exe (29/06/2011 08:55, Application, 12,367 KB), VFC2 Setup.exe (11/11/2011 08:49, Application), VMware-vix-disklib-5.0.0-427917.i386.exe (30/08/2011 12:03) and VMware-workstation-full-8.0.2-591240.exe (25/01/2012 11:24), with the context menu open: Open, Run as administrator, Troubleshoot compati
48. fully applied. Resume the suspended machine and log on using any password, or simply press the <Return> key. The patch will authenticate all users until the virtual machine is rebooted, at which time normal authentication will be required.
NB: It may be necessary to enter an incorrect password (or just press the return key) at least once prior to using this patch, to ensure that the relevant system modules have been loaded into the VM memory. It may also be necessary to run the patch twice, or to reboot the VM and then apply the patch.
[Screenshot: VFC Password Bypass tab. VMware VMX configuration file: Select VM: D:\VFC DEMO\VFC New Virtual Machine.vmx. VMware suspended machine VMEM file: D:\VFC DEMO\VFC New Virtual Machine.vmem. Button: Authenticate All Users. Written and Developed by Michael A Penhallurick 2005-2010.]
Once the authentication routine is completed, Resume the virtual machine and access the user account without the need of a password.
It should be noted that Password Bypass is not a password removal or cracking tool. It is a proprietary routine which works on a single suspended virtual machine session for machines generated by VFC. If the virtual machine is rebooted, memory will be reset and either the password must be utilised or the Password Bypass must be re-applied. No disk files are altered and the effect is transitory. Additionally, Password Bypass will affect all user accounts on the system, whether they are local user accounts or domain
49. ght now. [Screenshot: Add Hardware Wizard, disk capacity page: "If you do not allocate all the space now, the virtual disk starts small and grows as you add data to it." Split virtual disk into multiple files: "Splitting the disk makes it easier to move the virtual machine to another computer, but may reduce performance with very large disks." Back, Next, Cancel.]
Unlike OEM drive manufacturers, VMware disk sizes are calculated at the true specified capacity. The original hard disk being used in this example was a 160GB disk (149.2GB formatted). When specifying the disk size in VMware it is usually sufficient to simply specify the formatted disk size as the size of the disk. In this instance, specify the same capacity as displayed in the initial VFC VM settings screen above, which is shown as 149.2GB. I usually elect to NOT allocate the disk space and to store the disk as a single file.
NB: You will need to use a file system (NTFS) which can support large file sizes if storing as a single file. FAT32 drives have a 4GB file size limitation, and you will need to Split the disk into multiple files if using a FAT32 storage drive on your Host system.
[Screenshot: Add Hardware Wizard, Specify Disk File: "Where would you like to store the disk file?" Disk file: Clone of New Virtual Machine.vmdk. "This virtual disk file will store the configuration details of the physical disk."]
Specify the name of the new disk and click Finish. Disk file
50. …[Screenshot: Windows Explorer, VFC2 Retail Install folder, listing MIP Setup 4.5.9.853, VFC2 Setup, VMware-vix-disklib-5.0.0-427917.i386 and VMware-workstation-full-8.0.2-591240, with the right-click context menu open on MIP Setup 4.5.9.853 (Application, 12.0 MB, date modified 29/06/2011 08:55) showing 'Run as administrator'.]
In Windows Explorer, navigate to the location where you have saved the installation files, right click on the MIP Setup 4.5.9.853.exe file (or whichever version you have access to) and select 'Run as administrator'. Please note that earlier versions of this application are not guaranteed to work with VFC and as such are unsupported.
[Screenshot: Welcome to the Mount Image Pro Setup Wizard: 'This will install Mount Image Pro v4.5.9.853 on your computer. It is recommended that you close all other applications before continuing. Click Next to continue, or Cancel to exit Setup.']
Click Next to continue.
[Screenshot: Setup - Mount Image Pro, License Agreement: 'Please read the following important information before continuing…']
51. …[Screenshot: Setup - Mount Image Pro, Select Start Menu Folder: 'Where should Setup place the program's shortcuts? Setup will create the program's shortcuts in the following Start Menu folder. To continue, click Next. If you would like to select a different folder, click Browse.' Default folder: Mount Image Pro v4; option 'Don't create a Start Menu folder'.]
You can either accept the default Start Menu folder (recommended) or change the name of this folder, and click Next.
[Screenshot: Setup - Mount Image Pro, Select Additional Tasks: 'Which additional tasks should be performed? Select the additional tasks you would like Setup to perform while installing Mount Image Pro, then click Next.' Additional icons: Create a Quick Launch icon.]
Select or deselect the options to create Desktop and Quick Launch icons. Click Next to proceed.
[Screenshot: Setup - Mount Image Pro, Ready to Install: 'Setup is now ready to begin installing Mount Image Pro on your computer. Click Install to continue with the installation, or click Back if you want to review or change any settings.' Destination location: C:\Program Files (x86)\GetData\Mount Image Pro v4; Start Menu folder: Mount Image Pro v4; Additional tasks: Create a desktop icon, Create a Quick Launch icon.]
52. …[Clonezilla screenshot: saving the hidden data between the MBR (1st sector, i.e. 512 bytes) and the 1st partition, which might be useful for some recovery tool, using dd from /dev/sda (skip=1 bs=512 count=62; 31744 bytes (32 kB) copied), then collecting partition information for /dev/sda2 (non-GRUB boot loader found; CHS values of the hard drive from EDD will be used; busy partitions and unmounted partitions, including extended or swap, excluded; 'Collecting info done'), followed by the prompt 'Are you sure you want to continue?']
You will be prompted multiple times to make sure you are sure you want to continue. Press 'y' then Enter to continue.
[Clonezilla screenshot: the same hidden-data dd step and partition information collection, shown again as the process proceeds.]
53. …[Screenshot: System Restore welcome page in the VFC New Virtual Machine: '…automatically creates restore points (called system checkpoints), but you can also use System Restore to create your own restore points. This is useful if you are about to make a major change to your system, such as installing a new program or changing your registry.' System Restore Settings. 'To continue, select an option, and then click Next. To begin, select the task that you want to perform:' … 'Create a restore point'.]
[Screenshot: VFC New Virtual Machine in VMware Workstation, System Restore, Select a Restore Point: 'The following calendar displays in bold all of the dates that have restore points available. The list displays the restore points that are available for the selected date. Possible types of restore points are: system checkpoints (scheduled restore points created by your computer), manual restore points (restore points created by you), and installation restore points (automatic restore points created when certain programs are installed). 1. On this calendar, click a bold date. 2. On this list, click a restore point.' Calendar: July 2010; selected date 12 July 20…]
54. …will be necessary in order to obviate this requirement.
Duplicate VFC VM using disk copy method
A legacy process, initially used during the development of The VFC Method, is the utilisation of a third party disk cloning application such as Norton Ghost or the freely available Clonezilla in order to create a full disk copy of the live data of the subject system. This copy can be subsequently preserved and protected by using snapshots, such that the resultant VM can be successfully reverted to its initial VFC state if required.
By using a disk cloning application and utilising the sparse disk feature of VMware vmdk files, the actual disk space used is (or can be) considerably smaller than the original disk capacity, as only live data is selected for copying. Deleted files and unallocated disk space are ignored, resulting in a much smaller yet still accurate representation of the user system, as all relevant system and user files (including those in the Recycle Bin) are available.
The downside of this method is that it can be a quite time consuming process to copy the disk data; however, in those instances where a generated VFC VM is required to be run independently of forensic images and of access to mounting utilities such as MIP, this method can be implemented.
The following screenshots depict the process by which a new, suitably sized sparse disk is created and added to the VFC VM using V…
55. …[Screenshot: VFC main dialog, licence details: Dongle Expiry Date 19/06/2013; Product ID and CD Key fields; License Status: 502 days remaining; buttons Generate VFC VM, Open Existing VM and Launch VM. Written and Developed by Michael A Penhallurick 2005-2011.]
Once the analysis has been completed, you have the option of changing the Virtual Machine Name (default: New Virtual Machine) and the Virtual Disk Name (default: New Virtual Disk). These values should typically be adjusted to reflect the details of the forensic image under investigation, e.g. 'Coakley PC HDD0'.
When all relevant data has been entered and analysed, the 'Generate VFC VM' button will become active and the requisite files can be created, along with the application of any necessary system patches. A successful generation will result in the creation of those files necessary to enable the subject mounted disk image to be booted in a VMware virtual environment. This can be achieved by using the Launch button located at the lower right of the main dialog screen.
Alternatively, the machine can be launched manually, typically by either double clicking the generated vmx file via Windows Explorer, or by starting the VMware application and using the various options to Open a Virtual Machine.
[Screenshot: VMware File menu, including Import or Export, Import Windows XP Mode VM, Connect to ACE Management Server and Close (Ctrl+W)…]
56. …[Screenshot: Windows 7 Start Menu, All Programs, with the right-click context menu open on the Virtual Forensic Computing shortcut (Open, Run as administrator, Send to, Cut, Copy, Delete, Rename, Properties) and the Dongle Driver and License Manager shortcuts visible.]
Right click on the appropriate Start Menu shortcut and select 'Run as administrator'.
[Screenshot: KEYLOK Security Key Installation. Dongle Type: 'Select one or more Dongle Types' (USB Dongle, Parallel Port Dongle, Fortress Dongle). Installation Type: Standalone, Client, Server, Uninstall. Command Line Options.]
Select USB Dongle.
[Screenshot: VFC Dongle Driver Install: 'Please do NOT attach USB Dongle until the installation is completed.' Begin Install; Command Line Options; Exit.]
Click OK, then click Begin Install.
[Screenshot: Device Driver Installation Wizard: 'Welcome to the Device Driver Installation Wizard. This wizard helps you install the software drivers that some computers devices need in order to work. To continue, click Next.']
Click Next.
[Screenshot: Windows Security: 'Would you like to install this device software?' Name: KEYLOK; Publisher: Microcomputer…]
57. …[Screenshot: Virtual Machine Settings, Hardware: Hard Disk (SCSI) 149.2 GB; CD/DVD (IDE), Auto detect; Floppy, using the vfc_floppy image file; USB Controller, Present; Sound Card, Auto detect; Display. Disk file: New Virtual Disk-000002.vmdk. Capacity: current size 1.5 GB, maximum size 149.2 GB. 'Disk space is not preallocated for this hard disk. Hard disk contents are stored in multiple files.' Memory: 'Specify the amount of memory allocated to this virtual machine. The memory size must be a multiple of 4 MB.' Maximum recommended memory 4 GB ('Memory swapping may occur beyond this size'); Recommended memory 512 MB; Guest OS recommended minimum 32 MB.]
You now need to take a snapshot of the system so that the initial state can be preserved if required. If using VMware Workstation, simply use the menu option VM > Snapshot > Take Snapshot to create the snapshot of the system. This can be used at a later stage via Workstation to revert the machine back to this initial state if required.
[Screenshot: VMware Workstation VM menu: Power, Removable Devices, Pause (Ctrl+Shift+P), Send Ctrl+Alt+Del…]
58. …[Screenshot: Found New Hardware Wizard for a VGA Compatible controller: 'If your hardware came with an installation CD or floppy disk, insert it now. What do you want the wizard to do? Install the software automatically (Recommended) / Install from a list…' Click Next to continue.]
[Screenshot: 'Your audio hardware configuration has changed. You must re-install SoundMAX.' Found New Hardware: SoundMAX.]
VMware Tools Installation
A typical installation of VMware Tools will provide enhanced graphic control by utilising the VMware SVGA driver, as well as better mouse control and the ability to drag and drop between Host and Guest (and vice versa).
Whilst the installation of the VMware Tools is described as vital by VMware, and indeed is required both for enhanced user interaction and to most accurately re-create the original environment, it should be noted that the installation procedure will most likely generate a System Restore Point event. Equally, if rewinding the machine to an earlier point using System Restore functionality, this will effectively remove the installed Tools from the system and they will need to be installed again.
[Screenshot: VFC New Virtual Machine in VMware Workstation, guest desktop showing My Computer…]
59. …[Screenshot: VMware Virtual Disk Development Kit installer, copyright warning: '…and international treaties.' Cancel / Next.]
Click Next to continue.
[Screenshot: End User Patent Agreement: 'Copyright 1998-2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more U.S. Patent Numbers…' followed by the list of patent numbers.]
The End User Patent Agreement will be displayed. Click Next to continue.
[Screenshot: License Agreement, VMware Virtual Disk Developer Kit License Agreement: 'VMware, Inc. ("VMware") provides this Virtual Disk Developer Kit (the "VDDK") to you subject to the following terms and conditions. If you disagree with any of the following terms, then do not use this VDDK. 1. This VDDK contains a variety of materials, including but not limited to interface definitions, documentation and sample code regarding programming interface…']
60. …[Clonezilla screenshot: creating the new partition table on the target disk /dev/sdb with sfdisk (forced geometry C=19476 H=255 S=63, read from the saved source partition table), informing the OS that the partition table has changed (kernel messages for sd 1:0:1:0 sdb: cache data unavailable, assuming drive cache write through), checking the integrity of the partition table on /dev/sdb, and restoring the hidden data between the MBR (1st sector, i.e. 512 bytes) and the 1st partition with dd (of=/dev/sdb seek=1 bs=512 count=62).]
One last check to make sure we really want to do this. Press 'y' then Enter to continue.
[Screenshot: Partclone progress screen.]
The cloning process will start and may take some considerable time.
[Clonezilla screenshot, after cloning: 'New volume size: … MB. Nothing to do: NTFS volume size is already OK.' 'Creating the swap partition if exists.' 'Trying to remove udev hardware record in the restored OS' (destination disk is sdb); 'Trying to remove udev persistent files'; 'Run grub-install on disk sdb … directory is NOT found. Maybe it does not exist…']
61. …[Screenshot: System Restore in the VFC New Virtual Machine: '…new settings will take effect. Do you want to restart your computer now?' (Renamed files/folders).]
[Screenshot: System Restore, Restoration Complete: 'Your computer has been successfully restored to 12 July 2010 (Installed iTunes). If this restoration does not correct the problem, you can: Choose another restore point; Undo this restoration. Some folders were renamed to preserve their files. To view the list of renamed folders, click the link below. Renamed files/folders.']
[Screenshots: the restored guest desktop in VMware Workstation, showing LimeWire 5.5.14, WebEx Player, WebEx Recorder, Browser Choice and DVD Player icons, the Recycle Bin and the Start menu.]
62. …into a virtual environment. Whilst there may be some limitations, particularly with screen resolution and OEM hardware devices, the user can then interrogate and interact with the virtualised system in as close an approximation to the original as is possible.
If a logon password is required but not known, the machine can be suspended and the VFC Password Bypass routine can be utilised (Windows only).
If there are system restore points available, the in-built Windows System Restore feature can be used to rewind the VFC VM to an earlier date. In so doing, this will undo necessary changes that the initial generation has implemented, and the system will fail to boot from a restored session. This is expected behaviour. Simply power off the VFC VM and utilise the Restore Point Forensics feature to re-inject the necessary system drivers and thus enable a successful boot to the required System Restore Point.
Installation of VFC and associated applications
VFC has been developed in order to automate and expedite the steps required to implement The VFC Method of creating a functional, working VMware Virtual Machine (VM), primarily from a mounted Expert Witness Format (EWF) file. As the above indicates, one of the required components of this methodology is access to and use of the VMware Virtualisation platform. The recommended platform is VMw…
63. …dongle drivers. If you have a white VFC dongle, this is driverless and should function without issue. The Dongle Drivers are also required in order to use the VFC License Manager application, used to refresh the Dongle data upon renewal of a subscription.
If you attempt to run VFC without a dongle, or with a green dongle when the dongle drivers have not been installed, you will see the following error message:
[Screenshot: VFC 2.11.11.11 error: 'Please check the following: 1. Make sure your dongle is securely attached to your computer. 2. Make sure the dongle drivers have been correctly installed. 3. Use the VFC License Manager to update/refresh your dongle. If you are still experiencing problems, please contact VFC Support.']
The VFC Dongle drivers can be located via the Start Menu (All Programs) in the Support sub-folder of Virtual Forensic Computing. You must remove the dongle from the Host machine prior to installing the dongle drivers.
[Screenshot: Windows 7 Start Menu, All Programs, with the right-click context menu open on a shortcut: Open, Run as administrator, Troubleshoot compatibility, Scan with Microsoft Security Essentials, Pin to Taskbar, Pin to Start Menu, Restore previous versions, Open file locat…]
64. …[Screenshot: Mount Image Pro, Image Properties / Partitions: Id, Active, Location, Capacity, File System; Mounted Drives: 0. MIP64 Driver ver 4.6.56.0 installed (service is running); MIP64 FileSys Driver ver 2.5.51.126 installed.]
Once the image has been successfully mounted, the mounting application can be minimised, as no further direct interaction is required.
NB: If using either EnCase PDE or the FTK Imager mount function, closing either of these applications will cause the image to dismount. The MIP GUI can be closed, but this will minimise the application to the system tray whilst maintaining the mounted status of the image.
[Screenshot: Mount Image Pro v4.5.9.853 (Evaluation Version), menu File / Options / Help, toolbar Mount, Unmount, View, Options, Update, Help. Mounted Images columns: Filename, Files, Partition, As, Label, File System, Date Acquired, Examiner, Case No, Evidence No, Acquiring Program, Description. Mounting progress dialog. Image Details: Filename, Image Properties, Partitions (Id, Active, Location, Capacity, File System); Mounted Drives: 0; MIP64 Driver ver 4.6.56.0 installed (service is running); MIP64 FileSys Driver ver 2.5.51.126 installed.]
65. …[Screenshot: VMware Player File menu (…Map or Disconnect Virtual Disks, Add to Favorites, Exit) and Welcome to VMware Player: 'Create a New Virtual Machine: Create a new virtual machine, which will then be added to the top of your library. Open a Virtual Machine: Open an existing virtual machine, which will then be added to the top of your library. Download a Virtual Appliance: Download a virtual appliance from the marketplace. You can then open it in VMware Player. Help: View VMware Player's help contents.']
Once the Virtual Machine has been manually opened, it will be necessary to Power On the virtual machine.
[Screenshot: VFC New Virtual Machine in VMware Workstation, BIOS boot screen: PhoenixBIOS 4.0 Release 6.0, Copyright 1985-2001 Phoenix Technologies Ltd; Copyright 2000-2009 VMware, Inc.; VMware BIOS build 315; ATAPI CD-ROM: VMware Virtual IDE CDROM Drive; Mouse initialized; 'Press F2 to enter SETUP, F12 for Network Boot, ESC for Boot Menu'.]
During the boot process, VMware displays options to access Setup (F2), Network Boot (F12) or the Boot Menu (Esc). By default, VFC does not add any network connectivity. The default boot order is Floppy Disk, Hard Disk, then CD-ROM. Typically the Boot Menu will need to be accessed in ci…
66. …[Screenshot: Mount Image Pro, toolbar Options / Update / Help. Mounted Images: VFC_DEMO.E01 (G:\VFC_DEMO\Evidence Files), mounted as PHYSICALDRIVE4, Physical, date acquired 06/04/2011 11:46:54, Examiner Michael Penhall…; Image Details: Filename, Image Properties, Partitions (Id, Active, Location, Capacity, File System); Mounted Drives: 1; MIP64 Driver ver 4.6.56.0 installed (service is running); MIP64 FileSys Driver ver 2.5.51.126 installed.]
As can be seen from the above, the VFC_DEMO.E01 image has been mounted as PHYSICALDRIVE4 and is now available to the system. From this point the MIP GUI is no longer directly required by VFC and can be minimised.
[Screenshot: VFC 2.11.11.11 main dialog. Select Source Device: Mounted Hard Disk. Guest Operating System: Microsoft Windows, Version: Autodetect, Auto Analyse Partitions ticked. Virtual Machine Name (.vmx assumed): New Virtual Machine. Virtual Disk Name (.vmdk assumed): New Virtual Disk. Quick Instructions: Select Physical Disk or Disk Image > Override OS and version if required > Select partition (Windows systems will Auto Analyse if option is selected) > Adjust Virtual Machine and Virtual Disk names as required > Generate VFC VM > Laun… Options: Clear Log File, View Log File. Dongle Serial 01163.]
67. …quickly navigate to the first sector of the disk, the first sector of any identified partitions, or to any selected sector on the disk.
[Screenshot: View Sectors. Partition: MBR; Offset: 0; Cyls, Heads, SPT, BPS; Sector View showing a hex dump of sector 0 (offsets 00000000 to 000001F0) with its ASCII column, in which the text 'Press F11 for Recovery' is visible.]
Select Partition
Once the required physical drive has been selected, the available partitions, along with capacity, file system and status, will be displayed on the main dialog screen.
[Screenshot: VFC 2.11.11.11, Virtual Forensic Comp…]
68. …or change the installation location, and click Next.
[Screenshot: VMware Workstation Setup, Destination Folder: 'Click Next to install to this folder, or click Change to install to a different folder. Install VMware Workstation to: C:\Program Files (x86)\VMware\VMware Workstation\']
'Check for product updates' can be disabled if using a non-Internet-connected Host System.
[Screenshot: VMware Workstation Setup, Software Updates: 'When would you like to check for updates of your software? Check for product updates on startup: When VMware Workstation starts, check for new versions of the application and installed software components. Learn More.']
Click Next to continue.
[Screenshot: VMware Workstation Setup, User Experience Improvement Program: 'Would you like to send feedback to VMware? Help improve VMware Workstation: Send anonymous system data and usage statistics to VMware. Learn More.']
Sending system and usage data can be disabled if required. Click Next to continue.
[Screenshot: VMware Workstation Setup, Shortcuts: 'Select the shortcuts you wish to place on your system. Create shortcuts for VMware Workstation in the following places: Desktop; Start Menu Programs folder.']
Default options for creating shortcuts on the Desktop and Start Menu are enabled, but can be disabled if required. Click Next to continue.
69. …[Clonezilla screenshot: MBR found (sdb.mbr). 'The value of hard drive from EDD will be used for sfdisk' (BIOS EDD facility v0.16 2004-Jun-25, 2 devices found; heads and sectors of /dev/sdb from EDD: 255/63). Searching for data partition(s); excluding busy partitions or disks and unmounted partitions (including extended or swap); 'Collecting info done'. Then: 'WARNING! THE EXISTING DATA IN THIS HARDDISK/PARTITION(S) WILL BE OVERWRITTEN! ALL EXISTING DATA WILL BE LOST: sdb (160.2GB_VMware_Virtual_S_No_disk_serial_no). Machine: VMware Virtual Platform. Are you sure you want to continue? [y/n] y. OK, let's do it!! Will create the partition on the target machine. Let me ask you again…' and the same warning repeated with a second 'Are you sure you want to continue? [y/n]' prompt.]
In case you change your mind, you can abandon the cloning now. Since we should really know what we are doing, press 'y' then Enter to continue.
[Clonezilla screenshot: sfdisk partition table listing for sdb (Device, Boot, Start, End, Id, System): sdb1 starting at sector 63, Id 7, HPFS/NTFS/exFAT; the remaining entries Empty.]
70. …[Screenshot: Windows boot error screen in the VFC New Virtual Machine: 'We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this. If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked. If a previous startup attempt was interrupted due to a power failure or because the Power or Reset button was pressed, or if you aren't sure what caused the problem, choose Start Windows Normally.' Options: Safe Mode; Safe Mode with Networking; Safe Mode with Command Prompt; Last Known Good Configuration (your most recent settings that worked); Start Windows Normally. 'Use the up and down arrow keys to move the highlight to your choice. Seconds until Windows starts: 27.']
Power off and close (rather than suspend) the Virtual Machine.
[Screenshot: the same Windows boot error screen in VMware Workstation, with the 'Seconds until Windows starts' countdown at 26 and a VMware 'Do not show this message again' prompt.]
71. …circumstances whereby the user wishes to boot from a CD or an attached ISO image.
In order to access any of the boot options via the available boot keys, it is first necessary to give focus to the VMware application. Once you power on the virtual machine, move the mouse to a point inside the VMware boot screen and left click until the mouse cursor disappears. At this point, access to the virtual keyboard will be enabled and pressing the Esc key will display the Boot Menu.
VFC will set the boot delay to 3 seconds (3000 milliseconds) to allow easier access to the boot menu. This value can be manually increased further by editing the generated vmx file and adjusting the value for bios.bootDelay. To allow a 10 second delay, set this value to 10000.
[Screenshot: VFC New Virtual Machine boot screen in VMware Workstation.]
Once the desired boot option has been selected (or automatically, if the boot menu is not accessed), the boot process will continue and either the logon screen will be displayed or, if the user account has not been password protected, the desktop will be displayed.
[Screenshot: VFC New Virtual Machine in VMware Workstation, Microsoft Windows splash screen, 'Copyright Microsoft Corporation'.]
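As an added example (not code from the VFC guide or from VMware), a small Python helper that sets bios.bootDelay in a generated .vmx file, keeping every other line as VFC wrote it; the .vmx text it carries is a constructed sample, and the 60000 ms upper bound is a sanity limit chosen here, not a VMware limit.

```python
"""Adjust bios.bootDelay in a VMware .vmx file (added example, not VFC's code).

A .vmx file is plain text, one `key = "value"` entry per line. VFC writes
bios.bootDelay = "3000" (milliseconds); raising it, e.g. to 10000, gives
more time to press Esc for the Boot Menu. This helper rewrites that entry,
or appends it if the generated file has none, and leaves all other lines
untouched so the change is easy to diff against the original file.
"""
import re
from pathlib import Path

# VMware treats .vmx keys case-insensitively; values are normally quoted.
_BOOT_DELAY_RE = re.compile(r'^\s*bios\.bootDelay\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)

# Constructed sample in the style of a generated .vmx (not a real VFC file).
SAMPLE_VMX = (
    '.encoding = "windows-1252"\n'
    'config.version = "8"\n'
    'virtualHW.version = "8"\n'
    'displayName = "VFC New Virtual Machine"\n'
    'bios.bootDelay = "3000"\n'
    'scsi0:0.fileName = "New Virtual Disk.vmdk"\n'
)


def get_boot_delay(vmx_text: str) -> int:
    """Return the configured boot delay in ms; assumed 0 when the key is absent."""
    for line in vmx_text.splitlines():
        match = _BOOT_DELAY_RE.match(line)
        if match:
            return int(match.group(1))
    return 0


def set_boot_delay(vmx_text: str, delay_ms: int) -> str:
    """Return vmx_text with bios.bootDelay set to delay_ms.

    Every existing bios.bootDelay line is collapsed into a single entry so the
    file cannot carry conflicting values; if there is none, one is appended.
    """
    if not 0 <= delay_ms <= 60_000:  # sanity bound chosen here, not a VMware limit
        raise ValueError("boot delay must be between 0 and 60000 ms")
    new_entry = f'bios.bootDelay = "{delay_ms}"'
    out = []
    replaced = False
    for line in vmx_text.splitlines():
        if _BOOT_DELAY_RE.match(line):
            if not replaced:
                out.append(new_entry)
                replaced = True
            continue  # drop any duplicate bootDelay lines
        out.append(line)
    if not replaced:
        out.append(new_entry)
    return "\n".join(out) + "\n"


def update_vmx_file(path: Path, delay_ms: int) -> int:
    """Rewrite the .vmx at path in place; return the delay that was set before."""
    # latin-1 round-trips every byte, so a windows-1252 displayName survives.
    text = path.read_text(encoding="latin-1")
    previous = get_boot_delay(text)
    path.write_text(set_boot_delay(text, delay_ms), encoding="latin-1")
    return previous


if __name__ == "__main__":
    # Demonstrate on the constructed sample: 3 seconds -> 10 seconds.
    print(set_boot_delay(SAMPLE_VMX, 10000), end="")
```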
72. …[Screenshot: Windows Explorer, Favorites / Libraries / Computer / Network panes, listing MIP Setup 4.5.9.853 (Application, 29/06/2011 08:55), VFC2 Setup (Application, 11/11/2011 08:49), VMware-vix-disklib-5.0.0-427917.i386 and VMware-workstation-full-8.0.2-591240, with the right-click context menu open on VMware-vix-disklib-5.0.0-427917.i386 (Application, 37.9 MB, date modified 30/08/2011 12:03) showing Open, Run as administrator, Troubleshoot compatibility, Scan with Microsoft Security Essentials, Send to, Cut, Copy, Create shortcut, Delete, Rename, Properties.]
In Windows Explorer, navigate to the location where you have saved the installation files, right click on the VMware-vix-disklib-5.0.0-427917.i386.exe file (or whichever version you have access to) and select 'Run as administrator'. Please note that earlier versions of this application are not guaranteed to work with VFC as expected and as such are unsupported.
[Screenshot: Welcome to the installer for VMware Virtual Disk Development Kit: 'The installer will install VMware Virtual Disk Development Kit on your computer. To continue, click Next. WARNING: This program is protected by copyright law a…']
73. …[Screenshot: VMware Virtual Disk Development Kit License Agreement, final clause ('…s to one or more VMware products as referenced in such materials.') with the options 'I accept the terms in the license agreement' / 'I do not accept the terms in the license agreement'.]
The End User License Agreement will be displayed. Accept the terms and click Next to continue.
[Screenshot: Destination Folder: 'Install VMware Virtual Disk Development Kit to: C:\Program Files (x86)\VMware\VMware Virtual Disk Development Kit\']
You can either accept the default installation folder (recommended) or change the installation location, and click Next.
[Screenshot: Ready to Install: 'The wizard is ready to begin the installation. Click Install to begin the installation or Cancel to exit the wizard. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.']
Click Install to begin the installation process.
[Screenshot: Installing: 'Please wait while the installer installs VMware Virtual Disk Development Kit. This may take several minutes.' Status bar.]
The installation may take several minutes.
[Screenshot: Installer Completed: 'The installer has successfully installed VMware Virtual Disk Development Kit. Click Finish to exit the wizard.']
Click Finish to exit the installation wizard.
Installation of Mount Image Pro
[Screenshot: Windows Explorer, Computer > 32GB USB (F:) > VFC2 Retail Install, Search…]
[Screenshot: Clonezilla console output at the end of the disk-to-disk clone. The text, as far as it can be read from the capture:]

Run grub-install on disk sdb... directory is NOT found. Maybe it does not exist (so other boot manager/system is not supported in the kernel). Skip running grub-install.
*****
Try to run partclone.ntfsfixboot for NTFS boot partition if it exists...
Scanning... Found NTFS boot partition among the restored partition(s): /dev/sdb
Head and no. of /dev/sdb from EDD: 255 63
The start of NTFS partition /dev/sdb1: 63
Adjust filesystem geometry for the NTFS partition... Running: partclone.ntfsfixboot -w -h 255 -t 63 -s …
ntfsfixboot version 1.0 ... done!
*****
If you want to use Clonezilla again:
(1) Stay in this console (console 1), enter command line prompt
(2) Run command "exit" or "logout"
*****
When everything is done, remember to use "poweroff", "reboot" or follow the menu to do a normal poweroff/reboot procedure. Otherwise, if the boot media you are using is a writable device, such as a USB flash drive, and it's mounted, poweroff/reboot in abnormal procedure might make …
…store function to rewind the machine to an earlier date. During the Reboot stage the system WILL … error. This is expected behaviour. When this happens, Power Off the VM, then use … VM disk and partition. Once selected, apply the appropriate patches.

1. You will need to re-install VMware Tools and …

[Screenshot: VFC window showing D:\VFC DEMO\VFC\New Virtual Machine.vmx, New Virtual Disk-000002.vmdk, Volume 1 142742 MB HPFS/NTFS; "Written and Developed by Michael A Penhallurick 2005-2010".]

When the machine has been patched you can launch the Virtual Machine and continue the restoration process.

NB: A full restoration to an available restore point may take some considerable time.

When the system completes its boot sequence you may again experience alert messages relating to hardware devices, including requests to restart the computer for new devices to take effect.

[Screenshot: VMware Workstation running "VFC New Virtual Machine". System Restore reports "Restoration Complete: Your computer has been successfully restored to 12 July 2010 (Installed iTunes). If this restoration does not correct the problem you can choose another restore point." A second dialog reads "Windows has finished installing new devices. The software that supports your device requires that you restart your computer. You must restart your computer before the…"]
[Screenshot: Add Hardware Wizard hardware type list (… Generic SCSI Device).]

[Screenshot: Add Hardware Wizard, "Select a Disk: Which disk do you want to use? A virtual disk is composed of one or more files on the host file system, which will appear as a single hard disk to the guest operating system. Virtual disks can easily be copied or moved on the same host or between hosts." Options: Create a new virtual disk; Use an existing virtual disk (choose this option to reuse a previously configured disk); Use a physical disk (for advanced users: choose this option to give the virtual machine direct access to a local hard disk).]

The default option is to Create a new virtual disk, so just click Next.

[Screenshot: Add Hardware Wizard, "Select a Disk Type: What kind of disk do you want to create?" with the Virtual disk type choice and the Mode options Independent ("Independent disks are not affected by snapshots"), Persistent and Nonpersistent changes.]

Select the appropriate Virtual disk type: if your VFC VM is using SCSI disks then select SCSI here. You can ignore the disk mode at this stage.

[Screenshot: Add Hardware Wizard, "Specify Disk Capacity: How large do you want this disk to be? Maximum disk size (GB): 149.2. Recommended size for Windows XP Professional: 40 GB. Allocate all disk space now: allocating the full capacity can enhance performance but requires all of the physical disk space to be available ri…"]
…tion where you have saved the installation files, right-click on the VMware-workstation-full-8.0.2-591240.exe file (or whichever version you have access to) and select "Run as administrator".

[Screenshot: VMware Workstation 8 Setup splash screen ("Now Loading…") with the VMware copyright and patent notice.]

There should be little need to answer any of the installation prompts with other than Next.

[Screenshot: "Welcome to the installation wizard for VMware Workstation. The installation wizard will install VMware Workstation on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties."]

A typical installation of Workstation should suffice. Click Next to proceed.

[Screenshot: VMware Workstation Setup, "Setup Type: Choose the setup type that best suits your needs. Typical: typical program features will be installed. Custom: choose which program features you want installed and where they will be installed; recommended for advanced users."]

Either accept the default installation folder (recommended) o…
…user accounts. When Password Bypass has been applied, access will be available to any relevant user profile present on the system.

On occasion VFC may be unable to successfully patch the virtual memory to enable a password bypass. In these instances VFC can extract relevant system information, which is encrypted into a VFC2 PWB file, for return to the author so that additional research can be undertaken. No user-identifiable information is stored within the PWB file.

Once you have successfully accessed the desired account, the installed OS will begin to identify new hardware that is detected as a result of the transition to a virtual environment, as well as identifying that expected hardware is no longer available. You will most likely experience a number of message boxes indicating that driver files are being updated/installed. It is likely that certain drivers may not be immediately available, such as the Video Controller (VGA Compatible). Some drivers will become available after the installation of the VMware Tools package; others (e.g. Sound on Windows Vista) may require additional manual intervention.

[Screenshot: VMware Workstation running "VFC New Virtual Machine", with the Found New Hardware Wizard: "Welcome to the Found New Hardware Wizard. This wizard helps you install software for: Video Control…"]
[Screenshot: the VFC main window (Virtual Forensic Computing) with the tabs VFC Main, Modify Hardware, Restore Points, Password Bypass and About. Source drive: PhysicalDrive4, LBA 312581808, CHS 19458/255/63. Volume list: Volume 1, 142741 Mb, NTFS, Bootable; Volume 2, 9883 Mb, NTFS; Unused space at end of disk, 2 Mb. Guest Operating System: Microsoft Windows, Version: Autodetect; "Auto Analyse Partitions" ticked. Virtual Machine Name (.vmx assumed): New Virtual Machine; Virtual Disk Name (.vmdk assumed): New Virtual Disk. Buttons: Options, Clear Log File, View Log File, Open Existing VM. Dongle Serial 01163, Dongle Expiry Date 19/06/2013, License Status 499 days remaining. "Created, Written and Developed by Michael A Penhallurick 2005-2011".]

You will now need to select the appropriate boot partition. The boot partition will typically be the partition marked Bootable, but it should be noted that on systems such as Windows Vista and above the boot partition may actually be the second volume listed. The same would also be true for multi-boot systems where the OS required to be VFC'd is on a different partition than the boot code for the drive.

If the Auto Analyse Partitions check box is selected, selecting any of the available partitions will lead to an attempt to auto-detect the installed Windows OS version. This analysis will also try to extract relevant information relating to the installed Windows OS version, which will then be displayed in th…
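As an added example (not code from the VFC guide or from MD5 Limited) of where the "Bootable" marker in the volume list comes from, the script below decodes a master boot record, lists each partition with its active flag, and sanity-checks the table against the drive's sector count before anything is trusted. The 512-byte sector is constructed inside the block: the partition starts and sizes are assumed values, and only the drive size (LBA 312581808) is taken from the window shown above. The active flag is a hint rather than the answer: on Windows Vista and later the flagged partition is frequently a small system partition and the Windows installation sits on the next volume, which is the point the guide makes.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
BOOTABLE_FLAG = 0x80

# Well-known MBR partition type codes (a subset).
PART_TYPES = {0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}

# Sector count of the drive shown in the VFC window (LBA 312581808).
# The partition layout built below is constructed, not read from that drive.
DISK_SECTORS = 312581808


def parse_mbr(sector0: bytes) -> list:
    """Decode the four primary partition slots of an MBR; empty slots are skipped."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    parts = []
    for slot in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba_start, lba_count = struct.unpack_from(
            "<B3sB3sII", sector0, PART_TABLE_OFFSET + 16 * slot)
        if ptype == 0:          # unused slot
            continue
        parts.append({
            "index": slot + 1,
            "bootable": status == BOOTABLE_FLAG,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "lba_count": lba_count,
            "size_mb": lba_count * SECTOR_SIZE // (1024 * 1024),
        })
    return parts


def boot_candidates(parts: list) -> list:
    """Partitions carrying the active/bootable flag. On Vista and later this is often
    a small system partition, so the OS volume to select may be the one after it."""
    return [p for p in parts if p["bootable"]]


def check_layout(parts: list, disk_sectors: int) -> list:
    """Sanity checks before trusting the table: entries inside the disk, no overlaps."""
    issues = []
    prev_end = 0
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        end = p["lba_start"] + p["lba_count"]
        if end > disk_sectors:
            issues.append(f"partition {p['index']} ends at LBA {end}, beyond disk size {disk_sectors}")
        if p["lba_start"] < prev_end:
            issues.append(f"partition {p['index']} overlaps the previous partition")
        prev_end = max(prev_end, end)
    return issues


def _entry(bootable: bool, ptype: int, lba_start: int, lba_count: int) -> bytes:
    status = BOOTABLE_FLAG if bootable else 0x00
    # CHS fields carry the conventional "beyond CHS range, use LBA" filler.
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, lba_count)


def constructed_mbr() -> bytes:
    """A constructed sector 0: two NTFS partitions, the first marked bootable (assumed values)."""
    sector = bytearray(SECTOR_SIZE)
    table = (_entry(True, 0x07, 63, 292373505)
             + _entry(False, 0x07, 292373568, 20204000)
             + bytes(32))                       # two empty slots
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64] = table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(constructed_mbr())
    for p in parts:
        flag = "Bootable" if p["bootable"] else ""
        print(f"Volume {p['index']}: {p['size_mb']} MB {p['type']} start LBA {p['lba_start']} {flag}")
    print("issues:", check_layout(parts, DISK_SECTORS) or "none")
```

To run it against a real image, read the first 512 bytes of the forensic image (or of the physical drive via a write blocker) and pass them to parse_mbr; check_layout is worth running first, since a table that runs past the end of the image or overlaps itself is the usual sign of a damaged or deliberately altered MBR, and GPT-partitioned disks will show only a single protective 0xEE entry here.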
[Screenshot: file listing of the VM folder: New Virtual Machine.vmx (3 KB), New Virtual Machine-Snapshot1.vmsn (11 KB), New Virtual Machine-Snapshot2.vmsn (11 KB), New Virtual Machine-Snapshot3.vmsn (20 KB).]

Note that the Clone of New Virtual Machine.vmdk only occupies 27.9 GB of disk space even though it is capable of increasing in size to the full 149.2 GB capacity. The Clone of New Virtual Machine-000001.vmdk is the snapshot file that was created to preserve the state of the original cloned disk. Subsequent disk writes will be captured in this snapshot file and can be discarded, if desired, by using the Revert to Snapshot function of VMware Workstation.

Known Issues & Troubleshooting

Cannot open the disk

[Screenshot: VMware error dialog: "Cannot open the disk 'D:\VFC DEMO\VFC\New Virtual Disk-000002.vmdk' or one of the snapshot disks it depends on. Reason: The parent virtual disk has been modified since the child was created."]

There may be occasions when the VFC generation appears to function seamlessly, yet a message similar to that displayed above is encountered when starting the machine. This issue is caused by an inconsistency in the time stamps of the generated virtual disk cache files and has been found to occur most often when Windows Explorer is open during the generation process. This is believed to cause an issue with cleanly dismounting the disk cache via vmware-mount. There are several methods to resolve this issue if it is encountere…
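The "parent virtual disk has been modified since the child was created" message is the one VMware reports when a snapshot's parentCID field no longer matches the CID of the disk named in its parentFileNameHint; VMware assigns a disk a fresh CID when its contents change, so a base disk written to after the snapshot was taken breaks the chain. As an added example (not the guide's or VFC's own code), the script below parses VMDK text descriptors and walks the chain from the disk named in the .vmx back to the base disk, reporting the first mismatch it finds. The descriptors and their CID values are constructed inline and modelled on the file names shown in this section; they are not real files from the guide.

```python
import re

# parentCID value VMware writes on a base disk that has no parent.
NO_PARENT_CID = "ffffffff"


def parse_descriptor(text: str) -> dict:
    """Collect the key=value lines of a VMDK descriptor; comments and extent lines are ignored."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^([\w.]+)\s*=\s*"?(.*?)"?$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_snapshot_chain(descriptors: dict, leaf: str) -> list:
    """Walk from the leaf disk (the one named in the .vmx) to the base disk.

    descriptors maps file name -> parsed descriptor. Returns a list of problem
    strings; an empty list means every child's parentCID matches its parent's CID.
    """
    problems, seen, name = [], set(), leaf
    while name not in seen:
        seen.add(name)
        d = descriptors.get(name)
        if d is None:
            problems.append(f"{name}: descriptor not found")
            return problems
        parent_cid = d.get("parentCID", "").lower()
        if parent_cid == NO_PARENT_CID:
            return problems                      # base disk reached, chain is consistent
        parent = d.get("parentFileNameHint")
        if not parent:
            problems.append(f"{name}: parentCID {parent_cid} set but no parentFileNameHint")
            return problems
        pd = descriptors.get(parent)
        if pd is None:
            problems.append(f"{name}: parent {parent} not found")
            return problems
        if pd.get("CID", "").lower() != parent_cid:
            problems.append(f"{name}: parentCID {parent_cid} does not match CID {pd.get('CID')} "
                            f"of {parent} (parent modified since child was created)")
            return problems
        name = parent
    problems.append(f"{name}: cycle in parent chain")
    return problems


def constructed_chain(base_cid: str = "fffffffe") -> dict:
    """Constructed descriptors (assumed CIDs) for a base disk and two snapshots, named
    after the files shown in this section. Passing a different base_cid simulates the
    base disk having been modified after the snapshots were taken."""
    base = f"""# Disk DescriptorFile
version=1
CID={base_cid}
parentCID=ffffffff
createType="monolithicSparse"

# Extent description
RW 312581808 SPARSE "New Virtual Disk.vmdk"

# The Disk Data Base
#DDB
ddb.geometry.cylinders = "19458"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
"""
    snap1 = """# Disk DescriptorFile
version=1
CID=5a1e0c07
parentCID=fffffffe
createType="monolithicSparse"
parentFileNameHint="New Virtual Disk.vmdk"
RW 312581808 SPARSE "New Virtual Disk-000001.vmdk"
"""
    snap2 = """# Disk DescriptorFile
version=1
CID=9b3c1d2a
parentCID=5a1e0c07
createType="monolithicSparse"
parentFileNameHint="New Virtual Disk-000001.vmdk"
RW 312581808 SPARSE "New Virtual Disk-000002.vmdk"
"""
    return {
        "New Virtual Disk.vmdk": parse_descriptor(base),
        "New Virtual Disk-000001.vmdk": parse_descriptor(snap1),
        "New Virtual Disk-000002.vmdk": parse_descriptor(snap2),
    }


if __name__ == "__main__":
    leaf = "New Virtual Disk-000002.vmdk"
    print("intact chain:", check_snapshot_chain(constructed_chain(), leaf) or "OK")
    print("base rewritten:", check_snapshot_chain(constructed_chain("0badc0de"), leaf))
```

On a real VM, feed parse_descriptor the descriptor text of each disk in the folder: for split disks that is the small .vmdk text file (not the -s001.vmdk extents), while a monolithic sparse disk carries the same text near the start of its single .vmdk. Running the check before editing anything tells you which link is broken, so that only that child's parentCID needs correcting rather than regenerating the whole VM.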