ForensicVM is a comprehensive project designed to assist forensic investigators in the virtualization of forensic images. By utilizing advanced technologies and tools, ForensicVM simplifies the process of analyzing and examining digital evidence in a virtualized environment.
The project consists of two essential components: the ForensicVM client, which is an Autopsy plugin, and the ForensicVM server. These components work seamlessly together to provide a powerful and efficient forensic virtualization solution.
The ForensicVM server, developed using Django and Python, serves as the backbone of the system. It is recommended to install the server on Debian 11, which in turn should be set up on a dedicated bare metal server. This configuration ensures optimal performance and stability for your forensic investigations.
Please note that installing the ForensicVM server on a hypervisor is not recommended. The ForensicVM server itself acts as the hypervisor, and running it within a nested setup may result in unpredictable behavior and performance issues. To maintain the integrity and reliability of your forensic analysis, it is advised to adhere to the recommended server installation setup.
To get started with ForensicVM, your first step is to install the server. For detailed instructions, please refer to the installation section, where you will find step-by-step guidance on setting up the server environment correctly.
Once the server is up and running, you can explore the various capabilities and features of ForensicVM by diving into the usage section. This section provides comprehensive information on how to make the most out of the project, including tips, best practices, and real-world scenarios.
Additionally, if you require a deeper understanding of the technical aspects and functionalities of ForensicVM, see the ForensicVM server API section. It offers an in-depth exploration of the project’s application programming interface, empowering advanced users to leverage the full potential of the platform.
I would like to emphasize that ForensicVM is an actively developed project. I’m continuously working on enhancing its capabilities, improving performance, and adding new features. Stay tuned for updates and exciting developments as I strive to deliver the most effective and reliable forensic virtualization solution available.
Thank you for choosing ForensicVM. I am confident that it will greatly streamline your forensic investigations and contribute to the success of your work.
The first step is to install the server. Head to the installation section.
Check out the usage section for further information on working with the project once it is installed.
ForensicVM is an innovative tool designed to streamline the process of digital forensics. By leveraging advanced virtualization technology, ForensicVM allows for the secure and efficient analysis of forensic images, making it an invaluable tool for cybersecurity professionals, digital forensics investigators, and information security teams.
ForensicVM offers a range of features designed to enhance the forensic analysis process:
Virtualization of Forensic Images: ForensicVM enables the creation and management of virtualized instances of forensic images, paving the way for a more flexible and scalable analysis process. This virtualization can be executed either through a snapshot linked to the investigator’s storage for quick selection or by full conversion, which transfers and converts the image to a remote server to maximize the VM’s performance and features.
Forensic Image Lifecycle Management: ForensicVM equips users with tools for managing every step of a forensic image’s lifecycle, from creation to decommissioning. Convert the forensic image into a VM, start, stop, reset, snapshot, and safely delete the forensic image when it is no longer required.
Advanced Analysis Tools: Equipped with a suite of powerful analysis tools, ForensicVM assists investigators in uncovering vital evidence.
Integrated Hypervisor: The ForensicVM Server features a robust hypervisor based on QEMU and KVM to guarantee efficient execution and management of virtual machines.
Collaboration: ForensicVM is web-based, which lets forensic investigators collaborate remotely and securely. Team members can work on the same investigation simultaneously from different locations, with encrypted connections protecting the confidentiality and integrity of the investigation.
Plugin Architecture: Plugins applied to the forensic virtual machine enable security bypassing, like creating new admins, resetting Windows activation, patching accessibility, and also allow the community to develop custom solutions that interact with ForensicVM.
Evidence Disk: An additional disk is automatically created with all tags from Autopsy Software, enabling easy and practical gathering and importing of evidence back to Autopsy.
Optional Network Card: Disabled by default. When enabled, pre-installed firewall rules protect the local network from the potentially hostile guest, and all of the VM’s traffic is recorded on the server in Wireshark PCAP format.
On-the-Fly Memory Dumps: Capability to create volatility memory dumps at any moment.
Integrated Screenshots: Removes the need for an extra screenshot program.
Integrated Video Recording: Ability to record individual videos with a maximum duration of three hours, providing additional evidence if required.
Media Management: ISO management allows investigators to use their own tools during the investigation.
Snapshot Management: Freeze the VM in time and recall a previous state to perform “what if” tests.
Fine-tuning: Adjust machine memory size and set the VM start date as needed.
Warning
The network card is currently a work in progress. Under certain circumstances the firewall rules may fail, potentially exposing your network to malicious actors. Note also that although the rules protect your internal network, your external IP address may still be revealed if a command-and-control (C2) client is installed on the guest. Proceed with caution.
Important
Video recording is also still under development. Currently, the recordings lack audio. This limitation is expected to be addressed in future updates.
ForensicVM can be used in a variety of scenarios, including but not limited to:
Cybersecurity Investigations: In the world of ever-evolving cyber threats, ForensicVM can be employed by investigators to thoroughly analyze cyberattacks. It allows experts to delve into the intricate details of these attacks, discover the tactics, techniques, and procedures (TTPs) deployed by adversaries, and thereby contribute to the broader understanding of emerging cyber threats.
Incident Response: ForensicVM plays a pivotal role in the incident response process, helping to mitigate the impact of security incidents. In the aftermath of a security breach, it can quickly analyze the affected system, extracting crucial data that aids in understanding the extent of the compromise. This swift and thorough analysis can contribute to expedited recovery processes, aid in damage control, and provide insights for strengthening defenses to thwart future incidents.
Training and Education: ForensicVM is an invaluable tool for training budding cybersecurity professionals. It offers a safe and controlled environment for trainees to learn and practice forensic analysis. Facilitating hands-on experience enables learners to understand the nuances of digital forensics, teaching them to uncover and interpret the digital evidence left behind after cyber incidents. In academic settings, ForensicVM can be integrated into cybersecurity curricula, ensuring that the future generation of cyber defenders is well-versed in the practical aspects of forensic analysis.
Legal Investigations: ForensicVM can also be used in legal investigations where digital evidence plays a crucial role. Law enforcement agencies can use this tool to process and analyze digital evidence, which can provide vital leads in criminal investigations.
Corporate Audits and Investigations: Organizations can utilize ForensicVM in their internal audits and investigations. This tool can assist in identifying suspicious activities or misconduct, ensuring the organization’s policies and regulations are being adhered to, and maintaining a secure and compliant work environment.
We greatly appreciate the academic and scientific community for recognizing and using this work. Citing us not only shows respect for our efforts but also makes it easy to trace the genealogy of scientific thought. Thus, if you find this work beneficial or you use parts of it in your own research, projects, or products, we kindly ask you to properly reference it.
We offer two main contributions: our ForensicVM Autopsy User Manual and the Autopsy ForensicVM Client Plugin software. Below are their BibTeX entries for your convenience.
@misc{Mourinho_forensicVmAutopsyUserManual_2023,
  doi       = {10.5281/ZENODO.8274587},
  url       = {https://zenodo.org/record/8274587},
  author    = {Mourinho, Nuno},
  language  = {en},
  title     = {nunomourinho/forensicVmAutopsyUserManual: v1.0.0},
  publisher = {Zenodo},
  year      = {2023},
  copyright = {European Union Public License 1.2}
}
A minimum of 16 GB RAM is required. From the official Autopsy documentation website: “We recommend a minimum of 16GB of RAM. By default, Autopsy will use a maximum of 4GB of RAM (not including memory that the Solr text indexing server uses).”
A network connection is required for software updates and to access cloud-stored forensic images. Additionally, a robust internet connection with high upload speeds is necessary to expedite the virtualization process if there is a need to convert forensic images into forensic VMs.
A display with a resolution of 1920x1080 or higher is recommended for the best experience. If possible, use a two-monitor setup: one for the Autopsy plugin and the other for ForensicVM server control.
The ForensicVM plugin requires administrator privileges for installation and for certain high-privilege operations, such as creating read-only Windows shares.
To ensure that ForensicVM operates efficiently on your system, our server must meet or exceed the following requirements:
A 64-bit multi-core processor is recommended for optimal performance. This will facilitate smoother operation, particularly when managing complex tasks.
At least 16 GB of RAM is required; more is recommended when several forensic images are virtualized simultaneously, so that concurrent tasks run without loss of performance.
A minimum of 2 GB of free disk space is needed for the ForensicVM installation itself.
Additional storage will be required for forensic images. The amount will depend on the size of the images you will be working with. At least 1 TB of disk space, configured in RAID 10, is recommended.
The use of NVMe or SSD is not strictly necessary but is recommended, as it can significantly speed up the virtualization process.
Important
Remember to account for the extra space needed for virtual ISO CD-ROM or DVD with your own tools. These might require additional storage depending on your specific requirements.
A network connection is necessary; at least a gigabit link is recommended. Converting forensic images to virtual machines and downloading pcap files, videos or evidence disks all put significant load on the network, so reliable hosting with high upload and download rates is important.
The installation handles dependencies automatically. A dedicated bare-metal server running Debian 11 (Bullseye) is necessary, and the hardware must support virtualization (VT-x/AMD-V). The installation creates a new forensic hypervisor server based on QEMU.
ForensicVM requires root privileges for installation and to execute specific high-privilege operations, such as converting forensic images to virtual machines, managing the ForensicVM lifecycle, and controlling various security and administrative functions within the system. These elevated permissions are essential in allowing the software to interact with core system components, manipulate disk images securely, and handle complex virtualization tasks.
The AutopsyVM client plugin is a valuable addition to Autopsy, enhancing its functionality for digital forensics. Follow the steps below to install the plugin.
Download the latest version of the ForensicVM.exe setup file from the [AutopsyForensicVM GitHub Releases](https://github.com/nunomourinho/AutopsyForensicVM/releases) page. Navigate to the “Assets” section and download the setup file.
Follow the on-screen instructions to complete the installation. Once the installation is finished, you can proceed with using the AutopsyVM client plugin in Autopsy.
Step 12: Configure Windows Share over Forensic SSH Server Redirection
The ForensicVM server accesses forensic images by opening a reverse SSH connection to your computer and reading a local Windows share through that tunnel over the internet. The reverse SSH connection is what makes the Windows share access safe: the share is reached only through the encrypted tunnel. Configure the ForensicVM server SSH address and port now:
1. Fill in the SSH Server Address and port number.
2. Press the button to copy the SSH key to the server.
Press the Autofill info button to autofill the Windows share information with the Share login and local and the remote path to share. This info is extracted from the forensic image’s current path.
Step 16: Configure the share login and the share password
The share login and share password are those of a Windows local user. It does not need to be an Administrator account; a regular user is enough. The account does not even need to exist yet: it is created when you press the Create share button.
Step 19: Testing the forensicVM image Windows share over ssh
Press the Test Windows share button to check whether the server can connect to the Windows share through the reverse SSH connection. If everything is OK, a Windows alert states that the connection was successful.
Testing the forensicVM image Windows share over ssh
Caution
Ensure to use a secure Windows username and password for your share. Although this share is protected over the internet by your SSH private key, on the Windows network, your username and password could be a potential vulnerability. We recommend a dedicated, strong username and password for your share, which can be reused for multiple forensic image shares if necessary.
Note
Please configure your firewall to allow local access to your Windows shares. You can restrict the Windows share to be accessible only by your own computer. If needed, please seek assistance from your system administrator to perform this task.
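The reverse-SSH share access configured in the steps above can be reproduced outside the plugin. The following is an added example, not ForensicVM’s own code: it builds the `ssh -R` command the investigator’s workstation would run and the `mount -t cifs` command the server would run through the tunnel, refuses a reverse forward that is not bound to loopback (otherwise the share would be reachable from the server’s public interfaces), and stores the share password in a 0600 credentials file instead of on the command line. Host names, port 14445, the share name and the mount point are hypothetical; the exact flags ForensicVM uses are not shown on this page.

```python
import ipaddress
import os
import shlex
import stat
import subprocess
import tempfile


def safe_bind(addr):
    """True only for loopback addresses: the reverse-forwarded port must not be
    reachable from the server's public interfaces."""
    return ipaddress.ip_address(addr).is_loopback


def reverse_tunnel_command(ssh_user, ssh_host, ssh_port, remote_port,
                           remote_bind="127.0.0.1", local_smb="127.0.0.1:445"):
    """ssh command run on the investigator's workstation (assumed flags).

    -R binds remote_port on the server and forwards it back to the local SMB
    service on TCP 445, so the server reaches the share only via the tunnel.
    """
    if not safe_bind(remote_bind):
        raise ValueError("reverse forward must bind to loopback, got %r" % remote_bind)
    return [
        "ssh", "-N",                        # tunnel only, no remote shell
        "-o", "ExitOnForwardFailure=yes",   # fail loudly if remote_port is taken
        "-o", "ServerAliveInterval=30",     # notice a dead tunnel quickly
        "-p", str(ssh_port),
        "-R", f"{remote_bind}:{remote_port}:{local_smb}",
        f"{ssh_user}@{ssh_host}",
    ]


def write_cifs_credentials(directory, share_user, share_password):
    """mount.cifs credentials file created with mode 0600, so the Windows
    password never appears on a command line or in process listings."""
    path = os.path.join(directory, "smb-credentials")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={share_user}\npassword={share_password}\n")
    return path


def credentials_mode(path):
    """Permission bits of the credentials file, for checking it stayed 0600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mount_command(remote_port, share_name, mountpoint, credentials_path):
    """mount command run on the server, reaching the share through the tunnel.
    'ro' is non-negotiable: the forensic image is never written."""
    opts = f"ro,port={remote_port},credentials={credentials_path},vers=3.0"
    return ["mount", "-t", "cifs", f"//127.0.0.1/{share_name}", mountpoint, "-o", opts]


def run(cmd, dry_run=True):
    """Return the command as a shell string; execute it only when dry_run=False."""
    text = shlex.join(cmd)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return text


def demo():
    """Dry run against hypothetical hosts and names (nothing is executed)."""
    creds = write_cifs_credentials(tempfile.mkdtemp(), "fvmshare", "use-a-long-random-password")
    return {
        "tunnel": run(reverse_tunnel_command("forensicvm", "server.example.org", 22, 14445)),
        "mount": run(mount_command(14445, "images", "/forensicVM/mnt/case", creds)),
        "credentials_mode": credentials_mode(creds),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two commands run on different machines: the tunnel on the workstation that holds the image, the mount on the server once the tunnel is up. Binding the remote side to 127.0.0.1 and mounting with `ro` are the two settings worth checking whenever the share test in the step above fails and someone is tempted to "open things up".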
Before you can use ForensicVM, you must first install the software on your system. To do this, follow the steps outlined in the Installation and Setup.
Your first step is to run the ForensicVM Client Plugin from Autopsy: right-click the data source and choose “Run Ingest Modules”. After the ingest modules run, the ForensicVM Client Plugin main interface opens.
Autopsy ForensicVM Client Plugin: A Comprehensive Interface Guide
The Autopsy ForensicVM Client Plugin serves as a pivotal hub for forensic analysts. This interface is designed for interactive engagement with forensic images, subsequently allowing users to transform these images into a forensic virtual machine (ForensicVM). Here’s a breakdown of its primary functionalities on the Autopsy ForensicVM Client Plugin main interface:
Prior to exploring the main functionalities, it’s paramount to configure the plugin’s settings. This preliminary setup is generally executed during the Installation and Setup.
Virtualize Tab:
This tab houses the primary operations. Specifically, users can:
Control the ForensicVM: Open webscreen console, Start, Stop, Shutdown, Reset, or Delete.
Manage Media: Organize the media relevant to forensic analysis.
Manage Plugins: Run individual plugins.
Handle Snapshots: Capture and revert the ForensicVM to various states.
Capture Screenshots: Record specific instances or frames within the ForensicVM.
Memory Management: Generate and retrieve memory dumps, vital for observing real-time operations within the ForensicVM.
Virtual Evidence Disk Management: Import and regenerate the virtual evidence disk, accumulating all potential pieces of evidence.
Network Management: Toggle network cards on or off, and capture pcap (packet capture) files for granular network investigations.
ForensicVM Customization: Modify the starting date/time, reallocate memory, among other settings.
Performance Analysis: Employ Netdata for comprehensive metric analysis of the ForensicVM’s operations.
Troubleshooting: Open an SSH connection directly into the ForensicVM’s directory on the server, or use the equivalent webshell for SSH access to the server through the browser.
Autopsy Case:
This tab displays the Autopsy case details, including the extant case tags (utilized for case folder creation) and the generated UUID. This UUID is unique and becomes the name for the foundational directory of the forensic virtual machine.
Output Console:
This console captures all system messages. It’s a valuable tool for debugging or ascertaining the final state of operations.
About:
Contains copyright details pertaining to the ForensicVM Client.
This tab facilitates access to auxiliary virtualization functions:
Media - Oversee media operations. Upload ISO files to the server and manage actions such as insert, eject, and delete.
Plugins - Choose and execute a specific plugin. Introduce new forensic administrators, bypass passwords, reset activations, and navigate security protocols to delve into user profiles.
Snapshots - Take and revert the ForensicVM to various points in time.
Finetuning - Adjust memory capacity and define the initial start date.
Based on the selected tab option, the main panel showcases different functionalities. For instance, when the Media tab is chosen, the corresponding list or form materializes in this space. Action buttons are located at the bottom. Among these, enabled buttons signify available actions, while disabled ones represent currently unavailable actions. These buttons toggle between enabled and disabled based on the ForensicVM machine’s status or existence.
The notification area serves as the designated space for displaying notifications, warnings, and error pop-ups, tailored to specific events. Whenever there’s a need to apprise the user or when the system requires user interaction, a pop-up emerges in this area, seeking the user’s attention or input.
These two buttons facilitate the transformation of the forensic image into a forensic virtual machine:
Virtualize - a) Convert to VM:
This option converts the forensic image into a forensic virtual machine by copying it onto the forensicVM hypervisor server.
Virtualize - b) Link to VM:
This option establishes a link between the remote forensic virtual machine and the local forensic image.
For both methods, the remote forensicVM integrates an overlay of information. This includes additional drivers and outcomes from the execution of security plugins or actions taken by forensic investigators on the machine. Importantly, this approach ensures the preservation of the original forensic image’s integrity.
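The overlay described above is the standard QEMU pattern: a qcow2 file whose backing file is the original image, so every guest write lands in the overlay and the original is only read. The following added example (not ForensicVM’s code) shows the `qemu-img` invocation that creates such an overlay, strips write permission from the base image first, and verifies with SHA-256 that the base is byte-for-byte unchanged afterwards, which is the check a practitioner wants before attaching the VM’s results to a case. The 1 MiB file it hashes is a constructed stand-in for a disk image; `qemu-img` is only run if it is installed.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def protect_base(base_image):
    """Drop all write bits on the original image before any tool touches it."""
    os.chmod(base_image, 0o444)


def overlay_command(base_image, base_format, overlay_path):
    """qemu-img invocation creating a qcow2 overlay backed by the original image.
    Every guest write goes to overlay_path; the backing file is opened read-only."""
    return ["qemu-img", "create", "-f", "qcow2",
            "-b", os.path.abspath(base_image), "-F", base_format, overlay_path]


def demo():
    """Constructed stand-in image (not evidence): hash, create overlay, re-hash."""
    work = tempfile.mkdtemp()
    base = os.path.join(work, "evidence.raw")
    with open(base, "wb") as fh:  # MBR signature plus random filler
        fh.write(b"\x00" * 510 + b"\x55\xaa" + os.urandom(1024 * 1024 - 512))
    protect_base(base)
    before = sha256_file(base)
    cmd = overlay_command(base, "raw", os.path.join(work, "session.qcow2"))
    have_qemu = shutil.which("qemu-img") is not None
    if have_qemu:  # only executed when qemu-img is installed on this machine
        subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL)
    after = sha256_file(base)
    return {"command": cmd, "qemu_img_ran": have_qemu,
            "base_unchanged": before == after, "sha256": before}


if __name__ == "__main__":
    print(demo())
```

Record the base hash before the first boot and compare it against the acquisition hash in the case file; the overlay can be deleted and recreated at will (which is what the "Recreate" style operations on this page do for the evidence disk), while the base never changes.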
Use auxiliary tools for various forensic operations:
Import evidence disk into autopsy:
Import a virtual disk allowing forensic investigators to collect and gather potential evidence. This option lets you import the disk as a vmdk disk into Autopsy for reporting purposes.
Recreate evidence disk:
Delete and recreate the evidence disk.
Warning
This is a destructive action. Ensure to import the current evidence disk into Autopsy if it contains gathered evidence.
Analyze ForensicVM performance:
Utilize the Netdata software to pinpoint server bottlenecks, optimize server performance, and determine the root cause of any ForensicVM server issues.
Open ForensicVM Webshell:
Initiate an SSH-over-internet webshell connection to the server.
DEBUG: remote ssh to the folder:
Access an SSH shell inside the ForensicVM image folder, allowing edits and testing of the ForensicVM start script.
For security reasons, the network is disabled by default. Given that a machine could be compromised by malware, use this option with caution. When enabled, an internet firewall activates, blocking traffic to the local network but permitting internet access. Additionally, all traffic is recorded in the pcap (packet capture) file format.
Disable network card:
Deactivates the network card and saves a pcap file with all captured traffic to the server.
Download Wireshark pcap files:
Download all generated pcap files as a zip file, enabling investigators to analyze captured network traffic using tools like Wireshark or other network traffic analysis software.
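Given the warning elsewhere on this page that the network card’s firewall rules may fail under some circumstances, a useful habit is to check each downloaded capture for frames the guest sent towards the local network. The following added example (not part of ForensicVM) is a small reader for classic pcap files (the format named above; pcapng is not handled) that parses Ethernet/IPv4 frames and reports destinations in private, link-local or loopback ranges, except addresses you explicitly allow such as the VM’s gateway. The three-frame capture it builds is constructed for the demonstration.

```python
import ipaddress
import struct

# pcap magic numbers and the byte order they imply
_PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1


def iter_ipv4_packets(pcap):
    """Yield (ts_sec, src, dst, proto) for every IPv4-over-Ethernet frame."""
    endian = _PCAP_MAGICS.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack(endian + "HHiIII", pcap[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimal IPv4 header
            continue
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
            continue
        ip = frame[14:]
        if ip[0] >> 4 != 4:
            continue
        yield ts_sec, ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20]), ip[9]


def find_lan_leaks(pcap, allowed=()):
    """Frames to private/link-local/loopback destinations not in `allowed`.
    An empty result means the firewall held for this capture."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed}
    leaks = []
    for ts, src, dst, proto in iter_ipv4_packets(pcap):
        if dst in allowed:
            continue
        if dst.is_private or dst.is_link_local or dst.is_loopback:
            leaks.append((ts, str(src), str(dst), proto))
    return leaks


def _frame(src, dst, proto=6):
    """Constructed Ethernet + IPv4 frame with a 20-byte dummy payload."""
    eth = b"\x52\x54\x00\x12\x34\x56" + b"\x52\x54\x00\x65\x43\x21" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x00" * 20


def build_demo_pcap():
    """Constructed capture: guest 10.0.2.15 talks to the internet, a LAN host, and its gateway."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    flows = [("10.0.2.15", "8.8.8.8"), ("10.0.2.15", "192.168.1.10"), ("10.0.2.15", "10.0.2.2")]
    for i, (src, dst) in enumerate(flows):
        frame = _frame(src, dst)
        body += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return header + body


if __name__ == "__main__":
    for leak in find_lan_leaks(build_demo_pcap(), allowed=["10.0.2.2"]):
        print("LAN destination reached:", leak)
```

Pass the guest’s gateway (and the broadcast address if the guest uses DHCP) in `allowed`; anything else flagged is traffic the firewall should have dropped and belongs in the incident notes.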
The webscreen console, built on noVNC (an HTML5 VNC client), provides a visual and interactive gateway to the virtual screen of the remote ForensicVM. Alongside basic interaction, it offers an array of ForensicVM control options to support the forensic investigation. To access this console, select the Open ForensicVM option. Details follow:
The following figure elucidates the available options:
Overview of the ForensicVM Webscreen Console functionalities.
(1) Control bar open icon: By clicking on this icon, users can unveil the auto-hiding control bar that seamlessly overlays the main screen, bestowing access to an assortment of functionalities.
(2) Notification area: Strategically positioned at the top, this zone is dedicated to presenting error, notification, and warning messages.
(3) Main screen: Serving as the primary interface of the webscreen, during the boot sequence, users can hit the ESC key to dive into the BIOS or UEFI. This permits modifications to pivotal settings, with a prime focus on the boot device, especially when initiating a boot from an ISO.
Upon clicking the control bar open icon, users are presented with the Control Toolbar, illustrated below:
Overview of the Control Toolbar in ForensicVM Webscreen Console
The Control Toolbar facilitates the following actions:
Show Extra Keys: Displays icons representing frequently-used key combinations such as Ctrl+Alt+Del and the Windows key. Clicking these icons sends the corresponding key inputs to the ForensicVM.
Clipboard: Enables basic data transfer between the user’s environment and the ForensicVM, provided the QEMU agent is installed on the virtual machine.
Fullscreen: Expands the ForensicVM webscreen to occupy the entire display area.
Take a Screenshot: Captures the current view of the remote ForensicVM.
Enable or Disable the Network Card: This function is self-explanatory.
Insert or Eject Media: Facilitates the selection, insertion, and ejection of CD-ROMs or DVDs containing additional forensic tools.
Video Recording: Initiates, terminates, and downloads video recordings at a rate of 30 frames per minute.
Manage Chain of Custody: 1) Generate and download the chain of custody records document; 2) Save a comment on the chain of custody.
Virtual introspect: Take a memory dump and analyse it automatically with Volatility 3 memory introspection. Shows the current process tree, running command lines with their arguments, environment variables, processes that may contain injected code, network connections and listening network services.
Settings: Provides access to several webscreen console preferences. Notably, users can adjust the scaling mode. Setting it to “Local Scaling” ensures the remote display fits the browser window perfectly.
Power: Offers control over the ForensicVM’s power states, including shutdown, stop, and reset actions.
Disconnect: Ends the current webscreen session.
Logout: Signs the user out of the ForensicVM server.
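The chain-of-custody records generated from the toolbar are only as credible as their resistance to later editing. The following added example (not ForensicVM’s own record format, which this page does not show) illustrates the usual way to make such a log tamper-evident: each record carries a SHA-256 hash over the previous record’s hash and its own canonical JSON fields, so altering or reordering any earlier comment breaks every link after it. The records, actors and timestamps are constructed for the demonstration.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # hash "before" the first record


def _entry_hash(prev_hash, fields):
    """SHA-256 over the previous hash and a canonical JSON encoding of the record."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def append_entry(log, actor, action, comment="", evidence_sha256=None, ts=None):
    """Append one custody record that commits to the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    fields = {
        "seq": len(log),
        "ts": int(time.time()) if ts is None else ts,
        "actor": actor,
        "action": action,
        "comment": comment,
        "evidence_sha256": evidence_sha256,
        "prev": prev,
    }
    entry = dict(fields, hash=_entry_hash(prev, fields))
    log.append(entry)
    return entry


def verify_chain(log):
    """(True, None) if every link holds, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if fields.get("seq") != i or fields.get("prev") != prev:
            return False, i
        if _entry_hash(prev, fields) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def render(log):
    """Plain-text custody document, one line per record, hash prefix at the end."""
    return "\n".join(
        f"{e['seq']:04d} {e['ts']} {e['actor']:<12} {e['action']:<12} {e['comment']} [{e['hash'][:12]}]"
        for e in log
    )


def demo():
    """Constructed records, then a tampered copy to show the chain breaks."""
    log = []
    append_entry(log, "investigator", "vm-created", "Converted image to ForensicVM",
                 evidence_sha256="c0ffee" * 10 + "c0ff", ts=1700000000)
    append_entry(log, "investigator", "screenshot", "Desktop at first login", ts=1700000100)
    append_entry(log, "reviewer", "comment", "Memory dump requested", ts=1700000200)
    tampered = json.loads(json.dumps(log))
    tampered[1]["comment"] = "Desktop at first login (edited after the fact)"
    return {"intact": verify_chain(log), "tampered": verify_chain(tampered),
            "document": render(log)}


if __name__ == "__main__":
    result = demo()
    print(result["document"])
    print("intact:", result["intact"], "tampered:", result["tampered"])
```

The hash chain proves internal consistency, not authorship: to bind records to a person, sign the latest hash (or the whole document) with the investigator’s key when it is exported, and store that signature with the case.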
If you find that the screen appears cropped or that certain parts of the interface aren’t fully visible, you can adjust the scaling settings for a more optimal viewing experience. Here’s a comprehensive guide to making those adjustments:
Steps to Adjust Screen Scaling:
Reveal the Control Bar:
- Control Bar Open Icon: The control bar is typically hidden to provide a cleaner viewing area. By clicking on this icon, you’ll reveal a set of controls that overlay the main screen. These controls grant access to various functionalities.
Access Scaling Settings:
- Settings Icon: Once the control bar is visible, locate and click the settings icon. This leads to the settings or preferences area, where you can manage various aspects of the ForensicVM interface.
Modify Scaling Mode:
- Scaling Mode Adjustment: Inside the settings, find the option labeled “Scaling mode.” From the available choices, select “Local Scaling.” This adjustment ensures the interface perfectly fits within your screen, displaying all elements in their entirety.
A visual representation showcasing the process of adjusting the webscreen scaling to “Local Scaling” for an optimized, full-screen experience.
For enhanced collaboration, remote forensic investigators have the capability to log into a dedicated web interface. This platform not only facilitates shared control of the remote web interface but also empowers multiple investigators to access the same ForensicVM simultaneously. This multi-user functionality enables diverse investigative actions such as capturing screenshots, collecting potential evidences onto the evidence disk, and initiating video recordings.
A visual representation of the ForensicVM Server Web Control Interface
Interface Breakdown:
(1) VM Control Options:
Start: Power on the ForensicVM.
Stop: Power off the ForensicVM.
Shutdown: Properly shut down the ForensicVM, ensuring all processes are terminated correctly.
Reset: Reboot the ForensicVM.
Browse: Launch the ForensicVM’s web console, offering a visual interface to the VM.
(2) Notification Area: A dedicated space where various system communications such as messages, warnings, and error alerts are displayed.
(3) Server Management and Utilities:
Server Status (Netdata): Provides real-time performance metrics and monitoring using Netdata.
Shell (webshell): Access to an SSH-over-web interface, allowing for direct server interactions.
List VM: Refresh and display the list of existing virtual machines on the server.
Metrics: 1) Export the gathered virtualization metrics as an Excel document. 2) Export the analysis as a Word or LaTeX document.
Logout: Facilitates logging out of the web interface, ensuring secure closure of sessions.
After familiarizing yourself with ForensicVM, you may want to explore more advanced topics. Refer to the respective sections of this documentation for more information.
ForensicVM is a powerful tool in digital forensics. It simplifies the investigation process by allowing the virtualization and management of forensic images.
The Client: The client provides a user-friendly interface for managing forensic images, allowing users to create, run, and decommission instances as needed. It supports a variety of forensic image formats, ensuring compatibility with a wide range of existing tools and workflows.
The Hypervisor: The hypervisor is responsible for the execution of the virtualized forensic images. It manages resources and isolation between instances, ensuring that each virtual machine runs effectively and securely.
ForensicVM’s interface is designed with usability in mind. It provides a clear view of the current state of your forensic images, including active instances, and the status of any ongoing analysis tasks. It also provides easy access to ForensicVM’s suite of analysis tools, making it simple to start investigating a forensic image.
The Forensic Virtual Machine offers a plethora of features tailored to aid forensic analysts during their investigations. These features are systematically organized and can be accessed from various zones of the Autopsy interface. Each zone provides specific tools and functionalities, ensuring a seamless and comprehensive analysis experience.
In the table below, the distribution of features across the different zones of the interface is highlighted. This is to help users quickly identify where to locate and how to use each feature, maximizing efficiency and precision in their forensic operations.
One of the key features of ForensicVM is its plugin architecture, which enables the community to extend its functionality and interact with forensic images in innovative ways. This open architecture fosters the development of new software that can interact with forensic virtual images, providing flexibility and promoting active community involvement.
Through the plugin architecture, developers can create tools to perform a variety of tasks, including but not limited to:
Password Administration: Reset forgotten passwords or generate new administrator accounts to gain access to the systems encapsulated in the forensic image.
Hibernate File Management: Remove hibernation files so the guest boots cleanly instead of resuming the system state saved at the time of hibernation.
Data Extraction and Analysis: Extract and analyze data from a forensic image to uncover evidence or gain insights into the operation of the system.
By contributing plugins to the community, developers can help to improve ForensicVM, enriching it with new features and capabilities. Moreover, by utilizing the plugins developed by the community, users can tailor ForensicVM to their specific needs, creating a more versatile and powerful forensic analysis environment.
To efficiently use the Autopsy ForensicVM plugin, it’s essential to initialize a new case within the Autopsy framework and then seamlessly integrate a new data source. Below, the comprehensive procedure is outlined:
Add a New Case to Autopsy
Initiate the Autopsy application and from the wizard interface, choose the option to add a new case. This is the first step in creating a structured environment for your forensic analysis.
Once the case addition window pops up, provide a unique and descriptive name for your case. This helps in distinguishing it from other cases in the future.
Here, you can include additional details about the case. While this is optional, it’s recommended to fill in as much information as possible for thorough documentation.
Decide on the host configuration for this case. You can either:
- Generate a new host using the data source parameters.
- Specify a new host name manually.
- Or, utilize an existing host from a previous case or configuration.
Select Data Source Type as “Disk Image or VM File”
Choose the type of data source you’re incorporating. For this procedure, select “Disk Image or VM File”, which allows Autopsy to process VM images and disk snapshots.
Select Extra Parameters Like Time Zone and Sector Size
Fine-tune your forensic analysis by selecting the relevant time zone and determining the sector size. These parameters help in accurate data extraction and interpretation.
Configure the Python Ingest Plugin to Run and Select the ForensicVM Client Plugin
Activate the Python Ingest Plugin for automated data ingestion. Also, ensure to select the ForensicVM Client plugin, which is pivotal for the VM forensic analysis.
As the data gets processed, an intuitive progress bar displays the ongoing activities and the completion percentage. Keep an eye on this to gauge the processing speed and potential completion time.
The ForensicVM Loader will make a brief appearance. This indicates that the plugin is gearing up for execution. It will automatically close once the plugin is fully initialized.
Complete the Procedure and Minimize Autopsy Window
Click on the “Finish” button to round off the ‘Add Data Source’ wizard. For better visibility and multitasking, it’s advisable to minimize the main Autopsy window at this juncture.
Engage with the Autopsy ForensicVM Client Plugin Interface
After the previous steps, the dedicated window for the Autopsy ForensicVM Client plugin appears. Here you can conduct in-depth VM forensics using the many features offered by the plugin.
Convert Forensic Image to a Forensic Virtual Machine
When aiming to convert a local forensic image to a remote forensic virtual machine on a server, two primary methods are prevalent:
Direct Copy to Server: This approach duplicates the forensic image, creating a new forensic virtual machine on the server. It grants full access to and use of the forensicVM, making it the ideal choice for collaborative remote investigations.
Link Creation: In this method, a link is forged between the local forensic image and a new counterpart on the server. Although it’s swifter (given that the image isn’t transferred to the remote server), there are limitations. The conversion and previewing are quick, yet initiating the machine locally is mandatory. The investigator must resort to the Autopsy client plugin to start the machine, as the web interface is incompatible due to the dependency on the original forensic image.
Steps for Both Methods:
Initiate SSH Connection: An SSH link is established with the forensicVM server.
Reverse Connection Establishment: Over this SSH connection, a reverse connection is established to a read-only Samba (CIFS) share, commonly known as a Windows share. This lets the server access the Windows share that holds the forensic image.
Initiate Conversion: Here, the type of forensic image is identified, followed by the selection of an appropriate tool on the server to mount the image to a virtual raw device. This is especially vital when images span across multiple files.
Note
This tool selection process ensures that the appropriate software is utilized for optimal conversion.
Snapshot Creation: An initial snapshot of the forensic image is generated. Acting as a base snapshot, it retains the state tied to the forensic image’s virtual raw device. Drivers can then be installed without altering the forensic image’s state or contents, preserving the integrity of the evidence.
Image Conversion: The image is converted to the qcow2 format, the preferred format for KVM virtualization. qcow2 supports snapshots and occupies only the space actually used by the forensic image’s data.
Partition Detection: The system identifies any partitions present within the image.
Operating System Detection: The OS inside each partition is discerned. If recognized, KVM-optimized virtual drivers get pre-installed, which will initiate upon the forensic virtual machine’s first boot.
Fallback Conversion: If the OS remains unidentified, the VM undergoes a full conversion without any driver installations. While this could potentially enable booting, post-conversion, manual scrutiny and possible KVM driver installations are essential.
Partition Absence Handling: In the event no partitions are identified, a virtual partition gets generated alongside a virtual boot device. This procedure aids in converting partition images into complete images. However, the user must invest additional effort to adapt this image for booting. They might need supplementary tools, like a virtual CD-ROM, to rectify and make the VM operational.
Tip
It’s crucial to regularly monitor the conversion process to ensure all steps are proceeding as expected and that any necessary adjustments can be made promptly.
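As an added example (not ForensicVM’s own code), the following Python reproduces the partition-detection and partition-absence decisions described in the steps above on the first sector of a raw image. It parses the MBR partition table, maps well-known partition type bytes to the OS family they usually indicate, and treats a bare partition image (which starts with a filesystem boot sector that also ends in 0x55AA) as the no-partition case. The samples are constructed inline; the type-to-OS hints are general MBR knowledge, not ForensicVM’s detection logic.

```python
"""Added example (not ForensicVM's own code): reproduce the partition-detection and
partition-absence decisions described above on the first sector of a raw image."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"

# Well-known MBR partition type bytes and the OS family they usually indicate.
TYPE_HINTS = {
    0x07: "NTFS/exFAT (Windows)",
    0x0B: "FAT32 (Windows/DOS)",
    0x0C: "FAT32 LBA (Windows/DOS)",
    0x82: "Linux swap",
    0x83: "Linux filesystem",
    0xEE: "GPT protective MBR (read the GPT header instead)",
}


def filesystem_oem_name(sector: bytes):
    """A raw *partition* image starts with a filesystem boot sector (VBR), which also
    ends in 0x55AA. NTFS, FAT and exFAT VBRs carry a printable OEM name at bytes 3..10,
    so use it to avoid misreading VBR boot code as a partition table."""
    oem = sector[3:11]
    if len(oem) == 8 and all(0x20 <= b < 0x7F for b in oem):
        return oem.decode("ascii").strip()
    return None


def parse_mbr(sector: bytes):
    """Return the used entries of an MBR partition table, or [] if there is none."""
    if len(sector) < SECTOR or sector[510:512] != MBR_SIGNATURE:
        return []
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue            # empty slot
        if status not in (0x00, 0x80):
            return []           # not a real table (boot code or garbage)
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "hint": TYPE_HINTS.get(ptype, "unknown"),
            "start_sector": start,
            "sectors": count,
            "bytes": count * SECTOR,
        })
    return parts


def classify_image(first_sector: bytes):
    """Mirror the two branches in the text: partitions found, or none (the page says
    ForensicVM then wraps the image in a virtual partition plus a boot device)."""
    oem = filesystem_oem_name(first_sector)
    if oem:
        return {"mode": "no-partition-table", "oem": oem, "partitions": []}
    parts = parse_mbr(first_sector)
    if parts:
        return {"mode": "partitions", "oem": None, "partitions": parts}
    return {"mode": "no-partition-table", "oem": None, "partitions": []}


def build_mbr(entries):
    """Constructed-sample helper: assemble a 512-byte MBR with zeroed boot code from
    (bootable, type, start_sector, sector_count) tuples."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, start, count)
        for boot, ptype, start, count in entries
    ).ljust(64, b"\x00")
    return b"\x00" * 446 + table + MBR_SIGNATURE


# Constructed samples: a full-disk image with a Windows and a Linux partition,
# and a bare NTFS partition image (VBR first, no MBR at all).
SAMPLE_DISK_MBR = build_mbr([(True, 0x07, 2048, 1_000_000), (False, 0x83, 1_002_048, 500_000)])
SAMPLE_NTFS_PARTITION = b"\xEB\x52\x90NTFS    " + b"\x00" * 499 + MBR_SIGNATURE

if __name__ == "__main__":
    for name, sample in (("disk", SAMPLE_DISK_MBR), ("partition", SAMPLE_NTFS_PARTITION)):
        print(name, classify_image(sample))
```

With a real image you would read its first 512 bytes and hand them to classify_image. GPT disks show a single 0xEE protective entry and need the GPT header parsed separately, which this example deliberately does not do.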
Method 1: Copy the Local Forensic Image to a New Forensic Virtual Machine on the Server
Direct Copy to Server: This approach duplicates the forensic image, creating a new forensic virtual machine on the server. It grants full access to and use of the forensicVM, making it the ideal choice for collaborative remote investigations.
Conversion steps:
Begin the Conversion:
Initiate the conversion process by clicking on the button titled “Virtualize - a) Convert to VM”. This action sets the process in motion.
Upon clicking the conversion button, a popup alert appears. This alert will display the message: “The conversion will start in a command window. Please do not close it until the conversion is finished…”. Click on “OK” to commence the conversion process.
After confirmation, an MS-DOS command window opens. This window detects the image format and prints it. Watch for messages printed in green, which indicate successful steps; should any errors appear, note them for future reference.
During this phase, the system installs the required KVM drivers. Various messages get displayed in this window. Here’s a color code to understand them:
Green: Success messages.
Blue: Warnings.
Magenta: Special information messages.
Red: Error messages.
The conversion progression is displayed as a percentage.
To boot up the machine for the first time, click the “Start” button available in the Autopsy ForensicVM Plugin.
Screenshot of the “Start” button on the Autopsy ForensicVM Plugin.
Informational Popup - Machine Started:
Post clicking the “Start” button, an informational popup will appear to inform you about the machine’s status.
Screenshot of the informational popup after machine start.
Opening the ForensicVM:
To access the ForensicVM’s web screen interface, click the “Open ForensicVM” button. This interface will allow you to interact directly with the forensicVM.
Once inside the web screen interface, click the prominent “Connect / Start” button to establish a connection with the forensicVM and view its virtual screen monitor.
Screenshot of the ForensicVM’s “Connect / Start” button.
Interact with the ForensicVM:
With the connection established, you can now freely interact with the forensicVM.
Screenshot showcasing the ForensicVM’s interactive interface.
Method 2: Link the Local Forensic Image to a New Forensic Virtual Machine on the Server
Link Creation:
In this method, a link is forged between the local forensic image and a new counterpart on the server. This approach is faster because it doesn’t involve transferring the entire image to the remote server. However, there are some limitations. The conversion process and preview are swift, but starting the machine locally is a requirement. The investigator needs to use the Autopsy client plugin to initiate the machine since the web interface cannot be used due to its dependency on the original forensic image.
Conversion Steps:
Begin the Conversion:
Start the conversion by clicking on the button labeled “Virtualize - b) Link to VM”.
After activating the conversion, a popup will emerge. It will instruct: “The conversion will commence in a command window. Please refrain from shutting it until the process concludes.” Press “OK” to proceed.
The MS-DOS command window will surface, and the software will identify the image format, displaying it within the window. Successful actions are highlighted in green. However, be vigilant and record any errors that arise.
There are three different ways to start the forensic virtual machine (forensicVM). These methods provide flexibility depending on your access level and location within the system interface:
Another option to start the forensicVM is from the web remote screen. This method may be preferred if you are working remotely or through a particular service interface:
Navigate to the web remote screen.
Locate the start button, as shown in the figure below.
Press the start button to initiate the virtual machine.
These three methods ensure that you can initiate the forensicVM from various points in the system.
Special Case: Starting the ForensicVM in Link Mode
Precautions and Considerations:
When a forensic image is converted to a forensic virtual machine using the “Virtualize b) Link to VM” option, it can only be started via the Autopsy Plugin. Ensure that you adhere to the following precautions to guarantee a smooth operation of the virtual machine:
Warning
Only initiate the linked forensicVM through the Autopsy Plugin. Avoid using the forensicVM web interface—it will be ineffective.
Utilize a reliable internet connection, such as fiber optics. Any connection disruptions could lead to machine disk timeouts, and potentially the virtual machine encountering a “blue screen of death.”
Keep the command line window open at all times. To power off or stop the forensicVM, use the “Stop” or “Shutdown” options in the Autopsy Plugin; this prevents lingering mount points on your computer, which could cause issues.
Next, a command line window will appear. You may minimize it, but it is crucial not to close it. If you need to shut down the machine, follow the steps below to safely halt or power off the forensicVM.
Note that the only safe way to halt or power off the machine is the “Shutdown” or “Stop” button in the Autopsy Plugin.
2) Browse ForensicVM using the Main Web Interface
Alternatively, you can browse the forensicVM through the main web interface. This approach is generally more accessible and can be used from any web browser that supports the required protocols.
Steps:
a) Navigate to the web interface URL.
b) Log in with your credentials, if required.
c) Locate the forensicVM you wish to access.
d) Click the appropriate control, such as “Start,” “Stop,” “Reset”, etc., to manage the forensicVM.
Summary:
Both methods provide control over the forensicVM, allowing you to perform a variety of tasks like starting, stopping, resetting, and more. Choosing between the plugin interface and the web interface depends on your specific needs, available tools, and personal preferences.
There are three different ways to shut down the forensic virtual machine (forensicVM). These methods provide flexibility depending on your access level and location within the system interface:
1) Shut Down ForensicVM in the Main Plugin Interface
To shut down the forensicVM from the main plugin interface, follow these simple steps:
Locate the shutdown button on the main interface as depicted in the figure below.
Another option to shut down the forensicVM is from the web remote screen. This method may be preferred if you are working remotely or through a particular service interface:
Navigate to the web interface.
Locate the machine that you need to shut down.
Locate and click the shutdown button, as shown in the figure below.
These three methods ensure that you can shut down the forensicVM from various points in the system, allowing for seamless control depending on your needs and preferences.
There are three different ways to stop the forensic virtual machine (forensicVM). These methods provide flexibility depending on your access level and location within the system interface:
Another option to stop the forensicVM is from the web interface. This method may be preferred if you are working remotely or through a particular service interface:
Navigate to the web interface.
Locate the machine that you need to stop.
Locate and click the stop button, as shown in the figure below.
These three methods ensure that you can stop the forensicVM from various points in the system, allowing for seamless control depending on your needs and preferences.
Resetting the forensic virtual machine (forensicVM) is akin to an immediate reboot, and there are three different ways to do so. These methods provide flexibility depending on your access level and location within the system interface:
Another option to reset the forensicVM is from the web interface. This method may be preferred if you are working remotely or through a particular service interface:
Navigate to the web interface.
Locate the machine that you need to reset.
Locate and click the reset button, as shown in the figure below.
These three methods ensure that you can reset the forensicVM from various points in the system, allowing for immediate rebooting as needed. This can be useful in various scenarios, such as when troubleshooting, testing, or managing different virtual machine states.
It is often necessary to take screenshots of the forensic virtual machine (forensicVM) for documentation, analysis, or reporting purposes. There are two primary ways to capture a screenshot, depending on your location within the system interface:
1) Capture Screenshot in the Main Autopsy Plugin Interface
To take a screenshot of the forensicVM from the main Autopsy plugin interface, please press the Screenshot button on the screenshot panel:
Screenshot VM on the main Autopsy plugin interface
2) Capture Screenshot in the Web Screen Interface
Capturing a screenshot from the web screen interface is similarly straightforward:
Navigate to the web interface where the forensicVM is displayed. Expand the tools panel.
Locate the screenshot icon or use the appropriate key command within the web interface.
These methods enable you to capture visual records of the forensicVM from different points within the system, providing flexibility for various operational needs.
After capturing the necessary screenshots of the forensic virtual machine (forensicVM), you can download them all as a ZIP file. This process is done in four steps:
These steps ensure an efficient and organized process for downloading the captured screenshots of the forensicVM, making it convenient for further use or analysis.
This step-by-step guide helps you efficiently import the screenshots from the forensic virtual machine into Autopsy software for in-depth analysis, enabling a streamlined workflow and enhancing your investigation process.
Note
Importance of Tagging Screenshots for Evidence
Tagging screenshots in Autopsy forensic software is a pivotal step in digital investigations. It allows forensic professionals to systematically identify, analyze, and report on crucial visual information. Tagged screenshots can be included in final reports, where they may be presented as potential evidence in legal proceedings. The process ensures the integrity of visual data and contributes significantly to building a solid case.
In the realm of digital forensics, Autopsy forensic software plays a crucial role in analyzing and managing evidence. A key feature of this powerful tool is its ability to handle screenshots, which are often vital in investigations.
Tagging Relevant Screenshots: With Autopsy, investigators can sift through various images and screenshots collected during the forensic analysis. If certain images are identified as potentially relevant to a case, they can be tagged for further scrutiny. This tagging function is more than a mere organizational tool; it’s a systematic way to highlight essential visual information that may prove crucial in understanding the digital activities related to a case.
How to Tag: Simply right-click on the desired screenshot and select the “Tag” option. You may create custom tags or use predefined ones, adding notes or comments as necessary. This flexibility ensures that you can organize your screenshots in a way that suits your specific investigative needs.
Inclusion in the Final Report: Tagged screenshots are not merely an intermediate step in the investigation. They often form an integral part of the final report. When compiling your findings, all tagged screenshot photos can be automatically included as potential evidence. They are presented in a well-organized manner, often alongside corresponding notes or observations made during the analysis phase.
How to Include in Report: Typically, there’s an option to include tagged items in the report generation process. Make sure to select this option to have all tagged screenshots appear in the final document.
Presenting as Evidence: The end report, including the tagged screenshots, can be used in legal proceedings as possible evidence. The organized and systematic way in which these images are handled, analyzed, and reported in Autopsy ensures their integrity and admissibility in a court of law.
In conclusion, the ability to tag relevant screenshots in Autopsy forensic software is not merely a feature but an essential process that enables precise analysis, reporting, and legal utilization of visual data. It allows forensic professionals to efficiently identify and focus on critical visual information, contributing to a more comprehensive and convincing presentation of evidence in any given case.
Making, Downloading, and Analyzing a Memory Dump (memory_dump_vm)
Making a memory dump refers to the process of capturing the content of a computer’s memory (RAM) at a specific moment in time. This snapshot can include various elements, ranging from currently running processes to user credentials and even the contents of open files. The practice is critical for several reasons:
In the realm of cybersecurity, memory dumps have become an essential tool. Here’s how they contribute:
Uncovering Malware Behavior: Memory dumps allow security professionals to see what is happening inside the system’s memory, including hidden or obfuscated malware activities. By analyzing these dumps, one can reveal the behavior of malicious code, tracking its origin, and how it interacts with the system.
Detecting Hidden Processes: Sophisticated malware often hides from standard detection methods. Memory analysis helps in uncovering these hidden processes, providing a more transparent view of unauthorized activities.
Injected Code Analysis: Attackers may inject malicious code into legitimate processes to conceal their actions. A memory dump helps in identifying these code injections, leading to better understanding and mitigation of such threats.
User Credential Analysis: Sometimes, credentials might be stored in memory. A memory dump could reveal these details, helping in understanding potential security breaches or vulnerabilities.
Digital forensic analysts often use memory dumps to investigate suspicious or malicious activities:
Timeline Analysis: Memory dumps can provide a chronological view of the activities that transpired on the device, aiding in reconstructing events leading up to an incident.
Data Recovery: Even if data is deleted or encrypted, remnants might still exist in the system’s memory. Analyzing memory dumps may allow the recovery of this vital information.
Artifact Analysis: Various artifacts related to user activities, system interactions, and file usage can be extracted and analyzed from memory dumps, painting a comprehensive picture of user behavior.
In the context of legal proceedings, memory dumps might provide crucial evidence:
Computer Usage: Evidence regarding the usage of specific applications or accessing specific files or websites can be derived from a memory dump.
Unauthorized Access: In cases of hacking or unauthorized access, memory dumps may hold evidence of the intrusion, including the tools used and the data targeted.
Intellectual Property Theft: If there is a suspicion of intellectual property theft, memory dumps can reveal whether sensitive documents were accessed, modified, or transferred.
Follow the steps below to make and download a memory dump:
1) Press the “Make and Download Memory Dump” Button
Press the button labeled “Make and Download Memory Dump” to initiate the process.
Analyzing a memory dump can provide critical insights into the state of a system at a particular point in time. Memory dumps may contain valuable information that helps investigators understand what processes were running, what files were open, and even what keys were being pressed.
Autopsy enables an investigator to examine memory dumps by following a series of steps to import and analyze the data. Here’s an expanded walkthrough:
1. Locate the Memory Dump File
Begin by identifying the file you wish to analyze. This could be a file that you have obtained from a machine you are investigating. Make sure to have the file accessible and note its location on your system.
2. Prepare Autopsy for Importing the Memory Dump
Launch Autopsy and create a new case or open an existing one where you want the memory dump to be analyzed. The case structure in Autopsy helps in organizing different data sources and findings related to an investigation.
3. Add the Memory Dump as a Data Source
Inside your case, look for an option to add a new data source. This is usually achieved by clicking on the “Add Data Source” button. You’ll be guided through a series of prompts to configure the import.
4. Choose the Host and Data Source Type
You’ll need to select a host, which typically refers to the system from which the memory dump was obtained. Then, choose “Memory Image File (Volatility)” as the Data Source Type, a common format for memory dumps.
5. Navigate to the Memory Dump File
Click the “Browse” button and use the file dialog to locate the memory dump file on your system. You may need to paste the exact path if you have copied it earlier.
6. Configure the Analysis Settings
This involves setting the timezone, memory profile (which should correspond to the OS of the dumped system), and selecting or deselecting specific plugins. Plugins in Autopsy extend its functionality and can be used to run specific analyses on the data.
7. Ingest the Memory Dump
After confirming your settings, Autopsy will begin the process of ingesting the memory dump. This might take a significant amount of time, depending on the size of the dump and the capabilities of your system.
8. Review the Results and Check for Errors
Upon completion, review the log to check for any errors or warnings. This is a vital step to ensure that the data was imported correctly and that all selected analyses were performed successfully.
9. Analyze the Memory Dump
Finally, you can start analyzing the memory dump. Autopsy provides various tools and views to help you explore the data. You can browse through processes, network connections, registry keys, and more. Look for anomalies or signs of malicious activity.
10. Tag and Document Findings
As you proceed with your analysis, make sure to tag any interesting findings. Autopsy provides features to annotate and comment on your discoveries, making it easier to reference them later or include them in your final report.
1) Copy the Path of the Memory Dump from Windows Explorer
Start by locating the memory dump file on your system. Open Windows Explorer, navigate to the directory containing the memory dump, right-click on the path, and select “Copy”. This action copies the path to your clipboard, allowing you to paste it later in the Autopsy software.
2) Press the “Add Data Source” Button on the Autopsy Software
Open Autopsy and initiate the process of adding a new data source by pressing the “Add Data Source” button. This button typically resides in the main toolbar.
3) Select the Host to Where the Memory Dump Should be Made and Press Next
You will be prompted to select a host, which is the computer or device where the memory dump will be analyzed. Choose the appropriate host from the list provided, and then press “Next” to continue.
4) Select as Data Source Type the “Memory Image File (Volatility)” and Press Next
In this step, you will specify the type of data you are importing. Select “Memory Image File (Volatility)” from the list of data source types, as this is the appropriate option for memory dumps. Once selected, click “Next.”
5) Click the “Browse” Button to Select the Path Where the Memory Dump Is
A file browser window will appear. Click the “Browse” button, navigate to the location where the memory dump is stored, and select the file. If you copied the path earlier, you can paste it into the file path field to quickly locate the file.
7) Configure Timezone, Memory Profile, and Plugins to Run. Press Next
You will now be asked to configure several settings specific to your analysis. Set the appropriate timezone to match the original system’s time setting. Choose the correct memory profile, which should match the operating system of the analyzed machine. Optionally, select any plugins you want to run during the analysis. Click “Next” to proceed.
9) Wait Until the Memory Ingest Module is Finished
This step may take some time, as Autopsy processes the memory dump. Depending on the size of the file and your computer’s capabilities, this could take several minutes or even hours. A progress bar or other indicator may be available to monitor the process. Please be patient.
Upon completion, a dialog will appear, summarizing the process and any issues encountered. Press the “View Log” button to inspect any errors or warnings in detail. Finally, press the “Finish” button to conclude the process and close the dialog.
11) Locate the Memory Dump on the Interface and Browse the Results
With the import process complete, you can now find the imported memory dump within Autopsy’s interface. Browse through the results, and use Autopsy’s various tools to examine the data. Remember to tag any findings that may be of interest, as these can be critical to your investigation.
Analyzing memory dumps is a vital task in computer forensics, malware analysis, and system diagnostics. Several tools have been developed to support this task. Here’s an overview of some widely-used tools other than Autopsy for memory dump analysis:
Rekall: a memory forensics framework offering a set of analysis features.
WinDbg: Microsoft’s debugger for Windows applications, also used to analyze memory dumps.
Magnet RAM Capture: a free tool for capturing physical RAM.
FTK Imager: AccessData’s tool for capturing and analyzing memory dumps.
MoonSols DumpIt: creates memory dumps from Windows systems.
Redline: provided by FireEye, offers advanced memory and file analysis capabilities.
GRR (Google Rapid Response): an incident response framework that includes memory analysis capabilities.
Belkasoft Evidence Center: includes the ability to analyze computer memory.
X-Ways Forensics: a commercial product with strong memory analysis features.
These tools offer a wide range of capabilities, from capturing memory images to detailed analysis. Depending on the specific requirements of the analysis, an investigator might choose one or several of these tools.
Recording video from a forensic virtual machine (VM) that was created from a forensic image is not just a technical procedure; it’s a crucial part of preserving and analyzing digital evidence in a meticulous and traceable manner. Below are the reasons why this approach is essential:
Immutable Record
When a virtual machine is created from a forensic image, it’s a snapshot of a system at a specific point in time. Recording a video of the interactions and findings within this VM provides an immutable and chronological record. It ensures that every action taken can be reviewed, analyzed, and presented, leaving no room for doubt or ambiguity.
Transparency and Accountability
The video serves as a transparent and detailed log of what was done during the investigation. This helps in maintaining the integrity of the process, proving that the examination was conducted ethically and without alteration of the original data. If questions arise later, the video can be referred back to, to demonstrate exactly what was done.
Legal Compliance
In legal scenarios, the chain of custody must be robust and without breaks. Video recordings from the forensic VM provide a visual and auditable trail that can be an integral part of court proceedings. They offer judges, lawyers, and juries a clear and understandable view of the digital evidence, often aiding in decisions.
Training and Collaboration
The videos are not only useful for the case at hand but can be utilized for training purposes. They offer a real-world insight into how a forensic examination is conducted, the tools used, and the methodologies followed. Furthermore, they facilitate collaboration between teams and experts, allowing them to review and discuss findings visually.
Error Detection
If mistakes are made during the investigation, video recordings enable forensic analysts to backtrack and understand where things went wrong. This can be vital for correcting errors and learning from them for future investigations.
Enhancing Public Trust
Lastly, the practice of recording video from forensic VMs can also contribute to enhancing public trust in digital forensic processes. It sends a strong signal that the work is conducted with utmost professionalism, thoroughness, and adherence to legal standards.
The recording is in progress; it can be up to 3 hours of recording before the video stops. The “rec” animation on the top right will show that the recording is in progress on the server.
You will see two notification messages. The first one says, “Sent stop video recording,” to indicate that the video has stopped recording. The video has to be processed on the server to download. When the video is completed on the server, you will see a second notification message stating, “Video saved (Video recorder with the name videoNNNN.mp4)”, where NNNN is the video number. Please note down this number.
Now press the “Download” button and wait until the download is ready. The download will start automatically, so do not close the webpage. The video preparation time and the download time depend directly on the video size.
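Any artifact downloaded from the server (the videoNNNN.mp4 recording above, the memory dump, or the screenshot ZIP) should be hashed as soon as it lands, so that the immutable-record claim can be checked later. The following Python is an added example, not part of ForensicVM or the plugin; the file name video0001.mp4 and the custody.jsonl log are placeholders, and the file content is constructed.

```python
"""Added example (not ForensicVM's own code): write a chain-of-custody entry for an
artifact downloaded from the server (a videoNNNN.mp4 recording, a memory dump, or the
screenshot ZIP) and re-verify it later. File names used below are placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def record_artifact(path: str, log_path: str, note: str = "") -> dict:
    """Append one JSON line (file, size, SHA-256, UTC time, note) to the custody log."""
    entry = {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_artifact(path: str, entry: dict) -> bool:
    """True only if both size and hash still match the recorded entry."""
    return os.path.getsize(path) == entry["size"] and sha256_file(path) == entry["sha256"]


def demo() -> tuple:
    """Constructed run: record a placeholder recording, then detect a single appended byte.
    Returns (intact_before, intact_after_tampering, recorded_sha256)."""
    with tempfile.TemporaryDirectory() as tmp:
        video = os.path.join(tmp, "video0001.mp4")      # placeholder name, constructed bytes
        log = os.path.join(tmp, "custody.jsonl")
        with open(video, "wb") as fh:
            fh.write(b"constructed sample bytes" * 1000)
        entry = record_artifact(video, log, note="downloaded from ForensicVM web interface")
        intact = verify_artifact(video, entry)
        with open(video, "ab") as fh:
            fh.write(b"\x00")                            # simulate tampering
        tampered = verify_artifact(video, entry)
        return intact, tampered, entry["sha256"]


if __name__ == "__main__":
    print(demo())
```

The log is append-only JSON lines so that entries for the video, the memory dump and the screenshot archive from one case sit together and can be re-verified in one pass before they are imported into Autopsy.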
Video Recording Sound
The current version of the video recording feature within the forensic virtual machine does not include sound. It captures only the visual interactions and activities within the system. We recognize the importance of sound in some investigations, and we are actively working to add this capability in a forthcoming version of our software.
In the meantime, if sound recording is a necessary component of your forensic analysis, we advise utilizing third-party tools specifically designed for video and audio capture. Please ensure that any third-party tool used complies with your legal and organizational requirements.
The evidence disk is an automatically generated drive that materializes during the conversion of a forensic image to a ForensicVM. This utility drive is populated with directories that carry the same names as the Autopsy tags. These directories serve as designated containers, wherein the forensic investigator is expected to compile and organize evidence relevant to each tag. If ever the need arises, the investigator has the option to reset the evidence disk to its initial state. However, such an action should be approached with caution, as it would entail the deletion of all previously gathered evidence.
When new tags are introduced in Autopsy, corresponding folders for these tags are created once the plugin is restarted.
Tip
To create any missing tag directories, first stop the ForensicVM. Shut down the ForensicVM, close the plugin, and then reopen it via the Autopsy ForensicVM Client Plugin. This refreshes the environment and incorporates the new tags.
The creation of the evidence disk is automated. When you convert a forensic image into a ForensicVM, whether by virtualization copy or by linking to the forensic image, the evidence disk is created during the final phase of the procedure.
Screenshot depicting the final phase of the ForensicVM conversion, showcasing the creation of the evidence disk.
Collecting digital evidence is a meticulous process, demanding precision, patience, and an understanding of the system you are investigating. When using the ForensicVM, this process is facilitated, yet there are still specific steps to follow. Here’s a comprehensive guide on how to go about it:
Initiation of the ForensicVM:
Before you can begin your evidence collection, ensure that the ForensicVM is up and running. Start the virtual machine and patiently wait for it to boot up completely.
Logging In:
Once the ForensicVM has completely loaded, proceed to log in using the credentials provided or set during the initial configuration. Remember, maintaining the security and integrity of the login process is crucial in a forensic investigation.
System Exploration:
With access to the ForensicVM, you can now begin your deep dive into the system. Navigate through the directories, files, applications, and logs. Always keep an eye out for suspicious or relevant files, unusual patterns, or any anomalies that might serve as potential evidence.
Copying Relevant Files to the Evidence Disk:
As you uncover potential pieces of evidence:
For Windows Users:
The process is quite straightforward. Simply copy the relevant files or data and save them to the evidence disk, which is typically represented as the D: drive. This dedicated drive serves as a safe repository, ensuring that the original data remains uncompromised.
For Linux Investigation:
The evidence disk is usually not mounted automatically. Locate it first (it carries the volume label possible evidence), mount it manually, then copy the relevant files or data onto it.
Note
Remember, while the process might seem technical, the key is to maintain the integrity of the evidence and ensure that all actions are documented and reproducible. It’s not just about finding the evidence, but also about ensuring its admissibility in a court of law.
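As an added example (not ForensicVM's own code), the following Python helper does the bookkeeping the note above asks for when it is run inside the guest against the mounted evidence disk: it creates any tag folders that are missing, copies a file into the folder of a given tag, verifies the copy by SHA-256, and appends an entry to a manifest at the disk root so that the collection is documented and can be re-verified later. The evidence-disk path, the tag names and the sample file are assumptions; the demo uses a temporary directory in place of the real disk, and a Python interpreter inside the guest would have to be supplied (for instance from an ISO, as described later on this page).

```python
"""Evidence-disk bookkeeping: added example, not part of ForensicVM.

Assumes the evidence disk is already mounted (drive D: on Windows, a
mount point such as /media/<user>/possible evidence on Linux) and that
the caller knows the Autopsy tag names. Paths, tags and the sample file
below are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-GB artefacts do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def ensure_tag_folders(evidence_root: Path, tags) -> list:
    """Create one folder per Autopsy tag, as the plugin does on restart.
    Returns the folders that were missing and had to be created."""
    created = []
    for tag in tags:
        folder = evidence_root / tag
        if not folder.exists():
            folder.mkdir(parents=True)
            created.append(folder)
    return created


def collect(evidence_root: Path, tag: str, source: Path, note: str = "") -> dict:
    """Copy `source` into the tag folder, verify the copy by hash and record it
    in manifest.jsonl at the disk root. Never overwrites existing evidence."""
    dest_dir = evidence_root / tag
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / source.name
    if dest.exists():
        raise FileExistsError(f"refusing to overwrite existing evidence: {dest}")
    src_hash = sha256_of(source)
    shutil.copy2(source, dest)          # copy2 also preserves the mtime
    dst_hash = sha256_of(dest)
    if src_hash != dst_hash:            # disk full, I/O error: keep nothing half-copied
        dest.unlink()
        raise OSError(f"copy of {source} failed hash verification")
    entry = {
        "tag": tag,
        "source": str(source),
        "stored_as": str(dest),
        "sha256": dst_hash,
        "size": dest.stat().st_size,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with (evidence_root / "manifest.jsonl").open("a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(evidence_root: Path) -> list:
    """Re-hash every manifest entry; return the entries that are missing or changed."""
    manifest = evidence_root / "manifest.jsonl"
    if not manifest.exists():
        return []
    bad = []
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        stored = Path(entry["stored_as"])
        if not stored.exists() or sha256_of(stored) != entry["sha256"]:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the evidence disk.
    root = Path(tempfile.mkdtemp()) / "possible evidence"
    print("created:", ensure_tag_folders(root, ["Bookmark", "Follow Up", "Notable Item"]))
    sample = root.parent / "suspicious.txt"
    sample.write_text("constructed sample content\n", encoding="utf-8")
    print(collect(root, "Follow Up", sample, note="found in user profile"))
    print("tampered entries:", verify_manifest(root))
```

The manifest is deliberately append-only and lives on the evidence disk itself, so it travels with the disk when it is imported into Autopsy; running verify_manifest after the import confirms that nothing changed between collection and import.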
Begin by logging into the operating system. If needed, use a plugin to create a forensicAdministrator user or to reset an existing user’s password.
After logging in, locate the evidence disk. It is labelled possible evidence and is conventionally assigned drive letter D:. The disk contains one folder per Autopsy tag. Investigators are free to create their own folders or sub-folders, but the recommended practice is to refine or create the tags in Autopsy and then restart both the Autopsy plugin and the ForensicVM so that the matching folders are generated.
Fig. 141 offers a visual guide: the evidence drive is marked with a green rectangle, and the Windows Explorer window in which potential evidence is being identified is marked with a red rectangle. The objective is to locate the evidence and copy it into the “possible evidence” drive, under the folder of the appropriate Autopsy tag.
Example: Transferring the Entire Encrypted BitLocker Drive
The illustration below showcases the entirety of an encrypted BitLocker drive being transferred to the Autopsy ‘Follow Up’ tag. The foundational principle of this process lies in ensuring that the full, unaltered encrypted drive is copied, preserving its integrity for forensic examination. By copying the entire encrypted disk file, forensic analysts can ensure they are working with a complete and untampered set of data.
Transferring the full encrypted BitLocker drive to the Autopsy ‘Follow Up’ tag.
Pre-importing Considerations for Autopsy
Before integrating the possible evidence drive into Autopsy, it’s imperative to either shut down or stop the forensicVM. Opting for a shutdown is highly recommended. Choosing to merely stop the virtual machine introduces the risk of data corruption which could compromise the integrity of the evidence or render parts of it unusable.
Options available for safely preserving the BitLocker drive before importing to Autopsy.
To embark on evidence collection, the primary step involves gaining access to the Linux system. Knowledge of user credentials is essential. If you find yourself without the necessary credentials, consider utilizing available plugins to assist. Alternatively, developing and sharing a new plugin with the community could be a valuable contribution! The illustration below presents the login process for an Ubuntu 22.10 system featuring a comprehensive desktop environment.
After successfully logging in, launch the file explorer to identify the evidence disk. In the given instance, one would navigate to “Other locations” and subsequently double-click on “possible evidence” to initiate its mounting.
Identifying the “possible evidence” disk in the file explorer.
Plan Evidence Gathering
Once the evidence drive is appropriately mounted, you’re primed to delve into your evidence search. Displayed in the subsequent figure are folders corresponding to various Autopsy Tags, offering a structured approach to evidence organization.
Autopsy Tags folders for structured evidence organization.
Explore and find possible evidence
Navigating to the designated folder, we discern a hash dump file alongside potential evidence pointing to the deployment of a meterpreter.
Highlighting a hash dump file and indications of meterpreter usage.
Organize and Transfer Potential Evidence to the Evidence Drive
Now, to preserve this crucial data, ensure you copy the identified potential evidence to the designated “possible evidence” folder.
Transferring discovered evidence to the “possible evidence” folder.
Preparing for Autopsy Integration
Before importing the evidence disk into Autopsy, either stop the forensicVM or shut it down completely. Shutting down is strongly advised: a plain stop does not let the guest flush its file systems and can leave them inconsistent, which may corrupt part of the evidence or make it unusable. In this example, select the power icon and then “Power Off/Log Out” from the menu.
During the course of a forensic investigation, there may be instances when you need to append additional tags. Ensuring that the “possible evidence disk” reflects these changes is crucial. The following steps guide you on making sure the tag folders are created on the evidence disk:
For Windows 8 and later: if the new tag folders do not appear, Windows has most likely hibernated (Fast Startup) instead of shutting down completely, which leaves the evidence volume locked. Shut down Windows inside the forensicVM while holding the [Shift] key; this forces a full shutdown rather than a hibernation, so no hibernation image keeps the volume locked and the drive can receive the new folders. Then retry the procedure.
Recreating the evidence disk irrevocably erases all data on it; recovery is not possible afterwards. Before initiating it, follow the guidelines to Import evidence disk.
Safely Shut Down Windows
To ensure that the evidence.vmdk disk is unlocked, shut down Windows while pressing and holding the [Shift] key. This forces a full shutdown rather than a Fast Startup hibernation, so no hibernation image keeps the volume locked.
A freshly recreated evidence disk will be generated with the current Autopsy evidence tags structured as folders. No previously acquired evidence will be included. As a crucial step, remember to Import evidence disk before recreating the evidence disk.
Deletion of ForensicVM at Investigation Conclusion
Once your forensic investigation comes to an end, it’s a best practice to eliminate the ForensicVM to free up resources and maintain system hygiene. Here’s a detailed guide on how to accomplish this:
Initiate the Deletion Process
Begin by clicking the red “Delete VM” button. This action will instigate the process to remove the ForensicVM.
An additional confirmation popup box will appear to double-check your decision. This is to ensure no inadvertent deletions occur. Once again, click the “Yes” button to proceed.
If the ForensicVM is successfully deleted, a final confirmation popup appears showing the UUID of the VM that was removed; note it down as a record of the deletion.
Managing the Network Card to Capture and Analyse Network Traffic
By default, the forensicVM initiates with its network card disabled. This design choice is deliberate, to minimize the potential risks of activating a network card on a possibly compromised virtual forensic machine. Activating such a network card could jeopardize not only your individual computer but the broader network environment.
For many forensic investigations, an active network connection is unnecessary. When evidence is solely contained within a local device, it’s recommended to keep the network card deactivated. This approach ensures the machine’s safe operation and the security of your enterprise network or domain.
However, in certain situations the network card may need to be activated: for instance, when the forensic virtual machine is considered safe and needs an internet connection to retrieve cloud-based data through cached cloud access credentials (OneDrive, Google Drive, Nextcloud, OwnCloud, etc.). In such cases the forensicVM’s network card can be enabled. The card sits behind an inbuilt firewall that blocks access to identified local networks while permitting internet connections. In addition, all inbound and outbound traffic is recorded while the card is enabled, and a Wireshark pcap file is produced for each activation and deactivation event.
Danger
Treat activation of the network card as a last resort; alternatively, consider using a remotely hosted forensicVM server. The firewall is not foolproof, so there is always a risk that malicious software finds a path into your network. A compromised machine may also beacon back to its operator, revealing your external IP address and inadvertently notifying the attacker that they are under active investigation!
To activate the network card on the forensicVM, there are two methods available. The first method involves using the Autopsy ForensicVM client plugin interface, and the second requires directly interacting with the web screen interface through the network icon.
Enable network card using the Autopsy ForensicVM Client Plugin Interface
Activate Network Card Button
Start the forensicVM machine.
Navigate to the Network Panel within the interface.
Look for the “Enable network card” button and click on it.
Enabling the network card through the Autopsy ForensicVM Client interface
Confirmation of Network Card Activation
After clicking the button, a popup window will appear to confirm the successful activation of the network card.
Activating the network card can also be achieved via the Web Screen Interface. This method allows users to manage network settings without diving into the main software interface. Here’s how to enable the network card using the Web Screen Interface:
Activating Network through Web Screen Interface Steps
Initiate the Panel Opener (1) to reveal the available options.
Locate and click on the network icon (2) to access network settings.
Identify and click the red button labeled Enable network (caution) (3) to activate the network card.
Steps to activate the network through the Web Screen Interface
Acknowledgement of Successful Activation
Once the network card is activated, an orange notification will pop up at the top of the screen. This message serves to confirm that the network card has been successfully activated.
Notification confirming successful activation of the network card
From time to time, due to various reasons such as IP conflicts, connectivity issues, or configuration errors, it might be necessary to reset the network card. Resetting can re-establish a proper connection and can often solve common networking problems. Below are methods to reset the network card in Windows and Linux.
Windows 10
In Windows 10, the Network Troubleshooter can assist in diagnosing and resolving common network-related problems.
Navigate to the system tray located in the bottom right corner of your screen.
Right-click the network icon.
From the context menu, select the “Troubleshoot problems” option. The Network Troubleshooter will now start, and it will attempt to diagnose and resolve any detected issues.
In older versions of Windows, the process might slightly differ. Usually, there’s a network troubleshooting tool available but its location or name may vary. Check under “Network and Sharing Center” or within Control Panel for related options.
Linux
In Linux, depending on the distribution and the desktop environment, the network card can be managed through the graphical interface. A more universal method is the command line:
Open a terminal.
To disable the network card (assuming it is named eth0), type:
  sudo ifconfig eth0 down
To enable it again, type:
  sudo ifconfig eth0 up
Check the actual interface name first: modern distributions use names such as ens3 or enp0s3 rather than eth0. Note also that ifconfig comes from the legacy net-tools package; where it is absent, use the iproute2 equivalents, ip link set eth0 down and ip link set eth0 up.
Danger
Always proceed with caution when enabling the network, especially on systems that are meant for forensic investigations or are potentially compromised. It’s vital to ensure systems and network security and to be aware of the risks involved.
Enabling the network card is often crucial for forensic investigations, especially when collecting evidence from cloud services. This is particularly relevant when users have not logged out from a service or when session cookies remain in the browser. Such scenarios allow forensic investigators to trace digital breadcrumbs and gather additional evidence that may be inaccessible from offline forensic images. Below are two illustrative examples:
Gathering Data from Cloud Services - OneDrive Example
The following figure demonstrates data extraction from OneDrive, a popular online cloud service.
Gathering Data from Cloud Services - Online Storage Example
In this next example, an online file storage platform is accessed using cached credentials:
There are two primary methods to deactivate the network card on the forensicVM:
Using the Autopsy ForensicVM client plugin interface.
Directly interacting with the web screen interface.
Disable Network Card with the Autopsy ForensicVM Client Plugin Interface
Steps to Deactivate Network Card:
Ensure that the forensicVM machine is running.
Within the interface, go to the Network Panel.
Click on the “Disable network card” button.
Using the Web Screen Interface to Disable the Network Card
The Web Screen Interface offers an alternative approach for users who prefer to manage network settings without engaging with the main software interface.
Steps to Disable Network:
Activate the Panel Opener (1) to view more options.
Click on the network icon (2).
Press the green Disable network (3) button to turn off the network card.
Process to disable the network card using the Web Screen Interface
A Windows Explorer window will prompt you to select a save location for the pcap.zip file. It’s recommended to maintain the default save path, which is typically set to the image case folder.
The download progress will be displayed, indicating the time required to complete the download. This duration can vary depending on the size of the pcap.zip file.
Analyzing network traffic is an integral part of digital forensic investigations, especially when attempting to reconstruct a sequence of events or identify malicious activities. Using a tool like Wireshark to analyze traffic from a forensic image virtual machine can provide investigators with a wealth of information. However, this approach comes with its advantages and potential pitfalls.
Importance of Analyzing Traffic in Forensic Investigations
Evidence Collection: Analyzing traffic can reveal communication with suspicious IP addresses, hinting at potential data exfiltration or command-and-control servers.
User Behavior: Network traffic can provide clues about user behavior, including sites visited, files downloaded, or apps used.
Timestamps: Traffic analysis can help in reconstructing timelines of events, crucial for correlating actions across different evidence sources.
Detect Malware: Unusual network traffic patterns can be indicative of malware communication.
Advantages
Comprehensive Data View: Wireshark offers a detailed view of packets, allowing forensic investigators to delve deep into the network interactions.
Filtering and Searching: With its advanced filtering options, investigators can isolate relevant data quickly.
Decoding Protocols: Wireshark can decode a vast array of protocols, aiding in understanding the specifics of network conversations.
Visualization: Graphical features like flow graphs help in visualizing communication patterns.
Dangers
Data Overload: The volume of data in pcap files can be overwhelming, and without proper focus, important details might be missed.
Privacy Concerns: Analyzing traffic can inadvertently capture personal or sensitive information of innocent users.
Tampered Data: If the forensic image virtual machine is compromised, the network data might be tampered with, leading to incorrect conclusions.
Misinterpretation: Without proper expertise, normal traffic can be misinterpreted as malicious or vice versa.
Note
While Wireshark is a powerful tool for forensic investigations, it’s essential to approach the analysis with a clear understanding of the goals, the data’s context, and the potential pitfalls. Proper training and experience can help in maximizing the benefits of traffic analysis while minimizing risks.
Given the complexity and subtleties involved in network traffic analysis, it’s recommended that forensic investigators continuously update their training and remain informed about the latest techniques and threats in the domain.
After extracting the pcap files, the next step is to analyze the network traffic captured during the period the network card was active. Here’s how to proceed:
Navigate to the extracted pcap directory. If Wireshark isn’t installed on your system, visit wireshark.org to download and install it. Once installed, Wireshark-associated icons will appear next to each pcap file.
The Wireshark interface will open, displaying the captured traffic. Adjust the view settings and apply filters as required based on your forensic goals.
The following is an example of network traffic analysis with a focus on cloud traffic.
Analyzing pcap files requires a sound understanding of network traffic patterns and potential security threats. It’s crucial to interpret the data accurately to avoid misleading conclusions.
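As an added example (not ForensicVM's own code), here is a Python triage script for the pcap files the server produces. It parses a classic libpcap capture with the standard library only, counts the hosts the guest talked to, and flags every packet the guest sent into a private/local address range, which the built-in firewall is supposed to block: a hit means either a gap in the firewall or the guest probing the lab network, and both are worth knowing before the capture is opened in Wireshark. The guest address (10.0.2.15), the NAT resolver (10.0.2.3) that the guest is allowed to reach, and the capture bytes themselves are constructed assumptions; a real capture is passed in as the bytes read from the pcap file.

```python
"""Offline pcap triage: added example, not part of ForensicVM.
Parses a classic libpcap file (Ethernet, IPv4 only) with the standard library
to answer two questions after the network card was enabled: which hosts did the
guest talk to, and did anything reach a local/private network the firewall should
have blocked. Guest address, allowed resolver and capture bytes are constructed."""
import ipaddress
import struct
from collections import Counter

LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PRIVATE_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")


def parse_pcap(data: bytes):
    """Yield (ts, src_ip, dst_ip, proto, sport, dport) per IPv4 frame.
    Non-IPv4 frames are skipped; a truncated final record ends the iteration."""
    if len(data) < 24:
        raise ValueError("not a pcap file: missing global header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # second form: big-endian writer
    if endian is None:
        raise ValueError("unsupported capture format (pcapng or unknown magic)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        sport = dport = None
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:        # TCP and UDP both start with the ports
            sport, dport = struct.unpack("!HH", l4[:4])
        yield (ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport)


def remote_endpoints(data: bytes, guest_ip: str) -> Counter:
    """Packets sent by the guest, counted per (dst_ip, proto, dport)."""
    counts = Counter()
    for _ts, src, dst, proto, _sport, dport in parse_pcap(data):
        if src == guest_ip:
            counts[(dst, PROTO_NAMES.get(proto, str(proto)), dport)] += 1
    return counts


def local_leaks(data: bytes, guest_ip: str, allowed_local=(), local_nets=PRIVATE_NETS) -> list:
    """Packets the guest sent into a local/private range that is not explicitly
    allowed (e.g. the NAT resolver). The firewall is meant to block these, so
    any hit means either a firewall gap or the guest probing the lab network."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    allowed = set(allowed_local)
    return [p for p in parse_pcap(data)
            if p[1] == guest_ip and p[2] not in allowed
            and any(ipaddress.ip_address(p[2]) in n for n in nets)]


def build_frame(src_ip, dst_ip, proto, sport=0, dport=0, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4 frame with a minimal TCP or UDP header
    (checksums left zero: good enough for parsing, not for sending)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("525400123456") + bytes.fromhex("525400654321") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames, t0: int = 1_700_000_000) -> bytes:
    """Wrap frames in a little-endian classic pcap, one second apart."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


GUEST_IP = "10.0.2.15"           # assumed guest address (QEMU user-mode NAT default)
RESOLVER_IP = "10.0.2.3"         # assumed NAT resolver: the one local peer the guest may use
SAMPLE_PCAP = build_pcap([       # constructed capture
    build_frame(GUEST_IP, RESOLVER_IP, 17, 51000, 53, b"dns"),
    build_frame(GUEST_IP, "203.0.113.10", 6, 51001, 443),   # public host (TEST-NET-3)
    build_frame("203.0.113.10", GUEST_IP, 6, 443, 51001),   # its reply
    build_frame(GUEST_IP, "203.0.113.10", 6, 51002, 443),
    build_frame(GUEST_IP, "192.168.1.20", 6, 51003, 445),   # SMB into the lab LAN: a leak
    build_frame(GUEST_IP, "192.168.1.20", 6, 51004, 445),
])

if __name__ == "__main__":
    for key, n in remote_endpoints(SAMPLE_PCAP, GUEST_IP).most_common():
        print(n, key)
    for ts, src, dst, proto, sport, dport in local_leaks(SAMPLE_PCAP, GUEST_IP, (RESOLVER_IP,)):
        print(f"LEAK {ts:.0f} {src}:{sport} -> {dst}:{dport} {PROTO_NAMES.get(proto)}")
```

The parser deliberately rejects pcapng input (the format newer Wireshark versions save by default) rather than misreading it, and stops at a truncated final record instead of raising, since a capture that ended when the card was disabled may well be cut mid-packet. The leak check only looks at packets the guest originated: replies from the internet are addressed to the guest’s own private address and would otherwise be false positives.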
Media Management in ForensicVM: Leveraging ISOs for Enhanced Forensic Investigations
In forensic investigations, the ability to access and utilize a wide array of specialized tools is of utmost importance. Different cases present unique challenges and often require specific utilities or software to effectively extract, analyze, or visualize evidence. ISO files, serving as encapsulations of entire file systems, are adept at housing a myriad of these specialized tools, thereby ensuring forensic professionals are always equipped with the right utilities.
The management and utilization of ISO files within ForensicVM is precisely tailored to meet the multifaceted demands of modern forensic investigations. Herein, a meticulously crafted procedure allows investigators to seamlessly navigate, upload, select, insert, eject, delete, and even boot from these ISO files. This integration ensures that forensic experts are never bound by just the in-built tools in ForensicVM, offering the flexibility to dynamically introduce and employ auxiliary resources as the situation demands.
From a safety standpoint, using ISOs inside a virtual environment such as ForensicVM has clear benefits:
Network Isolation: tools loaded from an ISO need no network connectivity. This avoids the risks that come with enabling the network card and ensures that neither the evidence nor the operating environment is exposed to network-borne threats or malware.
Protective Shield: tools run inside the ForensicVM rather than on the host. Any malicious activity they trigger stays within the virtual machine, as far as the hypervisor’s isolation holds, so the host system, its network and the primary forensic workstation are not affected.
Evidence Preservation: working in a controlled environment significantly reduces the risk of contaminating or inadvertently altering the evidence, which is essential for its admissibility in court.
ForensicVM’s ISO management therefore both broadens the toolkit available to investigators and strengthens the safety, security and integrity of the investigative process. This section describes these operations in detail.
In the realm of digital forensics, every tool and capability at an investigator’s disposal can be the difference between uncovering critical evidence or hitting a dead end. ISO files, in particular, offer a versatile medium to house a myriad of investigative utilities. With ForensicVM, managing and utilizing these ISO files becomes a straightforward endeavor, optimizing both efficiency and efficacy. Here’s an overview of the key operations:
Browse and Upload ISO: Discover how to navigate the interface to select and upload essential ISO files to the ForensicVM environment.
Select ISO / Web Select CD-ROM: Instructions on choosing the right ISO file or CD-ROM from the Autopsy ForensicVM Client Plugin or from the web interface.
List Remote ISO Files: Get an overview of all ISO files stored remotely on the ForensicVM server.
Insert ISO / Web Insert CD-ROM: Learn how to virtually insert an ISO file or CD-ROM for access within the virtualized forensic image, from the Autopsy ForensicVM Client Plugin or from the web interface.
Eject ISO / Web Eject CD-ROM: Step-by-step guidance on safely ejecting a mounted ISO file or CD-ROM, from the Autopsy ForensicVM Client Plugin or from the web interface.
Delete ISO: Understand how to remove ISO files that are no longer needed, ensuring a clutter-free workspace.
Bootable Media: Dive into the specifics of booting from an ISO or CD-ROM, a critical capability for certain forensic tasks.
Proceed to the relevant subsections for detailed instructions and best practices to make the most of the media management features in ForensicVM.
When conducting a forensic investigation, specialized tools are often required to aid in the extraction or analysis of data. Many of these tools are conveniently bundled into ISO files. With ForensicVM, you can seamlessly upload these ISO files, making them readily accessible for your investigation tasks. Here’s a step-by-step guide to doing so:
Step 1: Access the Media Panel
Navigate to the Autopsy VM and locate the ForensicVM Client Plugin.
The upload process might take some time, depending on the size of the ISO file. There’s no progress bar available currently, so please be patient and wait for a confirmation message to appear, indicating a successful upload.
During the upload process, the Autopsy ForensicVM Client Plugin might become unresponsive. This is expected behavior. Please wait patiently until the upload completes.
Step 5: Verify the Uploaded ISO
Once uploaded, you should be able to see the ISO file listed in the ISO Management section of the ForensicVM server. This ensures your tools are now ready to be utilized in your ongoing investigation.
When investigating digital evidence, it’s crucial to maintain a catalog of tools and resources available for the task. ForensicVM facilitates this by allowing users to store ISO files remotely on its server. This section outlines the procedures to access and view this list of remotely stored ISO files.
There are two primary methods to view these files:
Being able to virtually insert an ISO file or CD-ROM into the virtualized forensic image is pivotal during a digital investigation. Different tools and utilities can be loaded on the fly without compromising the integrity of the original image. This flexibility speeds up the forensic workflow and allows investigators to adapt to different scenarios quickly. The following sections guide you on how to accomplish this task using either the Autopsy ForensicVM Client Plugin or the web interface.
After successfully uploading and inserting an ISO into the virtualized forensic environment, the next step is to leverage the tools within. This section will guide you through accessing and utilizing the programs and utilities contained in the ISO.
Step 1: Locate the Virtual CD-ROM Drive
Once you’ve inserted the ISO as a virtual CD-ROM, navigate to your operating system’s file explorer or equivalent.
Locate the virtual CD-ROM drive which should appear similar to a physical CD-ROM drive.
Inside the virtual CD-ROM content, sift through the directories and files to locate the specific program or tool you intend to run.
Once found, initiate the program or utility. Depending on the nature of the tool, you might have to run it as an administrator or follow specific launch procedures.
Each forensic tool or utility will have its set of instructions, either embedded within its interface or provided as a separate README file.
Follow these instructions meticulously to ensure accurate and efficient processing.
Should your investigation involve extracting or marking potential evidence, utilize the “Possible Evidence” virtual drive. This virtual drive is specially designed within ForensicVM to store and segregate potential pieces of evidence without contaminating the original data.
There are instances during a forensic investigation where analysts may need to interact directly with the operating system or leverage specific tools that necessitate booting into a virtual machine (VM). ForensicVM’s virtual CD-ROM drive has a unique characteristic: it can only accept CD-ROM insertions when the VM is running.
The booting process of a CD-ROM involves the following steps:
Boot into the operating system or access the BIOS/UEFI screen.
Insert the virtual CD-ROM into the drive.
Perform a reboot or reset operation.
Access the BIOS or UEFI by pressing the “ESC” key.
Navigate to the boot device selection menu and confirm your choice.
Method 1: Boot from Virtual CD-ROM Post-OS Bootup (BIOS showcase)
Step 1: Boot into the Operating System
Initiate a boot sequence and load the operating system.
Tip
While the example showcases a user login, you don’t necessarily need to log in. Simply booting into the operating system is sufficient.
From the available boot options, select the corresponding number for the virtual CD-ROM or DVD-ROM drive. For instance, in the example given, you’d press “4”.
If the operations proceed without hitches, the virtual media will boot. Depending on the media’s nature, it might present a selection menu or lead straight to its primary function.
With the ISO booted, you can now access and employ the forensic tools contained therein, tailoring your investigative approach based on the utilities available.
Deleting an ISO file through this method does not prompt any confirmation dialog. Proceed with caution. It’s assumed that users have the original ISO file stored elsewhere (e.g., on their local computer) and can re-upload it if necessary.
Snapshots in ForensicVM: A Crucial Asset for Investigators
Why snapshots are so important for a forensic investigation
In the dynamic realm of digital forensics, the ability to preserve, replicate, and revert to specific states of digital evidence is paramount. Snapshots in ForensicVM offer this essential capability. Here’s an in-depth look at why snapshots are indispensable for forensic investigators:
The base snapshot or sometimes referred to as the ‘first snapshot,’ is a reflection of the initial state of a system or a piece of evidence. Just as a crime scene investigator would secure a scene to ensure no contamination occurs, in digital forensics, the base snapshot acts as that secured, untouched crime scene. It represents the data in its original, unaltered form, enabling investigators to always have a pristine reference point.
Digital evidence, by its very nature, is volatile. A single action, intentional or accidental, can alter the evidence, possibly rendering it inadmissible in court. Snapshots act as safety nets. Should the evidence be unintentionally modified or corrupted, investigators can easily revert to a previous snapshot, ensuring the integrity of the evidence remains uncompromised.
Forensic investigation often involves a series of “what-if” scenarios. Investigators may want to test a hypothesis or simulate actions that a suspect might have taken. With snapshots, these simulations can be executed without the risk of permanently altering the evidence. After an analysis, the system can be reverted to its original state using the snapshot, ready for another hypothesis to be tested.
Documentation and Chain of Custody: Every snapshot can serve as a documented step in the investigative process, aiding in maintaining a clear chain of custody.
Efficiency and Speed: Instead of restoring from backups or original sources, which can be time-consuming, snapshots allow for quick reversion, making the investigative process more efficient.
Risk Mitigation: Especially in complex cases involving malware or unknown data structures, snapshots provide a safety mechanism, allowing investigators to explore without risking the primary evidence source or the investigation platform.
Note
Working with Snapshots and ForensicVM
Before diving into the functionalities associated with snapshots, it’s crucial to understand a fundamental prerequisite: the ForensicVM needs to be up and running. Snapshots essentially capture the state of a virtual machine at a specific point in time. As such, to make the snapshot meaningful and functional, the ForensicVM has to be in an operational state.
If you haven’t started your ForensicVM yet, please do so by following these steps:
Open the Autopsy ForensicVM Client: Ensure that you have the client interface open and accessible.
Locate the ‘Start’ Option: Within the interface, navigate to the main control panel where you have options to ‘Start’, ‘Stop’, ‘Shutdown’, etc., for the ForensicVM.
Initiate the ForensicVM: Click on the ‘Start’ option to boot up the ForensicVM. It might take a few moments for the virtual machine to initialize and be fully operational.
Once the ForensicVM is running, you can proceed with snapshot-related tasks, ensuring accurate capture and representation of the virtual machine’s state.
It is highly recommended to create your first snapshot immediately after the machine begins its booting process. Doing so preserves the initial state of the ForensicVM, making it easier to revert back to a clean state at any time during your investigation. Snapshots can be invaluable during forensic investigations, especially when you need to return to a specific point in time or recover from potential mistakes.
Create a snapshot
Open the Autopsy ForensicVM Client: Ensure you have the Autopsy ForensicVM Client interface launched and ready.
Navigate to Snapshot Management: This section is dedicated to creating, viewing, and managing snapshots of your ForensicVM.
Initiate Snapshot Creation:
Click on the “Create new” button located within the Snapshot management area.
A visual representation of the ‘Create new’ button used for initiating a snapshot creation in the Autopsy ForensicVM Client interface.
Once you’ve successfully created a snapshot, it will be saved and listed in the Snapshot management section. You can then access this snapshot whenever needed to revert your ForensicVM to that particular state.
While the Autopsy ForensicVM Client interface typically auto-updates to display all available snapshots, there may be occasions where the list isn’t refreshed in real-time. In such scenarios, it’s beneficial to use the “List Remote Snapshots” feature to manually fetch and view the list of all remote snapshots associated with the current ForensicVM.
List snapshots
Open the Autopsy ForensicVM Client: If not already open, launch the Autopsy ForensicVM Client interface to access the snapshot management features.
Navigate to the Snapshot Management Area: This section provides tools and options related to creating, viewing, and managing snapshots of your ForensicVM.
Manually List Remote Snapshots:
Look for the “List Remote Snapshots” button. This button is specifically designed to fetch the list of snapshots from the remote server and display them within the interface.
Click on the “List Remote Snapshots” button to initiate the listing process.
A visual guide highlighting the ‘List Remote Snapshots’ button within the Autopsy ForensicVM Client interface.
Once clicked, the interface should update and display all the remote snapshots associated with the current ForensicVM. If any issues persist, ensure that the ForensicVM Client has proper network access and permissions to communicate with the remote server.
If you ever find yourself needing to undo changes and revert the forensicVM to a previous state, the snapshot functionality is a powerful tool that allows you to do so. Here’s a step-by-step guide to help you navigate the rollback process.
Steps to Reverse to a Snapshot
Locate the Desired Snapshot:
Snapshots are typically named in the format snap-YYYY-MM-DD_HHMMSS.
Browse through the list and find the snapshot that represents the state you wish to revert to.
Click on the intended snapshot. Once selected, it will be highlighted with a blue background and a white foreground, indicating your selection.
Initiate the Rollback:
With the desired snapshot selected, locate and click the rollback button.
Warning
Potential Issues & Solutions:
At times, the rollback process might not go as smoothly as intended. Here’s what to do if you encounter issues:
Stalled ForensicVM: If the forensicVM doesn’t return to its previous state or appears to be stalled:
1. Use the Reset VM option to reset the virtual machine.
2. Once reset, attempt the Rollback action again to revert to the desired state.
Undoing the Rollback: A rollback is irreversible. The state of the forensicVM immediately before the rollback is discarded, unless you captured it in a snapshot first.
Best Practice Recommendation:
Before initiating a rollback, it’s highly recommended to create a new snapshot of the current state. This way, if you later decide you want to revert to the state that existed just before the rollback, you’ll have that option available. Simply rollback to the snapshot you took immediately before executing the rollback.
Remember, handling snapshots requires care, as they represent specific points in time of the ForensicVM’s state. Always ensure that you’ve selected the correct snapshot before initiating a rollback.
Snapshots can become redundant or unnecessary over time, and you might want to reclaim some storage space. Deleting a snapshot will free up this space without affecting the current state of your forensicVM. Here’s a step-by-step guide:
Select the Snapshot:
In the list of snapshots, click on the one you wish to delete. The selected snapshot will be highlighted, indicating your selection.
Navigate to the *Danger Zone!* Section:
Once you have the desired snapshot selected, move to the section labeled “Danger Zone!”.
Initiate the Deletion:
Find and click on the Delete button.
A confirmation popup will appear to ensure that you truly want to delete the selected snapshot. If certain, proceed by pressing the “OK” button.
Snapshot Deletion Interface
Warning
Always double-check the snapshot you are deleting. Once deleted, it cannot be recovered. It’s a good habit to ensure you have backups or other necessary snapshots before deleting any.
Snapshots in ForensicVM are not just a feature; they are a cornerstone of effective and responsible digital forensic investigations. They safeguard evidence, enable exploratory analysis, and provide peace of mind to investigators, ensuring that the quest for truth remains both accurate and uncompromised.
Plugins serve as a vital component of the forensicVM, offering an array of capabilities that can greatly assist forensic investigators. Often, forensic investigators encounter forensicVM machines that are locked or protected by certain security measures, making it difficult to access them. One common scenario is where the forensicVM is locked behind a user account, with the suspect not revealing the password. Plugins provide methods to bypass these protections.
The suite of plugins specifically designed to bypass authentication includes:
Add Windows Forensic Admin:
This plugin creates a new local Windows account and adds it to the Administrators group. The credentials are:
Username: forensicAdmin
Password: forensicAdmin
The account can also be used to reset the password of any other local account. Be aware that an administrative password reset (as opposed to a change made with the old password) leaves that user’s DPAPI master keys encrypted under a password that no longer exists, so data keyed to them, such as EFS files and saved browser or Credential Manager passwords, becomes unreadable. When such data is in scope, use the Bypass Windows Password plugin instead of a reset.
Add Linux Forensic Admin:
Creates a new Linux user with the following credentials:
Username: forensicAdmin
Password: forensicAdmin
This user is granted ‘sudo’ permissions, allowing elevated access.
Patch Accessibility:
A patch to the Sticky Keys accessibility feature (sethc.exe) so that pressing the Shift key five times on the Windows logon screen opens a cmd.exe prompt running as SYSTEM, from which an investigator can add accounts or reset passwords without logging on.
Bypass Windows Password:
This plugin patches the ntlmshared.dll library so that local logon accepts any password. The account’s stored NT hash is left untouched, so the logon session is built from the real credential rather than a reset one. That is what keeps data tied to the original password usable, including DPAPI-protected secrets (saved browser and Credential Manager passwords, EFS keys) and encrypted auto-mounted BitLocker volumes that depend on the original user’s credentials for access.
Apart from authentication bypass, there are plugins designed to circumvent other security measures:
Disable Windows Defender and Firewall:
Certain external tools, such as the NirSoft utilities or Mimikatz, are blocked or deleted by antivirus software as soon as they are copied onto the system. This plugin disables both Windows Defender and the Windows Firewall so that such tools can be run inside the ForensicVM.
Reset Windows 2003 or XP Activation:
This is required for instances where a forensic investigator needs to access machines that are awaiting activation, like Windows 2003 or XP. The plugin resets the activation to allow unobstructed login.
BOOTFIX: Disable Driver Enforcement:
When working with older systems or in scenarios where you’ve converted a forensic image, you might encounter certain constraints related to driver signatures. The “Disable Driver Enforcement” utility addresses these challenges:
Allow Unsigned Drivers: By default, many operating systems, especially modern ones, enforce driver signing for security reasons. Disabling this enforcement lets you run unsigned drivers. This can be particularly handy for running drivers like virtio on older systems.
Support for Programs Using Unsigned Drivers: Some utilities or programs require the use of unsigned drivers. Disabling the driver enforcement provides flexibility to run these applications without any hitches.
Blue Screen Issue Resolution: After converting a forensic image, systems may sometimes experience the infamous Blue Screen of Death (BSOD) due to driver issues. This tool can assist in resolving those problems by ensuring that all drivers, even the unsigned ones, can run without any enforcement barriers.
Note
While these plugins provide powerful capabilities, they should be used responsibly and ethically. Misuse could lead to unintended consequences or legal issues.
Forensic investigations often require an adaptable approach, and the ability to extend functionality through plugins makes the ForensicVM tool particularly versatile. To stay updated with the latest available plugins or to review the catalog of installed plugins, the Autopsy ForensicVM Client provides an easy-to-use interface.
Steps to List Available Plugins
Navigate to the ‘Plugins’ Tab:
Open the Autopsy ForensicVM Client and access the Plugins tab. This tab consolidates all plugin-related functionalities, making it easier to manage and deploy extensions.
Refresh the Plugin List:
To get the most recent list of plugins, simply click on the List Remote Plugins button. This action fetches and displays all available plugins from the remote repository, ensuring you’re working with the latest toolset.
The capability to execute plugins enhances the versatility of the ForensicVM, allowing for specialized tasks and bypassing certain security measures. However, prior to running any plugin, precautions are necessary to ensure the integrity of the investigation and to minimize potential issues.
Important
Pre-plugin Execution Recommendation:
Before initiating any plugin, it is imperative to capture the current state of the machine using a snapshot. This provision safeguards against any unintended or adverse actions by the plugin, facilitating a revert to the original state if necessary. Start the machine, create a snapshot, and then proceed to shut down the ForensicVM.
Procedure to Execute a Plugin:
Ensure ForensicVM is Stopped:
Before running any plugins, verify in the VM control area that the forensic virtual machine is in a stopped state.
Select the Desired Plugin:
Navigate to the plugin management area and designate the specific plugin you intend to run.
Execute the Selected Plugin:
Initiate the plugin execution by pressing the Run Selected Plugin button.
Review the Plugin Output:
Post execution, it’s vital to inspect the results and logs. These can be found within the Output Console tab.
For the integrity of the process, always shut the ForensicVM down completely before executing any plugins. On Windows 8 and later, a normal shutdown with Fast Startup enabled is a hybrid shutdown that hibernates the kernel session; holding Shift while clicking Shut down forces a full shutdown instead. A hibernated guest leaves the file system and registry hives in an inconsistent on-disk state, so offline changes made by plugins can be lost or corrupt the guest when it resumes, and snapshot reverts may misbehave.
Join the Community Plugins Project and Shape ForensicVM’s Future!
The Community Plugins Project for Autopsy ForensicVM is an open initiative aimed at driving innovation and enhancing the functionality of the ForensicVM tool. As a community-driven platform, we invite individuals from all backgrounds to contribute. Whether you’re a seasoned developer, a forensic investigator with a penchant for coding, or a user with an innovative idea, your input can make a difference!
If you’ve developed a new plugin or made improvements to existing ones, follow these steps to contribute:
Fork the Project: Fork the main repository to create a personal copy you can work on.
Commit Your Changes: Make your changes, ensuring they adhere to the project’s coding standards and best practices.
Suggest a Merge: Once ready, submit a pull request. Our team will review your code, and if it meets our quality standards, it will be merged into the next release.
If you have ideas for new plugins, features, or improvements, but aren’t looking to code them yourself, you can still contribute:
Open an Issue: Navigate to the Issues section on our GitHub page.
Describe Your Idea: Provide as much detail as possible. This helps in understanding and potentially implementing your suggestion.
Engage with the Community: Once your issue is posted, community members might join the discussion, providing feedback, insights, or offering to develop your idea.
Note
Collaboration is the backbone of open-source projects. By sharing ideas, providing feedback, or contributing code, you’re not just enhancing a tool; you’re building a community.
Recording and maintaining a chain of custody in digital forensics is paramount to ensuring the integrity and veracity of digital evidence. When it comes to making comments or annotations about the custody of particular items, it is essential to have a robust system in place that captures these comments accurately and provides mechanisms for their retrieval. The following elaborates on the importance of such a system:
By having a system that records all chain of custody comments, it ensures transparency in the process. If there are any questions about how evidence was handled, one can refer back to the comments made at any given point in time. This keeps all stakeholders accountable.
For any digital forensic evidence to be admissible in court, the chain of custody must be clearly documented. A system that saves comments regarding custody and allows for their retrieval ensures that this requirement is met.
Multiple investigators may handle a piece of evidence. By having a centralized system for comments, it ensures that all investigators have access to the same information, promoting consistency in the process.
Within ForensicVM, investigators have the capability to take snapshots and add comments at various stages of their analysis. If any errors are made regarding the custody of evidence or during the investigation, these snapshots provide a safe point to which investigators can roll back. This ensures that mistakes can be swiftly corrected without affecting the integrity of the ongoing analysis. Furthermore, the ability to review comments alongside these snapshots can assist investigators in pinpointing exactly where the mistake occurred, providing valuable insights for learning and improvement in future investigations.
Chain of Custody: Document, Save, and Download as DOCX
Open the chain of custody web modal popup by clicking on the designated button and enter your comment in the textbox provided. Once done, click the button to submit your comment to the database.
Open the chain of custody web modal popup and submit comment
Review the downloaded chain of custody report. The report will display details such as the user, date, action, parameters of the action, UUID of the forensicVM, and the IP address of the user.
Virtual introspection, a pioneering feature in ForensicVM, revolutionizes the way forensic analysts, IT professionals, and cybersecurity experts interact with and analyze virtual machines. This tool is indispensable for in-depth digital investigations and cybersecurity assessments, as it provides an exhaustive and unobstructed view into the virtual machine’s operating environment. Through virtual introspection, users can meticulously examine real-time processes, command line executions, memory-loaded files, active handles, and the entire system’s status, gaining critical insights that are often elusive in traditional analysis.
The power of virtual introspection in ForensicVM is harnessed through the advanced capabilities of QEMU, an esteemed open-source machine emulator and virtualizer. QEMU’s sophisticated technology enables the creation of precise memory snapshots of the virtual machine at any given instance. These snapshots encapsulate the VM’s exact state at the moment of capture, providing a rich dataset for thorough forensic examination. To analyze these memory snapshots, ForensicVM integrates Volatility 3, a state-of-the-art memory forensics framework known for its robust analytical tools and detailed insights. Volatility 3 processes the captured data, uncovering intricate details about the VM’s internal operations and activities.
The integration of virtual introspection in ForensicVM represents a significant leap in virtual machine forensics. It not only simplifies the investigative process but also elevates the depth and quality of the analysis. Whether it’s uncovering hidden processes, detecting signs of malware, or exploring system anomalies, virtual introspection equips users with the necessary tools to conduct comprehensive and efficient examinations. This capability is especially crucial in today’s digital landscape, where virtual environments are increasingly complex and security threats are constantly evolving.
As the digital world continues to expand and evolve, tools like virtual introspection in ForensicVM become essential for maintaining cybersecurity and understanding the intricacies of virtual systems. Its ability to provide detailed snapshots and in-depth analysis of the Windows operating system makes it an invaluable asset for any professional dealing with digital forensics, cybersecurity, and IT management. By staying ahead with such advanced technologies, ForensicVM ensures that its users are well-equipped to face the challenges of modern digital forensics and cybersecurity.
The current iteration of ForensicVM’s virtual introspection is specialized and optimized exclusively for Windows operating systems. This focus is not without its limitations, particularly in its exclusion of Linux operating systems. While the specialized design for Windows ensures that the tool is precisely attuned to the distinct characteristics and complexities of Windows environments, enhancing its effectiveness and accuracy, it does mean that users working with Linux systems are currently unsupported.
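The pipeline described above, as an added illustration that is not ForensicVM’s own code: a minimal QMP client asks QEMU for a guest-physical memory dump in ELF format, then runs Volatility 3 plugins against it. The socket path, dump path, the `vol` command name and the tab-to-plugin mapping are assumptions; the manual does not state which Volatility plugins ForensicVM actually runs, and the Windows-only limitation above is why every mapped plugin is a `windows.*` one.

```python
"""Guest-memory snapshot over QMP, then Volatility 3 over the dump.

Added example illustrating the introspection pipeline the manual describes;
not ForensicVM's own code. Socket path, dump path, the `vol` command name and
the tab-to-plugin mapping are assumptions.
"""
import json
import socket
import subprocess

# Assumed mapping from the manual's introspection tabs to Volatility 3 plugins.
TAB_TO_PLUGIN = {
    "Process Tree": "windows.pstree",
    "Command Line Arguments": "windows.cmdline",
    "Environment Variables": "windows.envars",
    "Possible Malware Injection Processes": "windows.malfind",
    "Netscan Results": "windows.netscan",
    "Possible User Password Hashes": "windows.hashdump",
}


def dump_guest_memory_command(path: str, fmt: str = "elf") -> dict:
    """QMP request for a guest-physical memory dump.

    paging=False dumps physical memory (what Volatility expects, not a
    per-process virtual view); the ELF container is read by Volatility 3
    directly. QEMU pauses the guest while writing, so the snapshot is atomic."""
    return {
        "execute": "dump-guest-memory",
        "arguments": {"paging": False, "protocol": f"file:{path}", "format": fmt},
    }


def volatility_cmdline(dump_path: str, plugin: str, renderer: str = "json") -> list:
    """Command line for one Volatility 3 plugin; the json renderer yields
    machine-readable rows that a UI tab can display."""
    return ["vol", "-r", renderer, "-f", dump_path, plugin]


class QmpClient:
    """Minimal QMP client. `sock` is any object with sendall()/recv(); in
    production it is a UNIX socket connected to QEMU's -qmp unix:... server."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""
        greeting = self._recv()
        if "QMP" not in greeting:
            raise RuntimeError(f"not a QMP greeting: {greeting}")
        self._call({"execute": "qmp_capabilities"})  # leave negotiation mode

    @classmethod
    def connect(cls, sock_path: str) -> "QmpClient":
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(sock_path)
        return cls(s)

    def _recv(self) -> dict:
        """Read one newline-terminated JSON message."""
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("QMP socket closed")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return json.loads(line)

    def _call(self, cmd: dict) -> dict:
        self.sock.sendall(json.dumps(cmd).encode() + b"\n")
        while True:
            msg = self._recv()
            if "event" in msg:      # STOP/RESUME etc. arrive interleaved; skip them
                continue
            if "error" in msg:
                raise RuntimeError(msg["error"].get("desc", msg["error"]))
            return msg["return"]

    def dump_memory(self, path: str) -> dict:
        return self._call(dump_guest_memory_command(path))


def introspect(sock_path: str, dump_path: str) -> dict:
    """Dump the guest and run every mapped plugin; returns {tab: rows}."""
    QmpClient.connect(sock_path).dump_memory(dump_path)
    results = {}
    for tab, plugin in TAB_TO_PLUGIN.items():
        proc = subprocess.run(volatility_cmdline(dump_path, plugin),
                              capture_output=True, text=True, check=True)
        results[tab] = json.loads(proc.stdout)
    return results


if __name__ == "__main__":
    import sys
    for tab, rows in introspect(sys.argv[1], sys.argv[2]).items():
        print(f"{tab}: {len(rows)} rows")
```

Run it as `python introspect.py /run/qemu/forensicvm.qmp /evidence/guest.elf` on a host where the guest was started with `-qmp unix:/run/qemu/forensicvm.qmp,server,nowait` (both paths are assumptions). The dump lands on the server, never inside the guest, so the snapshot does not disturb the evidence copy.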
Starting Virtual Introspection:
To begin virtual introspection, first run the forensicVM until the operating system has fully booted. Then, press the ‘Virtual Introspect’ button located on the forensicVM web client interface:
Screenshot of the Virtual Introspect button in the forensicVM web client
Once you press the button, a progress window will appear. This window will automatically display the results of the introspection process upon completion.
Progress window for Virtual Introspection in forensicVM
Components of ForensicVM Introspection:
The ForensicVM introspection window is organised into tabs; those described here are:
Process Tree: Displays a list of all active processes within the system, providing insight even when the forensicVM is locked on the login screen.
Command Line Arguments: Shows the commands and arguments that are or were being executed in the system.
Command Line Arguments tab in ForensicVM Introspection
Environment Variables: Lists the environment variables associated with each running process.
Environment Variables tab in ForensicVM Introspection
Possible Malware Injection Processes: Identifies processes that may have been injected or run with elevated privileges, which could suggest malware activity but also include false positives.
Possible Malware Injection Processes tab in ForensicVM Introspection
Netscan Results: Provides a list of open network connections, which can be indicators of compromise, especially if connections to known malicious sites are detected.
Possible User Password Hashes: Displays account password hashes (typically NT hashes) recovered from memory. They can be attacked offline with a dictionary or a cracker such as hashcat or John the Ripper. Submitting case hashes to a public web service such as crackstation.com is convenient but discloses evidence to a third party outside your chain of custody, so check your case-handling rules first.
Possible User Password Hashes tab in ForensicVM Introspection
Example Case:
In the worked example, the hash belonging to the Bart Simpson account is cracked to reveal the original password, “bart”.
The conversion of a forensic image into a ForensicVM generates a configuration file in the background. This file encompasses various configuration parameters for the forensic virtual machine, such as memory size, attached disks, UEFI boot options, and more. The “Fine-Tuning” section within the Autopsy ForensicVM Client interface facilitates adjustments to certain parameters—currently, the ForensicVM’s memory size and its start date & time.
Modifying Memory Size:
Navigate to the “Fine-Tuning” section in the interface.
Use the slider to adjust the memory size as desired.
Click the “Change” button to save your selection.
For the changes to take effect, shut down the ForensicVM and then start it again.
Note
Merely restarting the VM will not apply the memory adjustments. It’s imperative to shut down and then start the VM afresh.
Setting the VM Date & Time:
Enter the desired date and time in the format YYYY-MM-DDTHH:MM:SS (an ISO 8601 timestamp; note the literal T separating the date and time components).
Press the “Set” button to save the new start date & time for the VM.
Again, to apply this change, shut down and then start the ForensicVM.
Below is an illustration showcasing both the memory size adjustment slider and the VM date & time setting option:
Fine-Tuning memory size and setting ForensicVM start date & time
For remote server administration, a webshell based on the shellinabox project has been adapted into a Django application. It provides root access to the server from a browser, which makes it a valuable tool for troubleshooting and remote management tasks; for the same reason it should only be reachable over HTTPS and from trusted networks.
Accessing the WebShell:
There are two primary methods to access the WebShell:
Through the Autopsy ForensicVM Client Plugin:
Within the plugin interface, click on the Open ForensicVM WebShell button. This action will open the WebShell in your default browser.
WebShell accessed via Autopsy ForensicVM Client Plugin
Via the ForensicVM Main Web Interface:
Navigate to the main interface and click on the Shell link to access the WebShell.
WebShell accessed via ForensicVM Main Web Interface
WebShell Interface:
Upon accessing the WebShell, users will encounter an interface resembling the following:
Note
The WebShell is a direct interface to the server with root privileges. Always log out when your session ends so that an unattended browser does not keep a root shell open.
Netdata is a real-time monitoring tool for servers and applications. On the ForensicVM Server it shows resource usage (CPU, memory, disk and network) so you can confirm the server is running smoothly.
This appendix details the ForensicVM Case Study and Challenge, which is designed to highlight the differences between the evidence collected by dead-box forensics and live-forensics in a virtualized environment. The data set was created with VirtualBox and features a Windows 11 Pro environment equipped with various local and cloud applications. The image was captured using the FTK Imager in Expert Witness Format (EWF).
Virtualisation is required to extract vital evidence.
Bypassing the ‘Bart’ password is necessary to access the applications.
Existing passwords within the data set must remain unchanged to maintain the integrity of the challenge.
The Bart Windows password is simple, but the challenge encourages ethical hacking skills to bypass or crack it.
The following steps provide a structured approach to tackle the ForensicVM challenge:
Utilise dead-box forensics techniques in Autopsy to attempt full data retrieval from cloud and local applications. Document all findings.
Virtualize the forensic image using the Autopsy ForensicVM plugin.
Attempt to identify and bypass the Bart password to gain access to the applications.
Run the ForensicVM
Without internet access, systematically extract information from each cloud and local application. Document all findings.
Enable internet access and repeat the information extraction process, noting any differences.
Record any additional information obtained after establishing an Internet connection.
Identify and document information related to the two financial applications present in the environment.
Extract and analyse data related to cryptocurrency.
Create a comprehensive chain of custody for all investigative actions taken.
Conduct and document a memory dump and network traffic dump.
Capture all investigative actions via video and take screenshots for evidence support.
For further information, refer to the ForensicVM Autopsy Plugin User Manual available at:
The resolution of the digital forensic challenge began with the establishment of a new case within Autopsy. The initial phase involved the creation of a case as captured in Fig. 252.
To facilitate analysis, host information was generated as shown in Fig. 255, which helps align the investigative environment with the specifics of the case.
The subsequent step was to select the disk image or VM file that contained the forensic evidence, ensuring that the correct data source was incorporated into the investigation (Fig. 256).
The timezone configuration is critical for accurate timestamp analysis; therefore, the forensic image path was established and the timezone was adjusted to Europe/Lisbon as part of the configuration process (Fig. 257).
Configuring the Forensic Image Path and Timezone
For initial data processing, the ingest modules ‘Recent Activity’ and ‘Picture Analyser’ were selected to extract user activity and image-related evidence (Fig. 258).
The investigator then waited for the data source to be added, monitoring the progress to ensure it was successfully incorporated into the case (Fig. 259).
Exploration of the “OS Accounts” section yielded the security-question answers, a potential avenue for password bypass: all answers were “bart”, which could provide a breakthrough in the case (Fig. 261).
The discovery of the password ‘Lisa@Springfield’ via the Web Form Autofill artefacts in Autopsy represents a pivotal development. This password is a critical piece of evidence, as it could grant access to restricted areas that may contain further information or clues. Its recovery, displayed in Fig. 262, underscores the importance of a thorough examination of digital artefacts within a forensic investigation.
Moreover, the identification of specific applications such as Eraser 6.2.0.2993, a secure file deletion tool, and HomeBank 5.7.1, a personal finance application, offers insight into the suspect’s actions and intent. As depicted in Fig. 263, the presence of these applications may suggest attempts to conceal activity or to manage finances in a way that is pertinent to the investigation.
Applications of Interest Including Secure File Deletion and Personal Finance Management Tools
The further discovery of Money Manager Ex v.1.6.4, another financial management tool, as indicated in Fig. 264, reinforces the financial angle of the user’s activity profile. This could be integral to constructing a narrative regarding the suspect’s financial dealings or motivations.
Additional Financial Application Money Manager Ex Indicating In-Depth Financial Activities
Lastly, the opening of a financial database named example.xhb from the HomeBank files, as shown in Fig. 265, further corroborates the financial dimension of the investigation. This particular file may contain transaction records, budgets, or other financial data which could be analysed to provide a clearer understanding of the suspect’s financial behaviour or potential illicit activities.
Opened Financial Database example.xhb Revealing Recent User Activities with Financial Data
The discovery of the example.xhb database in XML format, as depicted in Fig. 266, adds a layer of complexity due to the proprietary structure of the file. Special attention must be paid to the data structure to interpret the financial information contained within, and specific tools or methods may be needed to extract and analyse the data accurately.
Proprietary XML Structure of the example.xhb Database
The identification of cloud applications in the forensic investigation is critical as it may provide insight into data that is not stored locally on the device. The accounts discovered through Autopsy, including GitHub, live.com, discord.com, and evernote.com, extend the potential for finding evidence to the cloud. The presence of these services, as shown in Fig. 267, suggests a broad range of user activity, from software development and project management to personal communication and note-taking, which could be relevant to the case.
Overview of Cloud Applications Uncovered in Autopsy
Tagging folders related to financial applications within Autopsy helps in organising evidence and highlights the importance of financial data in the investigation. As illustrated in Fig. 268, tagging these folders ensures that relevant information is easily accessible and distinguishable from unrelated data, facilitating a more efficient investigation.
Tagging of Folders Pertaining to Financial Applications
The creation of an Autopsy HTML report is a critical step for documenting the investigation, offering a comprehensive and accessible format for presenting the findings. The series of figures from Fig. 269 to Fig. 273 covers various aspects of the report, from the general overview to specific details regarding data sources and tagged items.
Detailing the Data Source ‘bart.E01’ within the HTML Report
Autopsy HTML Report Showing Tagged Items and Analysis Results
Compilation of All Results in the Autopsy HTML Report
Report Detailing Found Cloud Applications and Associated Usernames
Local applications and those identified as relevant through tagging were systematically documented within the Autopsy report as well. This incorporation of tagged local and cloud applications allows for a more comprehensive review of the software environment of the system under investigation (Fig. 274).
Tagged files depicting local and cloud applications within Autopsy
Live forensic with ForensicVM - Phase 1: Network disabled
The commencement of live forensics entails the virtualization of the forensic image, utilizing the capabilities of the ForensicVM server and client infrastructure.
The initial step involves launching the ForensicVM client ingest module from Autopsy, as illustrated in Fig. 275.
Subsequently, the image was virtualized. Using the command Virtualize - a) Convert to VM, a working copy of the forensic image is created; its hardware abstraction layer is adjusted by injecting virtio-optimized drivers, culminating in a ForensicVM, as depicted in Fig. 276, Fig. 277, and Fig. 278.
The recovery-question answers were all “bart”, so that value was tried as the password. This worked because the answers had been set to the password itself, as shown in Fig. 279.
Access was successfully gained to the Bart desktop, whose wallpaper hinted at malicious intent with the message “I will hack Springfield…”, as seen in Fig. 280.
The desktop was populated with numerous icons, one of which launched the Evernote cloud application. Opening it revealed several recent notes: Extra images, Secret nuclear plants, Bart Simpson Passwords, and My pass, as illustrated in Fig. 281.
Within Evernote, a notebook titled Bart secret plans containing three notes was identified. Exporting these notes to the ForensicVM evidence drive is an essential step, as illustrated in Fig. 282.
The notes were then stored in a subfolder named Evernote, located within the Cloud_applications tag in Autopsy. The Bart secret plans export was saved to this folder, as detailed in Fig. 284.
The export procedure was repeated for another notebook titled Primeiro bloco de notas, which was likewise saved to the Evernote folder on the evidence disk, as depicted in Fig. 286.
Exporting ‘Primeiro bloco de notas’ from Evernote
Investigation revealed that the bart secret plans notebook was shared by a user named Nuno Mourinho, which may indicate collaborative or shared use of its contents, as evidenced by Fig. 287 and Fig. 288.
Shared user detail for ‘bart secret plans’ notebook
Notebook sharing information indicating ‘Nuno Mourinho’
Additionally, the Evernote trash was scrutinized, and it was confirmed that no notes had been deleted, as shown in Figure Fig. 289. The absence of deleted notes might suggest that the user did not attempt to remove evidence or considered the contents of the notes to be non-incriminating.
The forensic analysis included observing software behaviour in a controlled environment. The Discord application displayed a notification for an update, which could not be completed because the machine had no internet connectivity, leaving the application in a state of limbo, as depicted in Fig. 290.
[Figure: Discord application unable to update without internet connection]
Subsequently, GitHub Desktop, a graphical client for interacting with GitHub repositories, was launched. It attempted to locate a repository named hackSpringField, but without internet access the search was unsuccessful, as demonstrated in Fig. 291.
[Figure: GitHub Desktop failing to find the ‘hackSpringField’ repository]
Because there was no internet or local network connection, the content of the GitHub repository could not be retrieved or reviewed at this stage; this is an essential point to consider for subsequent investigative steps. The situation is highlighted in Fig. 292.
[Figure: Unreachable GitHub repository contents due to lack of network connectivity]
The investigation then moved to financial applications, with a specific focus on Homebank. The application was launched from its desktop icon, as captured in Fig. 293.
Upon accessing Homebank, the last opened file, named example.xhb, was identified, suggesting a possible area of interest for the investigation. The examination of this file is depicted in Fig. 294.
Within the example.xhb file, the existence of a Bitcoin account was noted. Even though the file bore the name ‘example’, it was considered worthy of detailed examination to discern any potential financial improprieties or to trace financial transactions, as shown in Fig. 295.
[Figure: Evidence of a Bitcoin account in the Homebank file ‘example.xhb’]
So far, this analysis underscores the complexity of digital forensics, particularly when dealing with cloud-based services and financial software, where access to the content is often restricted without proper connectivity or credentials.
Upon uncovering Bitcoin-related transaction data within the Homebank application, steps were taken to document this information. The transactions were exported to a PDF file for ease of analysis and future reference, a process captured in Fig. 296 and Fig. 297.
[Figure: The process of printing transaction data to a PDF file]
The forensic examination then proceeded to another financial application, Money Manager Ex. Upon launch, the application’s dashboard revealed an account with the noteworthy title ‘Springfield ransom’, as displayed in Fig. 298.
[Figure: Dashboard of Money Manager Ex showing the ‘Springfield ransom’ account]
Within this application, two significant transactions were identified: a withdrawal of 222 million by a user named Homer, and a deposit of 100 million to a Mr. Burns. These transactions, detailed in Fig. 299, could suggest a flow of funds that may be pertinent to the investigation.
[Figure: Transactions in Money Manager Ex involving significant sums of money]
To collate the findings, a PDF document was created and stored on the evidence drive, ensuring the preservation of the data uncovered during the investigation. This step is illustrated in Fig. 300 and Fig. 301.
Finally, verification was carried out to ensure that the PDF created did indeed contain the exported transaction data, as can be confirmed from Fig. 302.
[Figure: Confirmation of the exported transaction data within the PDF document]
Live forensics with ForensicVM - Phase 2: Network enabled
Continuing the live forensic analysis using ForensicVM, the investigation progressed to include cloud-based evidence after the network interface was activated. This crucial step is depicted in Fig. 303.
[Figure: Enabling the network interface on the ForensicVM webscreen]
One of the primary cloud applications scrutinised was GitHub Desktop. This application was of particular interest because it may hold repositories that could provide evidence of illicit activity if the computer in question belonged to a potential hacker. As an initial step, the repository named hackSpringField was cloned, a process illustrated in Fig. 304.
[Figure: Cloning the deleted repository ‘hackSpringField’ using GitHub Desktop]
Within the cloned repository, a README file disclosed Bart’s likely malicious intent, containing the message “I will hack Springfield Buhahahahahaha!”, as seen in Fig. 305.
[Figure: The README file within the ‘hackSpringField’ repository indicating potential malevolent intentions]
The exploration of Bart’s GitHub repositories revealed several with names that suggest they could be tools for malicious purposes:
RATreeViewSpringField
StichRATSpringfield
TheFatRatSpringField
awesome-ratSpringField
basicRATSpringField
These repositories were cloned as part of the investigative process, as documented in Fig. 306, Fig. 307, and Fig. 308.
[Figure: Cloning of repositories suspected to be associated with malicious activities]
[Figure: Acquiring repository content for further forensic analysis]
[Figure: Documentation of the cloned repositories from the suspected hacker’s GitHub account]
Subsequently, the cloned repositories were transferred to a specifically labelled folder, ‘Github-Internet On’, within the cloud_applications Autopsy tag folder, with the process captured in Fig. 309, Fig. 310, and Fig. 311.
[Figure: Copying cloned repositories to the designated forensic analysis folder]
[Figure: Organising the collected repositories in the ‘Github-Internet On’ folder for detailed examination]
The shared notebook named bart secret plans now has 14 notes, an increase of 11 from when the system was examined in offline mode. This surge in content could indicate active use, or simply synchronization once the network was enabled. Among these notes, several are titled ‘Command and Control (C2C)’ followed by a sequence number, which suggests a structured approach to potentially illicit command sequences. Furthermore, the presence of Evernote Cloud API python guide notes could imply an intention to use Evernote as a platform for issuing commands to compromised systems or for managing a network of controlled devices. One illustrative note contains the command sdelete -z c:, which overwrites the free space of a drive with zeros, typically to prevent data recovery. This is a concerning find, possibly indicative of attempts to obscure or destroy evidence, and is depicted in Fig. 311.
[Figure: Screenshot illustrating the use of the ‘sdelete’ command within a note from the ‘bart secret plans’ notebook]
In a detailed examination, all notes from the bart secret plans notebook were exported as multiple webpages to be preserved as evidence, as shown in Fig. 312 and Fig. 313.
[Figure: Exporting the contents of ‘bart secret plans’ to webpages, part 1]
[Figure: Exporting the contents of ‘bart secret plans’ to webpages, part 2]
Similarly, the Primeiro bloco de notas (First Notebook) was exported, revealing an additional note not previously visible in offline mode. The findings are presented in Fig. 314.
[Figure: The export process of the ‘Primeiro bloco de notas’ indicating the presence of an additional note]
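The exported note webpages described above are plain HTML, so a first triage pass can be automated. The following is an added example, not ForensicVM code: it strips the HTML from each exported note and flags lines matching well-known anti-forensic commands (the sdelete free-space wipe seen in the C2C note, plus the cipher /w and wevtutil cl variants an examiner would typically look for alongside it). The note names and contents below are constructed for the demo; nothing is read from a real Evernote export.

```python
"""Triage helper for exported Evernote note webpages (added example).

Scans the visible text of each note for indicators of anti-forensic
activity so an examiner can prioritise which notes to read first.
"""
import html
import re

# Constructed sample of exported notes (simplified Evernote HTML).
# Only the 'sdelete -z c:' line comes from the case narrative; the rest is made up.
SAMPLE_NOTES = {
    "Command and Control (C2C) 3.html":
        "<html><body><div>Run on target:</div>"
        "<div><code>sdelete -z c:</code></div></body></html>",
    "Evernote Cloud API python guide.html":
        "<html><body><p>pip install evernote</p></body></html>",
    "Command and Control (C2C) 7.html":
        "<html><body><p>cleanup: wevtutil cl Security &amp;&amp; cipher /w:C:\\</p></body></html>",
}

# Indicator name -> regex matched (case-insensitively) against a note's visible text.
INDICATORS = {
    "free-space wipe (sdelete)":
        re.compile(r"\bsdelete(?:64)?(?:\.exe)?\s+(?:-[a-z]+\s+)*-[zp]\b", re.I),
    "free-space wipe (cipher)":
        re.compile(r"\bcipher(?:\.exe)?\s+/w:", re.I),
    "event log clearing (wevtutil)":
        re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
}

TAG_RE = re.compile(r"<[^>]+>")


def note_text(note_html):
    """Return the visible text of an exported note: tags removed, entities decoded,
    whitespace collapsed to single spaces."""
    text = TAG_RE.sub(" ", note_html)
    text = html.unescape(text)
    return " ".join(text.split())


def scan_note(note_html):
    """Return a list of (indicator_name, matched_text) found in one note."""
    text = note_text(note_html)
    return [(name, m.group(0))
            for name, rx in INDICATORS.items()
            if (m := rx.search(text))]


def scan_notes(notes):
    """Map note filename -> findings, keeping only notes with at least one hit."""
    report = {}
    for filename, note_html in notes.items():
        hits = scan_note(note_html)
        if hits:
            report[filename] = hits
    return report


if __name__ == "__main__":
    for filename, hits in scan_notes(SAMPLE_NOTES).items():
        print(filename)
        for name, matched in hits:
            print(f"  {name}: {matched!r}")
```

To use it on a real export, replace SAMPLE_NOTES with a dict built by reading each .html file from the Evernote folder on the evidence disk; the indicator table is deliberately small and should be extended with whatever commands are relevant to the case.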
Upon inspecting the Discord application, which was set to the Portuguese language, we accessed the user bart.simpson’s server. The server’s activity log, accessed via the bart.simpson_springfield login, can be observed in Fig. 315.
[Figure: Accessing Discord server with bart.simpson_springfield user credentials]
Further investigation within the server revealed a channel named ‘Servidor de bart.simpson’ (bart.simpson’s server), which contained an announcement seemingly related to the sale of data on the dark web. Opening the server is shown in Fig. 316 and the announcement is captured in Fig. 317.
[Figure: The Discord server ‘Servidor de bart.simpson’ accessed for investigation]
[Figure: Announcement on ‘Servidor de bart.simpson’ revealing intentions to sell data on the dark web]
Within the Discord channel named cyber-security-bypass, the user ‘bart’ claimed to have exfiltrated data from the Springfield Nuclear Plant. Evidence of such a breach was showcased in an Excel file, presented as a sample of the exfiltrated data. Additionally, ‘bart’ stipulated a ransom demand of 1000 dollars for the recovery of the data, directing that payment be made to a specified Bitcoin wallet. This incriminating interaction, including the digital ransom note and the proof of the stolen data, is captured in Fig. 318.
[Figure: Screenshot displaying the ransom demand and sample of exfiltrated data from Springfield Nuclear Plant on Discord]
Following the discovery of the Discord communication, the chain of custody report was downloaded using the ForensicVM webscreen interface. This procedure is critical for maintaining the integrity of the digital evidence and ensuring that all investigative actions are properly documented. The process of downloading this report is depicted in Fig. 319 and Fig. 320.
[Figure: Downloading the chain of custody report via the ForensicVM webscreen interface, part 1]
[Figure: Downloading the chain of custody report via the ForensicVM webscreen interface, part 2]
The next phase of the investigative process involves exporting the ForensicVM evidence disk in the virtual machine disk (VMDK) format. This step is necessary so that the disk can be imported into the Autopsy analysis tool for a comprehensive examination. The sequence of actions taken to halt the ForensicVM, followed by the initiation of the ‘Import Evidence Disk’ process, is illustrated in Fig. 321 through Fig. 324.
[Figure: Initiating the export of the ForensicVM evidence disk from the Autopsy Forensic Client main interface]
[Figure: Stopping the ForensicVM in preparation for exporting the evidence disk]
[Figure: Selection of the ‘Import Evidence Disk’ option in the Autopsy Forensic Client]
[Figure: Finalization of the ForensicVM evidence disk export in VMDK format]
In the final step of the digital forensic analysis, a new data source was added to the Autopsy forensic software: the VMDK disk containing the evidence previously gathered from ForensicVM. This action is essential for enabling a detailed examination and analysis within the Autopsy environment. The step-by-step process of adding this new evidence source is captured in Fig. 325 through Fig. 330.
[Figure: Initiating the addition of a new data source in Autopsy]
[Figure: Selecting the evidence disk for the new data source]
[Figure: Completion of the new data source addition in Autopsy]
Once the evidence disk has been imported into Autopsy, the investigation enters a detailed examination phase. The evidence disk, structured with folders mirroring the tags used within Autopsy, allows for an organized and efficient review process. The subsequent investigative steps leverage this logical structure and tagging system to ensure a comprehensive analysis of the data.
The first step is the cataloging and verification of the imported data against the original evidence tags. This confirms that the transfer succeeded and that the integrity of the data was maintained during the process. Because the folders align with the Autopsy tags, investigators can swiftly confirm the presence and accuracy of all tagged items.
Following this, a thorough content analysis within each tagged folder will be undertaken. Since these folders are organized based on the categorization relevant to the investigation, the analysis can be targeted and specific. Investigators will parse through each category, looking for suspicious patterns or incriminating evidence that correlates with the activities under investigation.
Subsequently, cross-referencing the extracted evidence with the case timeline will be imperative. The analysis will involve correlating timestamps of file creation, modification, and deletion with the case events. Such a timeline analysis can often unearth critical insights into the suspect’s behavior and modus operandi.
The investigation will also include a thorough review of any executable files and scripts that were used or potentially created as part of the suspect’s activities. The scripts found in the ‘C2C’ (Command and Control) folders, for example, will be scrutinized to understand the nature of the commands issued, their targets, and the extent of control exerted over compromised systems.
A meticulous examination of communication logs and metadata is also essential. This includes not only traditional system logs but also any extracted communication from applications such as Discord, as indicated by the presence of specific tags and folders. Insights gleaned from these sources can be invaluable in establishing the suspect’s network of contacts and the breadth of the cyber-security breach.
In addition, a deep-dive analysis into the files marked for deletion or those found within the unallocated space of the file system will be conducted. Using file carving techniques, investigators aim to recover and reconstruct such files, as they may hold critical evidence that the suspect attempted to obscure or erase.
Finally, the entire investigation will be supported by a robust documentation process. Each step, discovery, and piece of evidence will be recorded with exacting detail. This ensures that the chain of custody is preserved and that all the investigative actions can withstand the rigorous scrutiny of legal proceedings.
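The verification and documentation steps above (confirming that every tagged item arrived intact and keeping a record that survives scrutiny) can be backed by a hash manifest of the evidence disk. The following is an added example, not part of ForensicVM or Autopsy: it walks an evidence disk whose top-level folders are named after Autopsy tags, records a SHA-256 digest, size and UTC modification time for each file, and later verifies an imported copy against that manifest, reporting changed, missing and unexpected files. The sample evidence-disk layout it creates is constructed for the demo (the Cloud_applications tag comes from the case; the Financial tag is made up).

```python
"""Evidence-disk integrity manifest (added example, not ForensicVM code)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large evidence files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {tag, sha256, size, mtime_utc}.
    The tag is the top-level folder, which mirrors the Autopsy tag name."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            manifest[rel] = {
                "tag": rel.split("/", 1)[0],
                "sha256": sha256_of(full),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return manifest


def verify_manifest(root, manifest):
    """Compare the disk at root with a previously built manifest.
    Returns {'changed': [...], 'missing': [...], 'unexpected': [...]}; all empty means intact."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest
                          if p in current and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def files_per_tag(manifest):
    """Count manifest entries per Autopsy tag folder, for the cataloging step."""
    counts = {}
    for entry in manifest.values():
        counts[entry["tag"]] = counts.get(entry["tag"], 0) + 1
    return counts


def write_file(root, rel, data):
    """Write bytes to root/rel, creating parent folders. Used to build the sample disk."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def make_sample_evidence_disk():
    """Constructed evidence disk whose folders loosely mirror the case's tag layout."""
    root = tempfile.mkdtemp(prefix="evidence_")
    write_file(root, "Cloud_applications/Evernote/Bart secret plans.enex",
               b"<en-export>constructed sample</en-export>")
    write_file(root, "Cloud_applications/Github-Internet On/hackSpringField/README.md",
               b"I will hack Springfield\n")
    write_file(root, "Financial/homebank_transactions.pdf",
               b"%PDF-1.4 constructed sample\n")
    return root


if __name__ == "__main__":
    disk = make_sample_evidence_disk()
    manifest = build_manifest(disk)
    print("files per tag:", files_per_tag(manifest))
    print("fresh copy:", verify_manifest(disk, manifest))
    write_file(disk, "Financial/homebank_transactions.pdf", b"altered after export")
    print("after tampering:", verify_manifest(disk, manifest))
```

In practice the manifest would be built on the exported disk before it leaves ForensicVM, stored alongside the chain of custody report, and re-run after the VMDK has been added as an Autopsy data source; a non-empty result from verify_manifest is the signal to stop and investigate the transfer before analysis continues.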
If the virtio drivers installed automatically during the virtualization phase are unsigned, or carry a signature that is invalid for your operating system, the machine may fail to boot and enter a recovery boot loop. To address this issue, follow these steps:
1. Advanced options in the Automatic Repair boot screen:
Press the “Advanced options” button.
[Figure: Advanced options in the Automatic Repair boot screen]
2. Troubleshoot:
Select the “Troubleshoot” option.
This behaviour has been observed in older Windows versions, such as Windows 8.1. Mismatches or odd dates in the driver certificate can lead to this issue.
If you encounter issues with the forensicVM, you might need to directly edit its configuration files or control its state (start/stop). Below is a step-by-step guide on how to perform these actions:
In the Autopsy ForensicVM Client Plugin, select DEBUG: Remote ssh to folder.
[Figure: DEBUG: Remote ssh to folder option in the Autopsy ForensicVM Client Plugin]
Elevate to root permissions. Enter the su command and provide the root password when prompted.
A processor with multiple cores capable of handling 64-bit data chunks simultaneously. It’s essential for ForensicVM to achieve optimal performance, especially during intricate tasks.
An open-source digital forensics platform designed for analyzing, managing, reporting, and conducting digital investigations. It is used for disk forensics, post-mortem analysis, and handling forensic data. The platform also provides a user interface to manage various functionalities, including the ForensicVM. ForensicVM requires compatibility with at least Autopsy version 4.20.
An extension for the Autopsy framework, this plugin facilitates interaction with the ForensicVM environment. Through this interface, forensic investigators can access and manage various functionalities, including snapshot, ISO, and tools management like WebShell and Netdata. It is also tailored for managing and analyzing virtual forensic machines.
Autopsy ForensicVM Client Plugin: A Comprehensive Interface Guide
A detailed guide describing the functionalities and operations of the Autopsy ForensicVM Client Plugin.
A subset of the Autopsy platform focused on tools and functionalities used for conducting investigations, such as analyzing disk images or VM files, and post-mortem analysis.
Extensions or tools within the Autopsy platform designed to enhance its forensic investigation capabilities. These plugins extend the core functionality of the Autopsy platform. The ForensicVM Client Plugin is a notable example.
Markers or labels within the Autopsy platform that aid in organizing and categorizing evidence. They are represented as directories or folders on the evidence disk.
Often referred to as the ‘first snapshot,’ this represents the initial state of a system or piece of evidence, functioning as an untouched reference point.
A drive encryption feature integrated into the Microsoft Windows operating system. In the provided context, the entire encrypted BitLocker drive is showcased being transferred for forensic analysis.
Digital storage media, like an ISO, that contains a boot sector, allowing a computer to start up from it. It provides details about booting from an ISO or CD-ROM for specific forensic tasks.
Refers to the potential issue of a machine not booting when certain drivers, such as virtio drivers, are unsigned or possess an invalid signature for a given operating system.
The chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.
A file that stores settings and parameters that define how a software or system behaves, and contains various parameters for the forensic virtual machine, such as memory size, attached disks, UEFI boot options, and more.
An entity from which digital evidence is extracted. This can refer to a repository, location, specific input, or reference. In the context of Autopsy, it encompasses evidence such as disk images, VM files, or any origin of forensic data. It is used as a connection or reference to gather, analyze, and acquire evidence within the forensic tool.
A specific version of the Debian operating system, also known as Bullseye. Recommended for installing the ForensicVM server and supported by ForensicVM.
A digital copy or replica of a physical disk, also known as a bit-by-bit copy, often used in digital forensics to preserve the state of a drive. In the context of ForensicVM, a forensic image is used as a source for virtualization. As a data source, it represents either a snapshot of a disk or a virtual machine image.
A disk or drive that serves multiple functions. It contains all tags from Autopsy Software and is automatically generated during the conversion of a forensic image to a ForensicVM. The disk contains directories named after Autopsy tags and serves as a container for evidence related to each tag. Additionally, it is the specific storage area where collected forensic evidence is saved and is often labeled as “possible evidence”.
The process of making adjustments to various configuration parameters of a ForensicVM. This is done via a configuration file that is generated when a forensic image is converted into a ForensicVM.
A network security system or component that monitors and controls incoming and outgoing network traffic based on predetermined security policies. Designed to block unauthorized access, it allows only permitted communications to pass.
A user profile with elevated privileges, potentially created for the purpose of a forensic investigation, to ensure unrestricted access to required data.
A digital representation, snapshot, or copy of a storage device or data from a device. It preserves both the structure and content and is used for the purpose of analysis and investigation in digital forensics. Crucial for digital forensic investigations.
A specialized or comprehensive virtual machine environment tailored for forensic investigations. It operates on a hypervisor and is derived from a forensic image. The operating system is detected, and necessary drivers are installed to replicate the functionality of the original system. An initial snapshot is created to preserve the original state. The ForensicVM allows detailed examination within a safe and controlled environment, without risk to other systems or compromising the original data. It often has a network card disabled by default for security reasons and offers tools and functionalities essential for digital forensic investigations. Designed to assist forensic investigators in the virtualization, management, and analysis of forensic images, it’s essential to manage its operations correctly to preserve the integrity of the evidence.
A specialized Autopsy plugin that forms one of the two primary components of the ForensicVM project. It is the main program interface running in Autopsy Software and is designed to assist in the processing, converting, and forensic analysis of virtual machines and forensic images. Tailored for managing and interacting with Forensic Virtual Machines (VM), it facilitates the analysis of VM images.
A component that is part of the ForensicVM toolset and plugin, responsible for initializing and setting up the forensic analysis environment for VM analysis.
The main backbone of the ForensicVM system, developed using Django and Python, it facilitates the functionalities of the ForensicVM.
ForensicVM Server Remote Web Screen/Console Control Interface
A web-based interface designed for remote forensic investigators to collaborate and control the ForensicVM. It lets users interact with the forensicVM directly and provides an interactive console for access to the virtual screen of the remote ForensicVM. It serves as a display of the forensicVM as seen when accessed remotely, especially through web interfaces.
A power-saving mode for computers. In Windows, when the system goes into hibernation, it saves the current state of the system (including open applications and documents) into the hibernation file and shuts down, allowing for a faster start-up later.
A piece of software, firmware, or hardware that creates and manages virtual machines (VMs). Also known as a virtual machine monitor (VMM), it is responsible for the execution of virtualized forensic images, manages resources, and ensures isolation between different instances.
A rapid restart of the forensicVM without fully shutting it down. This is especially useful in scenarios requiring quick troubleshooting, testing, or managing different VM states.
The process of setting up various components, such as Netdata on a system. For ForensicVM Server, Netdata comes pre-installed. It also involves the steps necessary to install and prepare ForensicVM for use.
ISO 9660, also known as ECMA-119, is a file system for optical disc media standardized by the International Organization for Standardization (ISO). It is an optical disc image containing the content from a CD, DVD, or Blu-ray Disc that can be used to reproduce the content of these media. In the context of forensic tools, ISO files are encapsulations of entire file systems used to house specialized forensic tools. (Reference: ISO 9660 on Wikipedia)
The primary user interface within a specific framework, such as Autopsy, from where the forensicVM can be initiated, managed, and controlled. It also offers options to shut down the forensicVM.
A snapshot or the recorded state of the working memory (RAM) of a computer program or system at a specific time. Used in forensic analysis to review the state of the system and includes tools to engage with the active memory data of the forensic virtual machine.
A type of payload in the Metasploit framework that provides a command line interface to the system it runs on. In this context, its presence on a system is considered potential evidence.
An action or option to access and interact with the forensicVM’s main display, either through the Autopsy plugin or web interface. This can be initiated through various means such as a button within the Autopsy ForensicVM Client Plugin that allows users to launch the WebShell in their default browser.
Modular software components that add specific features to an existing computer program. Within the context of ForensicVM and Autopsy, the plugin architecture fosters community involvement and functionality expansion. They enhance or extend functionality and provide forensic investigators with capabilities to bypass protections in locked forensicVM machines. They may also help in functions such as creating new user credentials or resetting existing ones.
An option in operating systems (like Ubuntu 22.10) that allows users to either shut down or log out of their accounts. Proper shutdown is recommended to ensure the integrity of collected evidence.
Quick Emulator. An open-source machine emulator, virtualizer, and hypervisor that performs hardware virtualization. ForensicVM uses QEMU to create a new forensic hypervisor server.
A type of RAID (Redundant Array of Independent Disks) configuration that combines mirroring and striping to protect data. It’s recommended for storing forensic images in ForensicVM.
Random Access Memory. A type of computer memory used for temporary storage and quick access. ForensicVM requires a minimum of 16 GB RAM for efficient operation, although 32 GB or more is recommended for efficient virtualization of forensic images. The Autopsy documentation suggests that the software can use up to 4GB of RAM, not including the additional memory the Solr text indexing server might use.
Network-shared folders in the Windows operating system that do not allow modifications to the shared files. The ForensicVM plugin may create such shares and therefore requires specific permissions.
The act of immediately rebooting the forensicVM, similar to a hard restart. It brings the machine back to its initial or default state without shutting it down completely.
In cybersecurity, it involves using memory dumps to uncover malware behavior, detect hidden processes, analyze injected codes, and assess user credentials.
Small pieces of data stored on a user’s computer during a browsing session, often containing information about user preferences or authentication status.
Shut Down VM on the Web Interface: The method of deactivating the forensicVM directly from the web-based interface.
Shut Down VM on the Web Remote Screen: The method of shutting down the forensicVM when accessed remotely via the web.
Shutdown Button: A user interface control designed to initiate the process to deactivate and shut down the forensicVM. This button is present in the Autopsy Plugin and various other interfaces.
Shutdown Icon: A graphical representation or symbol indicating the control to shut down the forensicVM.
Snapshot Management: The control and management of VM snapshots.
Snapshot Management in ForensicVM: A section or functionality within the ForensicVM or its client interface, where snapshots are created, viewed, and managed.
Tagging Action: The act of marking or labeling a specific item (like a screenshot) for identification, organization, or further analysis.
Tagging in Forensic Context: The process of marking or labeling a piece of evidence or finding with a specific tag or label to easily categorize, search, or identify it later.
A 128-bit number used to uniquely identify some object or entity on the Internet. In this context, it identifies the specific ForensicVM instance that was deleted.
Virtual machine - In computing, a virtual machine (VM) is the virtualization or emulation of a computer system. Virtual machines are based on computer architectures and provide the functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination of the two. Virtual machines are organized by their function; the kind relevant here is the system virtual machine (also called a full virtualization VM), which provides a substitute for a real machine and the functionality needed to execute entire operating systems. A hypervisor uses native execution to share and manage hardware, allowing multiple environments that are isolated from one another yet exist on the same physical machine. Modern hypervisors use hardware-assisted virtualization, with virtualization-specific hardware features on the host CPUs providing assistance to hypervisors. (Reference: https://en.wikipedia.org/wiki/Virtual_machine)
Web Interface for Managing ForensicVM: A web-based platform from which users can manage and control the forensicVM. It offers different functionalities, including shutting down or stopping the machine.
Web Interface for Controlling ForensicVM: A web-based platform through which users can manage, control, and reset the forensicVM. It is accessible through a browser and might be preferable for remote operations or specific service interfaces.
Web Remote Screen: A specific section of the web interface tailored for remote access. It allows users to remotely control and manage the forensicVM, providing options like shutting down the machine.
Web Remote Screen (Shutdown): A method to shut down the forensicVM when accessed remotely, offering flexibility for those working from distant locations or specific service interfaces.
A web-based interface allowing users to remotely control and manage the forensicVM. It can be accessed after logging in. It provides options to reset the machine, among other functionalities.
Web Screen Interface: A web-based platform through which users can interact with and manage the forensicVM.
Web Screen Interface: An interface within the forensicVM that provides access to various settings including network configurations.
Web Screen Interface: A web-based interface that provides access to various functionalities, including the ability to eject and manage media within the ForensicVM.
A tool based on the shellinabox project adapted into a Django application that facilitates enhanced remote server administration, offering secure root access to the server.
A specific file format used to capture and store network packets for later analysis using tools like Wireshark. It is commonly used to capture and save network traffic data.