Welcome to ForensicVM documentation!

Fig. 1 Forensic VM logo

ForensicVM is a comprehensive project designed to assist forensic investigators in the virtualization of forensic images. By utilizing advanced technologies and tools, ForensicVM simplifies the process of analyzing and examining digital evidence in a virtualized environment.

The project consists of two essential components: the ForensicVM client, which is an Autopsy plugin, and the ForensicVM server. These components work seamlessly together to provide a powerful and efficient forensic virtualization solution.

The ForensicVM server, developed using Django and Python, serves as the backbone of the system. It is recommended to install the server on Debian 11, which in turn should be set up on a dedicated bare metal server. This configuration ensures optimal performance and stability for your forensic investigations.

Please note that installing the ForensicVM server on a hypervisor is not recommended. The ForensicVM server itself acts as the hypervisor, and running it within a nested setup may result in unpredictable behavior and performance issues. To maintain the integrity and reliability of your forensic analysis, it is advised to adhere to the recommended server installation setup.

To get started with ForensicVM, your first step is to install the server. For detailed instructions, please refer to the installation section, where you will find step-by-step guidance on setting up the server environment correctly.

Once the server is up and running, you can explore the various capabilities and features of ForensicVM by diving into the usage section. This section provides comprehensive information on how to make the most out of the project, including tips, best practices, and real-world scenarios.

Additionally, if you require a deeper understanding of the technical aspects and functionalities of ForensicVM, check in the addional tForensicVM server in api section. It offers an in-depth exploration of the project’s application programming interface, empowering advanced users to leverage the full potential of the platform.

I would like to emphasize that ForensicVM is an actively developed project. I’m continuously working on enhancing its capabilities, improving performance, and adding new features. Stay tuned for updates and exciting developments as I strive to deliver the most effective and reliable forensic virtualization solution available.

Thank you for choosing ForensicVM. I am confident that it will greatly streamline your forensic investigations and contribute to the success of your work. The first step is to install the server. Head to installation

Check out the usage section for further information, including how to install the project.

ForensicVM Plugin Manual

• Introduction
  • Purpose of ForensicVM
  • Overview of Features
  • Use Cases
• Citation Guidelines
  • Here’s How You Can Cite Us
• System Requirements
  • Autopsy plugin requirements
    • Computer Requirements
    • Operating System
    • Processor
    • Memory
    • Storage
    • Networking
    • Display
    • Software Dependencies
    • Additional Notes
  • Server requirements
    • Operating System
    • Processor
    • Memory
    • Storage
    • Networking
    • Display
    • Software Dependencies
    • Additional Notes
• Installation and Setup
  • AutopsyVM Client Plugin Installation
    • Introduction
    • Step 1: Download ForensicVM.exe Setup File
    • Step 2: Run the ForensicVM.exe Setup
    • Step 3: Complete the Installation
    • Step 4: Verify the Installation
    • Screenshots
  • Initial Setup
    • Step 1: In Autopsy: Add a new data source to Autopsy. This new data source is the forensic image that we need to convert to a forensicVM
    • Step 2: Select your Disk Image
    • Step 3: Select your forensic image
    • Step 4: Run the ForensicVM client plugin
    • Step 5: Open your forensicVM Server web address in the admin. Ex: https://<ip-or-web>:port/admin
    • Step 6: Add a new user
    • Step 7: Add a new api key to the user
    • Step 8: Copy the user API key
    • Step 9: Paste the user API key
    • Step 10: Fill and test the Forensic VM Server configuration
    • Step 11: Forensic VM Server configuration test success
    • Step 12: Configure Windows Share over Forensic SSH Server Redirection
    • Step 13: Windows Share over Forensic SSH copy ssh key status
    • Step 14: Testing Windows Share over Forensic SSH Server Redirection
    • Step 15: Configure windows share over ssh
    • Step 16: Configure the share login and the share password
    • Step 17: Create Share Button
    • Step 18: Create a share Dialog
    • Step 19: Testing the forensicVM image Windows share over ssh
• Getting Started
  • Installing ForensicVM
  • Navigating the Interface
  • Autopsy ForensicVM Client Plugin: A Comprehensive Interface Guide
    • Main Toolbar Overview (1)
    • Secondary Toolbar Overview (2)
    • Main Panel Overview (3)
    • Notification Area (4)
    • Convert Forensic Image to VM (5)
    • VM Control (6)
    • Screenshot Management (7)
    • Make and Download a Memory Dump (8)
    • Tools (9)
    • Network (10)
  • ForensicVM Webscreen Console
    • Webscreen Console Main Area
    • ForensicVM Webscreen Console Control Toolbar
    • Adjusting Screen Scaling: Local Scaling
  • ForensicVM Server Web Control Interface
• Product Overview
  • ForensicVM Architecture
  • Understanding the Interface
  • Plugin Architecture
• Using ForensicVM
  • Running Autopsy Forensic VM Plugin
  • Convert a local Forensic Image to a remote Forensic Virtual Machine
    • Method 1: Copy the Local Forensic Image to a New Forensic Virtual Machine on the Server
    • Method 2: Link the Local Forensic Image to a New Forensic Virtual Machine on the Server
  • Start Forensic Virtual Machine
    • Three ways to start the forensicVM
    • Special Case: Starting the ForensicVM in Link Mode
  • Open or Explore Forensic Virtual Machine
    • 1) Open ForensicVM through the Plugin Interface
    • 2) Browse ForensicVM using the Main Web Interface
    • ForensicVM remote screen interface
  • Shutdown Forensic Virtual Machine
    • 1) Shut Down ForensicVM in the Main Plugin Interface
    • 2) Shut Down ForensicVM after Logging in to the Web Remote Screen
    • 3) Shut Down ForensicVM on the Web Interface
  • Stop Forensic Virtual Machine
    • 1) Stop ForensicVM in the Main Plugin Interface
    • 2) Stop ForensicVM after Logging in to the Web Remote Screen
    • 3) Stop ForensicVM on the Web Interface
  • Reset Forensic Virtual Machine
    • Reset ForensicVM in the Main Plugin Interface
    • Reset ForensicVM after Logging in to the Web Remote Screen
    • Reset ForensicVM on the Web Interface
  • Screenshot Forensic Virtual Machine
    • Making screenshots
    • Downloading Screenshots as a ZIP File
    • Importing Screenshots to Autopsy Software
  • Making, Downloading, and Analyzing a Memory Dump
    • Making and download a Memory Dump
    • Importing and Analyzing a Memory Dump in Autopsy
    • Aditional Tools to analyse memory dumps
  • Recording Video Evidence from the ForensicVM
    • Record a video from the forensicVM
    • Stop the video recording
    • Download video recording
    • Import video recording for analysis in Autopsy Software
  • Gather Evidence Using the Evidence Disk
    • Evidence Disk Creation
    • Collecting Evidence: A Step-by-Step Guide
    • Import Possible Evidence Disk into Autopsy
    • Update Evidence Disk Tags
    • Recreate Evidence Disk
  • Deletion of ForensicVM at Investigation Conclusion
  • Managing the Network Card to Capture and Analyse Network Traffic in Wireshark
    • Enable the Network Card
    • Collect Network Evidence
    • Disable the Network Card
    • Download Wireshark pcap Files
    • Analyze network traffic in Wireshark
  • Media Management - Use Extra Tools and Boot ISO Files
    • Uploading an ISO to the ForensicVM Server
    • List Remote ISO Files
    • Insert ISO / Web Insert CD-ROM
    • Run programs and utilities from ISO
    • Bootable Media
    • Eject ISO / Web Eject CD-ROM
    • Delete ISO Using the Autopsy ForensicVM Client Plugin Interface
  • Snapshots - A Crucial Asset for Investigators
    • Why snapshots are so important for a forensic investigation
    • Create a new snapshot
    • List Remote Snapshots
    • Select and Rollback a Snapshot
    • Delete a Snapshot
    • In Conclusion
  • Plugins - Security Bypass Utilities
    • Authentication Bypass Features
    • Additional Security Bypass Features
    • Browsing Available Plugins
    • Executing Plugins
    • Join the Community Plugins Project and Shape ForensicVM’s Future!
  • Chain of Custody Management in ForensicVM
    • Transparency and Accountability
    • Legal Compliance
    • Collaboration and Consistency
    • Error Detection
    • Chain of Custody: Document, Save, and Download as DOCX
  • Virtual Introspection
  • Fine-Tuning ForensicVM
  • WebShell for Remote Administration
  • Netdata on ForensicVM Server
    • Introduction
    • Key Points
    • How to Start with Netdata on ForensicVM Server
    • How Netdata Helps with ForensicVM Server
    • Making Netdata Work for You
  • ForensicVM Case Study - Bart the hacker
    • Challenge Description
    • Steps to Solve the Challenge
  • Challenge Solution
    • Dead box forensics
    • Live forensic with ForensicVM - Phase 1: Network disabled
    • Live forensic with ForensicVM - Phase 2: Network enabled
• Troubleshooting Guide
  • Booting without signed drivers
  • DEBUG: Remote ssh to folder
• Glossary
• List of Figures