Using ForensicVM
This section provides a detailed guide on how to use ForensicVM in your forensic analysis.
- Running Autopsy Forensic VM Plugin
- Convert a local Forensic Image to a remote Forensic Virtual Machine
- Start Forensic Virtual Machine
- Open or Explore Forensic Virtual Machine
- Shutdown Forensic Virtual Machine
- Stop Forensic Virtual Machine
- Reset Forensic Virtual Machine
- Screenshot Forensic Virtual Machine
- Making screenshots
- Downloading Screenshots as a ZIP File
- Importing Screenshots to Autopsy Software
- 1) Unzip Your Screenshots with Your Favorite ZIP Program (e.g., 7-Zip)
- 2) Copy Screenshot Path in Explorer
- 3) Add a New Data Source
- 4) Select the Host for Which You Have to Import the Screenshots
- 5) Select Logical Files as the Data Source
- 6) Click the Button “Add” to Add a New Logical Data Source Folder
- 7) Paste the Path of the Screenshots and Press “Select”
- 8) Press “Next”
- 9) Deselect All Plugins. Select the Ingest Plugin “Picture Analyser.” Press “Next”
- 10) Press “Finish”
- 11) Browse into the Imported LogicalFileSet Inside the Data Source. Right-click the Mouse
- 12) Select “Open in External Viewer” or Press CTRL+E
- 13) The Image is Displayed
- Making, Downloading, and Analyzing a Memory Dump
- Making and Downloading a Memory Dump
- Security Analysis
- Forensic Analysis
- Legal Evidence
- 1) Press the “Make and Download Memory Dump” Button
- 2) Save the Memory Dump on the Default ForensicVM Image Case Path
- 3) Monitor Memory Download Progress with Time Estimation
- 4) Success Message Stating that the Memory was Saved as “memory.dump”
- 5) Windows Explorer Open on the Memory Dump Folder
- Importing and Analyzing a Memory Dump in Autopsy
- 1) Copy the Path of the Memory Dump from Windows Explorer
- 2) Press the “Add Data Source” Button on the Autopsy Software
- 3) Select the Host to Where the Memory Dump Should be Made and Press Next
- 4) Select as Data Source Type the “Memory Image File (Volatility)” and Press Next
- 5) Click the “Browse” Button to Select the Path Where the Memory Dump Is
- 6) Paste the “memory.dump” Path, Select the memory.dump File, and Press Open
- 7) Configure Timezone, Memory Profile, and Plugins to Run. Press Next
- 8) Deselect All Plugins and Press Next
- 9) Wait Until the Memory Ingest Module is Finished
- 10) Check for Errors and Press “Finish”
- 11) Locate the Memory Dump on the Interface and Browse the Results
- Additional Tools to Analyze Memory Dumps
- Making and Downloading a Memory Dump
- Recording Video Evidence from the ForensicVM
- Gather Evidence Using the Evidence Disk
- Deletion of ForensicVM at Investigation Conclusion
- Managing the Network Card to Capture and Analyse Network Traffic in Wireshark
- Media Management - Use Extra Tools and Boot ISO Files
- Snapshots - A Crucial Asset for Investigators
- Plugins - Security Bypass Utilities
- Chain of Custody Management in ForensicVM
- Virtual Introspection
- Fine-Tuning ForensicVM
- WebShell for Remote Administration
- Netdata on ForensicVM Server
- ForensicVM Case Study - Bart the hacker
- Challenge Solution