Using ForensicVM

This section provides a detailed guide on how to use ForensicVM in your forensic analysis.

Navegating the forensicVM main and web interface

• Running Autopsy Forensic VM Plugin
• Convert a local Forensic Image to a remote Forensic Virtual Machine
  • Method 1: Copy the Local Forensic Image to a New Forensic Virtual Machine on the Server
  • Method 2: Link the Local Forensic Image to a New Forensic Virtual Machine on the Server
• Start Forensic Virtual Machine
  • Three ways to start the forensicVM
    • 1) Start ForensicVM in the Main Plugin Interface
    • 2) Start ForensicVM after Logging in to the Web Interface
    • 3) Start ForensicVM on the Web Remote Screen
  • Special Case: Starting the ForensicVM in Link Mode
• Open or Explore Forensic Virtual Machine
  • 1) Open ForensicVM through the Plugin Interface
  • 2) Browse ForensicVM using the Main Web Interface
  • ForensicVM remote screen interface
• Shutdown Forensic Virtual Machine
  • 1) Shut Down ForensicVM in the Main Plugin Interface
  • 2) Shut Down ForensicVM after Logging in to the Web Remote Screen
  • 3) Shut Down ForensicVM on the Web Interface
• Stop Forensic Virtual Machine
  • 1) Stop ForensicVM in the Main Plugin Interface
  • 2) Stop ForensicVM after Logging in to the Web Remote Screen
  • 3) Stop ForensicVM on the Web Interface
• Reset Forensic Virtual Machine
  • Reset ForensicVM in the Main Plugin Interface
  • Reset ForensicVM after Logging in to the Web Remote Screen
  • Reset ForensicVM on the Web Interface
• Screenshot Forensic Virtual Machine
  • Making screenshots
    • 1) Capture Screenshot in the Main Autopsy Plugin Interface
    • 2) Capture Screenshot in the Web Screen Interface
  • Downloading Screenshots as a ZIP File
    • 1) Press the Save Screenshots Button
    • 2) Save As Dialogue with Default Path
    • 3) Download Progress and Success Alert
    • 4) Open Windows Path with Screenshots.zip
  • Importing Screenshots to Autopsy Software
    • 1) Unzip Your Screenshots with Your Favorite ZIP Program (e.g., 7-Zip)
    • 2) Copy Screenshot Path in Explorer
    • 3) Add a New Data Source
    • 4) Select the Host for Which You Have to Import the Screenshots
    • 5) Select Logical Files as the Data Source
    • 6) Click the Button “Add” to Add a New Logical Data Source Folder
    • 7) Paste the Path of the Screenshots and Press “Select”
    • 8) Press “Next”
    • 9) Deselect All Plugins. Select the Ingest Plugin “Picture Analyser.” Press “Next”
    • 10) Press “Finish”
    • 11) Browse into the Imported LogicalFileSet Inside the Data Source. Right-click the Mouse
    • 12) Select “Open in External Viewer” or Press CTRL+E
    • 13) The Image is Displayed
• Making, Downloading, and Analyzing a Memory Dump
  • Making and download a Memory Dump
    • Security Analysis
    • Forensic Analysis
    • Legal Evidence
    • 1) Press the “Make and Download Memory Dump” Button
    • 2) Save the Memory Dump on the Default ForensicVM Image Case Path
    • 3) Monitor Memory Download Progress with Time Estimation
    • 4) Success Message Stating that the Memory was Saved as “memory.dump”
    • 5) Windows Explorer Open on the Memory Dump Folder
  • Importing and Analyzing a Memory Dump in Autopsy
    • 1) Copy the Path of the Memory Dump from Windows Explorer
    • 2) Press the “Add Data Source” Button on the Autopsy Software
    • 3) Select the Host to Where the Memory Dump Should be Made and Press Next
    • 4) Select as Data Source Type the “Memory Image File (Volatility)” and Press Next
    • 5) Click the “Browse” Button to Select the Path Where the Memory Dump Is
    • 6) Paste the “memory.dump” Path, Select the memory.dump File, and Press Open
    • 7) Configure Timezone, Memory Profile, and Plugins to Run. Press Next
    • 8) Deselect All Plugins and Press Next
    • 9) Wait Until the Memory Ingest Module is Finished
    • 10) Check for Errors and Press “Finish”
    • 11) Locate the Memory Dump on the Interface and Browse the Results
  • Aditional Tools to analyse memory dumps
• Recording Video Evidence from the ForensicVM
  • Record a video from the forensicVM
  • Stop the video recording
  • Download video recording
  • Import video recording for analysis in Autopsy Software
• Gather Evidence Using the Evidence Disk
  • Evidence Disk Creation
  • Collecting Evidence: A Step-by-Step Guide
    • Collect Evidence on Windows
    • Collecting Evidence on Linux
  • Import Possible Evidence Disk into Autopsy
  • Update Evidence Disk Tags
  • Recreate Evidence Disk
• Deletion of ForensicVM at Investigation Conclusion
• Managing the Network Card to Capture and Analyse Network Traffic in Wireshark
  • Enable the Network Card
    • Enable network card using the Autopsy ForensicVM Client Plugin Interface
    • Enable Network Using the Web Screen Interface
    • Reseting the Operating System Network Card
  • Collect Network Evidence
  • Disable the Network Card
    • Disable Network Card with the Autopsy ForensicVM Client Plugin Interface
    • Using the Web Screen Interface to Disable the Network Card
  • Download Wireshark pcap Files
  • Analyze network traffic in Wireshark
• Media Management - Use Extra Tools and Boot ISO Files
  • Uploading an ISO to the ForensicVM Server
  • List Remote ISO Files
    • Using the Autopsy ForensicVM Client Plugin
    • Method 1: Using the Web Interface
  • Insert ISO / Web Insert CD-ROM
    • Using the Autopsy ForensicVM Client Plugin
    • Using the Web Interface
  • Run programs and utilities from ISO
  • Bootable Media
    • Method 1: Boot from Virtual CD-ROM Post-OS Bootup (BIOS showcase)
    • Method 2: Boot from Virtual CD-ROM at Boot Time (Showcasing UEFI)
  • Eject ISO / Web Eject CD-ROM
    • Method 1: Eject using the Autopsy ForensicVM Client Plugin Interface
    • Method 2: Eject using the Web Screen Interface
  • Delete ISO Using the Autopsy ForensicVM Client Plugin Interface
• Snapshots - A Crucial Asset for Investigators
  • Why snapshots are so important for a forensic investigation
    • Base Snapshot: The Pristine Beginning
    • Preserving Evidence Integrity
    • Embracing “What-If” Analysis
    • Additional Considerations
  • Create a new snapshot
  • List Remote Snapshots
  • Select and Rollback a Snapshot
  • Delete a Snapshot
  • In Conclusion
• Plugins - Security Bypass Utilities
  • Authentication Bypass Features
  • Additional Security Bypass Features
  • Browsing Available Plugins
  • Executing Plugins
  • Join the Community Plugins Project and Shape ForensicVM’s Future!
    • Access the Project Repository
    • Contributing Code
    • Feature Suggestions and Plugin Requests
• Chain of Custody Management in ForensicVM
  • Transparency and Accountability
  • Legal Compliance
  • Collaboration and Consistency
  • Error Detection
  • Chain of Custody: Document, Save, and Download as DOCX
    • Save a comment
    • Download chain of custody docx
    • Chain of custody document format
• Virtual Introspection
• Fine-Tuning ForensicVM
• WebShell for Remote Administration
• Netdata on ForensicVM Server
  • Introduction
  • Key Points
  • How to Start with Netdata on ForensicVM Server
  • How Netdata Helps with ForensicVM Server
  • Making Netdata Work for You
• ForensicVM Case Study - Bart the hacker
  • Challenge Description
  • Steps to Solve the Challenge
• Challenge Solution
  • Dead box forensics
  • Live forensic with ForensicVM - Phase 1: Network disabled
  • Live forensic with ForensicVM - Phase 2: Network enabled