https://stubstech.github.io/categories/tools/Recent content in tools on StubstechHugo -- gohugo.ioen-usThu, 04 May 2023 00:00:00 +0000https://stubstech.github.io/posts/running-.e01-in-virtualbox/Thu, 04 May 2023 00:00:00 +0000https://stubstech.github.io/posts/running-.e01-in-virtualbox/<p>Doing forensically sound investigations running a image live. Excellent to show what the user might have seen.</p> <h2 id="requirements">Requirements <a href="#requirements" class="anchor">🔗</a></h2><p>Install Virtual Box and FTK Imager. Mount the image to Drive. Not sure if you need both Physical &amp; Logical (to be testet).</p> <p>Mount method: Block Device/ Writable Write Cache Folder: Specify where you want it.</p> <p>The mounting will take som time. In the Mapped Image List you will see what drive and partition it is. Choose the right PhysicalDriveX where X is the number. Depending on how many physical drives you have (e.g. If you have mounted external harddrives etc), the number will change.</p> <pre tabindex="0"><code>VBoxManage.exe createmedium disk --filename=&#34;C:\image\image.vmdk&#34; --variant=RawDisk --format=VMDK --property RawDrive=\\.\PhysicalDrive4 </code></pre><p>Create a new Virtual Machine. Choose the correct OS and remember to use UEFI if its a newer Windows OS (e.g. 10 or 11). If it is a seized object, remember to turn off the network adapters.</p> <p>If you forgot the password to the account, make sure to have an USB handy and use a password tool. Enable USB Controll and use USB 2.0.</p> <p>SATA usually works, but you might change the harddrive to a SCSI if it doesn&rsquo;t.</p>