Another option to bootup evidence files

Posted by Pieces0310


When it comes to booting up evidence files acquired from a target disk, you have two options. One is VFC and the other is Live View. Both of them can create snapshots out of images such as EWF (E01), so forensic examiners can conduct live forensics as if the suspect's computer/laptop were in front of them.


Some may ask if there is another option to boot up evidence files. The answer is "yes". I will show you the combination of FTK Imager and Oracle VirtualBox. First we have to mount the evidence files with Admin privileges.

[screenshot: FTK Imager image mounting dialog]

Now we know the evidence files are mounted as "PhysicalDrive1", so we have to create a VMDK out of this physical drive. Look! It also requires Admin privileges to run this command prompt.

[screenshot: elevated command prompt creating the VMDK from PhysicalDrive1]

If everything is fine, the result shows that we successfully created VMDK files from PhysicalDrive1.

[screenshot: VMDK creation result]

Next we have to create a virtual machine by choosing the existing VMDK files we created above.

[screenshot: VirtualBox new VM wizard selecting the existing VMDK]

Finally we can boot up the suspect's computer/laptop and conduct live forensics.
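The four steps above (mount with FTK Imager, create a VMDK from the physical drive, build a VM around it, boot it) are only shown as screenshots in the post. The script below is an added example, not the author's own command, that drives the VMDK and VM steps with VBoxManage from an elevated PowerShell session. It assumes the E01 set has already been mounted in FTK Imager as PhysicalDrive1 (the number, the VM name `EvidenceVM`, the case folder `C:\Cases\Case001` and the E01 path are all placeholders), that VirtualBox is installed in its default location, and that the FTK Imager mount was done in a write-cached (Block Device / Writable) mode so guest writes land in FTK's cache file rather than in the E01. The SHA256 recorded before booting is there so the examiner can show afterwards that the acquired image was not changed by the live session.

```powershell
# Added example (not from the original post): create a raw-disk VMDK from the
# FTK Imager-mounted evidence drive and wrap a VirtualBox VM around it.
# Assumptions: evidence already mounted as \\.\PhysicalDrive<N> by FTK Imager,
# VirtualBox in its default install path, elevated PowerShell session.

param(
    [int]    $DriveNumber = 1,                              # PhysicalDrive number shown by FTK Imager
    [string] $VmName      = 'EvidenceVM',                   # hypothetical VM name
    [string] $WorkDir     = 'C:\Cases\Case001',             # hypothetical case folder
    [string] $OsType      = 'Windows10_64',                 # guest OS type; match the suspect system
    [string] $EvidenceE01 = 'C:\Cases\Case001\suspect.E01'  # hypothetical first E01 segment
)

$ErrorActionPreference = 'Stop'
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'

# Raw access to \\.\PhysicalDriveN needs administrator rights, as the post notes.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}
if (-not (Test-Path $VBoxManage)) { throw "VBoxManage not found at $VBoxManage" }
if (-not (Test-Path $EvidenceE01)) { throw "Evidence segment not found: $EvidenceE01" }

# Record the evidence hash before booting so it can be compared after the session.
$hashBefore = (Get-FileHash -Algorithm SHA256 -Path $EvidenceE01).Hash
Write-Host "SHA256 of $EvidenceE01 before boot: $hashBefore"

$rawDisk = "\\.\PhysicalDrive$DriveNumber"
$vmdk    = Join-Path $WorkDir "PhysicalDrive$DriveNumber.vmdk"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: raw-disk VMDK descriptor pointing at the mounted evidence drive.
& $VBoxManage internalcommands createrawvmdk -filename $vmdk -rawdisk $rawDisk
if ($LASTEXITCODE -ne 0) { throw "createrawvmdk failed with exit code $LASTEXITCODE" }

# Step 2: create and register the VM, then attach the VMDK as its boot disk.
& $VBoxManage createvm --name $VmName --ostype $OsType --register --basefolder $WorkDir
& $VBoxManage modifyvm $VmName --memory 2048 --cpus 2
& $VBoxManage storagectl $VmName --name 'SATA' --add sata --controller IntelAhci
& $VBoxManage storageattach $VmName --storagectl 'SATA' --port 0 --device 0 --type hdd --medium $vmdk

# Step 3: take a snapshot as a rollback point, then boot the suspect system.
& $VBoxManage snapshot $VmName take 'pre-boot'
& $VBoxManage startvm $VmName --type gui

Write-Host "After the live session, re-run Get-FileHash on $EvidenceE01 and compare it with $hashBefore."
```

VBoxManage itself has to run elevated for `createrawvmdk` to open `\\.\PhysicalDrive1`, which is the same requirement the post points out for its command prompt; the VM process launched by `startvm` inherits that elevation. Re-running `Get-FileHash` after shutting the VM down and comparing it with the recorded value is the check that the E01 was never written to.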

[screenshot: suspect system booted inside VirtualBox]
