You might also want to log in to the running system, so unless the Administrator or user password is blank, youre going to need to get the users or the organizations information technology (IT) departments cooperation to obtain the password or guess the password using brute force tools or passwords obtained from forensic examination of the system.Īn alternative to using tools such as Live View is to mount the image as a read-only file system. Ive used the tool successfully several times to boot and log in to acquired images.
Live View supports most versions of Windows and has limited support for Linux. Live View uses an easy-to-understand GUI (as illustrated in Figure 5.15) to walk you through many of the configuration options required to configure an image to be booted in VMware, and it automates the creation of the necessary files.
The Webinar requires the appropriate client software from. Sometimes this can be very useful when youre investigating a case, because it is so difficult to determine the nature of a running system (given the interactions between various configuration settings, installed software, etc.) during a postmortem analysis.
Using tools such as this, you can boot the system to perform additional analysis, such as antivirus and antispyware scanning, or to simply see what the system looked like when it was running. You can also use ProDiscover to create the necessary files required to boot the image in VMware, which is similar to what the VMware P2V (which stands for physical to virtual) Assistant tool allows you to do. ProDiscover also has the ability to create files needed to boot the image in VMware.įigure 5.14 illustrates these new options. So, rather than pulling all the files out of the image, there are some tools that you can use to convert the image into a format suitable for scanning.īeginning with Version 4.85 of ProDiscover, the tool has the ability to convert an image from either the native ProDiscover format or the dd format to an ISO format.