Windows Forensics
Disk Acquisition
Our next step in the forensic process is to acquire the disk image of our target virtual machine. Currently, the VM is paused and VirtualBox has locked the disk image, preventing direct interaction. To proceed with acquisition, we need to:
- Unpause the virtual machine.
- Allow Windows to write any pending changes to the disk.
- Perform a clean shutdown of the VM.
After shutting down the VM, we can proceed with disk image extraction. Keep in mind that the clean shutdown itself writes to the disk (flushed caches, event log and registry updates, shutdown timestamps), so note the time you did it; the earlier snapshot preserves the state before those writes, which lets you separate them from the attacker's activity.
In the VirtualBox manager, we can observe three snapshots:
- Initial import
- Post-attack state
- Current state (differences since unpausing and shutdown)
The current state is our target for image creation. We have two options for disk acquisition:
- VirtualBox manager GUI
- Command-line tool (similar to our memory acquisition process)
We'll use the command-line method, but let's first look at the GUI option:
Navigate to Tools > Media to locate the hard disks associated with the MSEdge VM.
Identify the latest disk version. With snapshots in place, each snapshot directs new writes to a "differencing" VDI file chained to its parent, and the current state is the last image in that chain.
The GUI allows you to clone the disk, choose a name, file type, and allocation method (dynamic or fixed). Cloning a differencing image produces a stand-alone image with the merged contents of the whole chain, so the copy can be opened without the parent VDIs.
For our forensic purposes, we'll use the VHD format, which is widely supported by forensic tools.
Now, let's move to the command-line method:
We'll use the VBoxManage clonemedium command. Key parameters include:
- Unique identifier of the target disk
- Output format (VHD in our case)
- Output filename
To identify the correct disk ID, list every registered disk image:
VBoxManage list hdds
This command displays each image's UUID, parent UUID, type (base or differencing), location and capacity. The latest state of our target VM is the differencing image under the MSEdge VM's folder that no other image names as its parent.
Now, we can execute our cloning command:
VBoxManage clonemedium disk [UUID] "Windows 10 disk.vhd" --format VHD
The cloning process will take some time, depending on the amount of data.
Once complete, check the size of the newly created disk image. It will be well under the full 40GB capacity, because a dynamically allocated image only stores blocks that have actually been written. As a critical step in maintaining evidence integrity, we must create a hash of the disk image:
Use the command:
shasum "Windows 10 disk.vhd" > "win10_disk_hash.txt"
Without the -a option, shasum produces a SHA-1 digest; for evidence that may later be challenged, prefer shasum -a 256, and record the algorithm in your notes, since the hash file itself does not name it. Hashing a file this size takes some time.
Command to clone the virtual disk using VBoxManage (clonehd is the older, deprecated alias of clonemedium and takes the same options):
VBoxManage clonehd [Unique Identifier of Disk Image] [Output File Name].vhd --format VHD
Command to list all hard disk drives in VirtualBox:
VBoxManage list hdds
Command to calculate and output the hash of the disk image:
shasum [Disk Image File] > [Output Hash File].txt
Replace [Unique Identifier of Disk Image] with the actual identifier of the disk image you are cloning, [Output File Name] with your desired file name for the cloned disk, and [Disk Image File] and [Output Hash File] with the respective file names for the disk image and the hash output file.
After hashing is complete, we can verify the contents of our hash files:
cat *.txt
This displays the hashes for both our memory dump and disk image, giving us a verified baseline for our forensic analysis. Store the hash files separately from the images, and re-check an image with shasum -c before and after each analysis session so any accidental modification is caught.
With these steps completed, we now have all the necessary evidence securely acquired and hashed, ready for in-depth forensic analysis.
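Putting the command-line procedure together, here is an added shell example (not part of the original course material) that parses the output of VBoxManage list hdds to select the leaf differencing image of a VM's snapshot chain, clones it to VHD and records and verifies a SHA-256 hash. The sample listing, its UUIDs and paths are constructed to match the shape of the real command's output; the --acquire flag and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the course): select the current-state disk of a
# VM from `VBoxManage list hdds`, clone it to VHD and hash the result.
set -eu

# Print the UUID of the leaf image for a VM: the image that no other image
# names as its parent, restricted to Locations containing the VM name.
# Reads `VBoxManage list hdds` output on stdin; prints nothing if no match.
leaf_disk_uuid() {
    local vm_name="${1:-}"
    awk -v vm="$vm_name" '
        /^UUID:/        { uuid = $2; order[++n] = uuid }
        /^Parent UUID:/ { if ($3 != "base") is_parent[$3] = 1 }
        /^Location:/    { sub(/^Location:[ \t]*/, ""); loc[uuid] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (u in is_parent) continue                    # has children
                if (vm != "" && index(loc[u], vm) == 0) continue # other VM
                print u; exit
            }
        }'
}

# Clone the image to a stand-alone VHD, show its size, write a SHA-256 hash
# to a sidecar file and immediately verify the image against that file.
acquire_disk() {
    local uuid="$1" out="$2"
    VBoxManage clonemedium disk "$uuid" "$out" --format VHD
    ls -lh "$out"
    shasum -a 256 "$out" > "${out%.vhd}_sha256.txt"
    shasum -a 256 -c "${out%.vhd}_sha256.txt"
}

# Constructed sample listing (same layout as `VBoxManage list hdds`; UUIDs
# and paths are made up). Chain: 1111 (base) -> 2222 -> 3333 (current).
SAMPLE_HDDS='UUID:           11111111-1111-1111-1111-111111111111
Parent UUID:    base
State:          created
Type:           normal (base)
Location:       /vms/MSEdge - Win10/MSEdge - Win10-disk001.vdi
Storage format: VDI
Capacity:       40960 MBytes

UUID:           22222222-2222-2222-2222-222222222222
Parent UUID:    11111111-1111-1111-1111-111111111111
State:          created
Type:           normal (differencing)
Location:       /vms/MSEdge - Win10/Snapshots/{22222222-2222-2222-2222-222222222222}.vdi
Storage format: VDI
Capacity:       40960 MBytes

UUID:           33333333-3333-3333-3333-333333333333
Parent UUID:    22222222-2222-2222-2222-222222222222
State:          created
Type:           normal (differencing)
Location:       /vms/MSEdge - Win10/Snapshots/{33333333-3333-3333-3333-333333333333}.vdi
Storage format: VDI
Capacity:       40960 MBytes

UUID:           44444444-4444-4444-4444-444444444444
Parent UUID:    base
State:          created
Type:           normal (base)
Location:       /vms/Other VM/Other VM.vdi
Storage format: VDI
Capacity:       20480 MBytes'

# Usage: ./acquire.sh --acquire "MSEdge - Win10" "Windows 10 disk.vhd"
if [ "${1:-}" = "--acquire" ]; then
    uuid="$(VBoxManage list hdds | leaf_disk_uuid "$2")"
    [ -n "$uuid" ] || { echo "no disk image found for VM: $2" >&2; exit 1; }
    acquire_disk "$uuid" "$3"
fi
```

Selecting the leaf by parent links rather than by file modification time avoids picking the wrong image when several VMs share a host, and verifying with shasum -c right after hashing confirms the sidecar file was written correctly before the image is handed on.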