Windows Forensics

Disk Acquisition

Our next step in the forensic process is to acquire the disk image of our target virtual machine. Currently, the VM is paused and VirtualBox has locked the disk image, preventing direct interaction. To proceed with acquisition, we need to:

  1. Unpause the virtual machine.
  2. Allow Windows to write any pending changes to the disk.
  3. Perform a clean shutdown of the VM.

After shutting down the VM, we can proceed with disk image extraction.

In the VirtualBox manager, we can observe three snapshots:

  1. Initial import
  2. Post-attack state
  3. Current state (differences since unpausing and shutdown)

The current state is our target for image creation. We have two options for disk acquisition:

  • VirtualBox manager GUI
  • Command-line tool (similar to our memory acquisition process)

We'll use the command-line method, but let's first walk through the GUI option.

Navigate to Tools > Media to locate the hard disks associated with the MSEdge VM.

Identify the latest disk version, which is typically a "differencing" VDI file.

The GUI allows you to clone the disk, choose a name, file type, and allocation method (dynamic or fixed).

For our forensic purposes, we'll use the VHD format, which is widely supported by forensic tools.

Now, let's move to the command-line method:

We'll use the VBoxManage clonemedium command. Key parameters include:

  • Unique identifier of the target disk
  • Output format (VHD in our case)
  • Output filename

To identify the correct disk ID, list every hard disk image registered with VirtualBox:

VBoxManage list hdds

This command displays all disk images, allowing us to identify the latest state of our target VM.

Now, we can execute our cloning command:

VBoxManage clonemedium disk [UUID] "Windows 10 disk.vhd" --format VHD

The cloning process will take some time, depending on the amount of data.
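Picking the right UUID out of the `VBoxManage list hdds` listing by eye is error-prone once several VMs and snapshot chains are registered on the workstation. The script below is an added example for this page, not part of the course material or of VirtualBox itself. It parses a constructed sample of the command's output (the field names follow the real record layout; the UUIDs, paths and the second "Kali" VM are made up), selects the leaf disk of the MSEdge chain, which is the record that no other disk names as its parent and therefore the differencing image holding the current state, and emits the clonemedium command with `--format VHD`. The reference section further down spells the same clone with `clonehd`, the older alias that VBoxManage still accepts.

```python
"""Select the current-state (leaf) disk of a VM from `VBoxManage list hdds`.

Added example for this page, not VirtualBox tooling. Field names match the
real output; the UUIDs, paths and VM names below are constructed.
"""
import re
import shlex

# Constructed sample output: a base disk for the MSEdge VM with two
# differencing children (snapshots), plus an unrelated VM's base disk.
SAMPLE_LIST_HDDS = """\
UUID:           aaaaaaaa-0000-4000-8000-000000000001
Parent UUID:    base
State:          created
Type:           normal (base)
Location:       /vms/MSEdge - Win10/MSEdge - Win10.vdi
Storage format: VDI
Capacity:       40960 MBytes
Encryption:     disabled

UUID:           aaaaaaaa-0000-4000-8000-000000000002
Parent UUID:    aaaaaaaa-0000-4000-8000-000000000001
State:          created
Type:           normal (differencing)
Location:       /vms/MSEdge - Win10/Snapshots/{aaaaaaaa-0000-4000-8000-000000000002}.vdi
Storage format: VDI
Capacity:       40960 MBytes
Encryption:     disabled

UUID:           aaaaaaaa-0000-4000-8000-000000000003
Parent UUID:    aaaaaaaa-0000-4000-8000-000000000002
State:          created
Type:           normal (differencing)
Location:       /vms/MSEdge - Win10/Snapshots/{aaaaaaaa-0000-4000-8000-000000000003}.vdi
Storage format: VDI
Capacity:       40960 MBytes
Encryption:     disabled

UUID:           bbbbbbbb-0000-4000-8000-000000000001
Parent UUID:    base
State:          created
Type:           normal (base)
Location:       /vms/Kali/Kali.vdi
Storage format: VDI
Capacity:       81920 MBytes
Encryption:     disabled
"""


def parse_hdds(text):
    """Split the listing into one dict per disk record ("Key: value" lines)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "UUID" in rec:
            records.append(rec)
    return records


def leaf_disk(records, vm_path_fragment):
    """Return the VM's leaf disk: the record no other record names as parent.

    The leaf is the differencing image that holds the current state; cloning
    it flattens the whole snapshot chain into one output image. Refuses to
    guess when the match is not unique, so a script never clones the wrong disk.
    """
    parents = {r["Parent UUID"] for r in records}
    candidates = [
        r for r in records
        if vm_path_fragment in r["Location"] and r["UUID"] not in parents
    ]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one leaf disk, found {len(candidates)}")
    return candidates[0]


def clone_command(uuid, output_path):
    """Build the clonemedium invocation used on this page, shell-quoted."""
    return shlex.join(
        ["VBoxManage", "clonemedium", "disk", uuid, output_path, "--format", "VHD"]
    )


if __name__ == "__main__":
    # Replace SAMPLE_LIST_HDDS with the real listing, e.g. from subprocess.
    leaf = leaf_disk(parse_hdds(SAMPLE_LIST_HDDS), "MSEdge")
    print(leaf["UUID"], leaf["Type"], leaf["Location"], sep="\n")
    print(clone_command(leaf["UUID"], "Windows 10 disk.vhd"))
```

Matching on a fragment of the Location path is deliberate: the base disk carries the VM name, and VirtualBox stores its differencing children under that VM's Snapshots directory, so one fragment selects the whole chain while leaving other VMs' disks out of the candidate set.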

Once complete, verify the size of the newly created disk image. It should be significantly smaller than the full 40GB capacity. As a critical step in maintaining evidence integrity, we must create a hash of the disk image:

Use the command:

shasum "Windows 10 disk.vhd" > "win10_disk_hash.txt"

This process may take some time due to the large file size.

Command to clone the virtual disk using VBoxManage:

VBoxManage clonehd [Unique Identifier of Disk Image] [Output File Name].vhd --format VHD

Command to list all hard disk drives registered in VirtualBox:

VBoxManage list hdds

Command to calculate and output the hash of the disk image:

shasum [Disk Image File] > [Output Hash File].txt

Replace [Unique Identifier of Disk Image] with the actual identifier of the disk image you are cloning, [Output File Name] with your desired file name for the cloned disk, and [Disk Image File] and [Output Hash File] with the respective file names for the disk image and the hash output file.

After hashing is complete, we can verify the contents of our hash files:

cat *.txt

This command displays the hashes for both our memory dump and disk image, giving us a verified baseline for our forensic analysis.
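A recorded hash only protects the evidence if the same value is recomputed and compared before every later examination. The script below is an added example for this page, not from the course; it uses Python's hashlib in place of the shasum command so it runs anywhere. It streams a file through SHA-1 (the default algorithm of shasum), writes the digest in the `<hex>  <filename>` layout that `shasum` prints and `shasum -c` reads, and re-verifies it, showing that a single changed byte in the image is caught. The disk image it hashes is a small constructed stand-in, not a real VHD.

```python
"""Hash an acquired disk image and verify it later, shasum-compatible.

Added example for this page (not course or VirtualBox code). The image
written by demo() is a constructed stand-in for the real VHD.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream the image in 1 MiB pieces, never load it whole


def hash_file(path, algorithm="sha1"):
    """Digest a file of any size; "sha1" matches shasum's default."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_file(image_path, hash_path, algorithm="sha1"):
    """Record the digest exactly as `shasum image > hashfile` would."""
    digest = hash_file(image_path, algorithm)
    with open(hash_path, "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def verify_hash_file(hash_path, image_dir, algorithm="sha1"):
    """Recompute every digest listed in the hash file; return {filename: ok}."""
    results = {}
    with open(hash_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            # shasum separates digest and name with two spaces
            expected, _, name = line.partition("  ")
            actual = hash_file(os.path.join(image_dir, name), algorithm)
            results[name] = (actual == expected)
    return results


def demo():
    """Constructed walk-through: hash, verify, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "Windows 10 disk.vhd")
        with open(image, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 64)  # stand-in image, constructed
        hash_path = os.path.join(d, "win10_disk_hash.txt")
        write_hash_file(image, hash_path)
        clean = verify_hash_file(hash_path, d)
        # Alter one byte, as an accidental write to the evidence copy would.
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(b"\xff")
        tampered = verify_hash_file(hash_path, d)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before change:", before)
    print("after change: ", after)
```

Pass `algorithm="sha256"` to the same functions to produce and check files in the format of `shasum -a 256`, which is the stronger choice when a chain-of-custody record will be relied on for years.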

With these steps completed, we now have all the necessary evidence securely acquired and hashed, ready for in-depth forensic analysis.
