
I am currently in the middle of an analysis in Autopsy of a virtual machine (VMware) that has been hacked. I have mounted the VM and I am acquiring the evidence from VMware to my physical machine (Windows 10).

I am trying to do a Logical File Acquisition of certain files and folders:

  • Windows Event Viewer Logs (Application, System, Security)
  • OpenSSH Logs
  • Registry Keys
  • NTUSER.DAT
  • system32/config/SAM

However, the file permissions Windows has set are making it difficult for me to get hold of any of this. I don't want to run a full physical acquisition as I'm only after certain artefacts.

Any recommendations would be appreciated greatly.

C.Mann

1 Answer

Well, first and foremost, you've already screwed up by mounting the VM, which will have written to it as a side effect of mounting. Hopefully this is a copy?

Second, acquiring a logical copy is always a mistake if you don't have to due to constraints that prevent a physical copy.

All of your problems go away with a physical acquisition. Even though it's a VM you can still do a physical acquisition and it's dirt simple:

1. Run Autopsy

2. Target the VM .vmdk as the acquisition.

Done!

If you're still determined to do a selected logical acquisition, it's easiest to pull the target files via Linux.

user10216038
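As an added example, not from the original post or its author: assuming the VM's Windows volume has already been mounted read-only on Linux (the route the answer suggests, e.g. ntfs-3g on a raw image converted from the .vmdk), this bash script copies the artefacts the question lists, preserves their timestamps, and writes a SHA-256 manifest so the logical copy can be verified later. The artefact paths are the standard Windows locations, including the SYSTEM hive alongside SAM is an assumption, and the sample tree in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example: logical collection of selected Windows artefacts from a
# volume mounted READ-ONLY on Linux. Never point this at a live/writable mount.
set -euo pipefail

# Relative paths (from the volume root) of the artefacts to collect.
# Wildcards are expanded inside collect_artifacts. Assumed standard locations.
ARTIFACT_PATTERNS=(
  'Windows/System32/winevt/Logs/Application.evtx'
  'Windows/System32/winevt/Logs/System.evtx'
  'Windows/System32/winevt/Logs/Security.evtx'
  'ProgramData/ssh/logs/*.log'         # OpenSSH for Windows server logs
  'Windows/System32/config/SAM'
  'Windows/System32/config/SYSTEM'     # assumption: hive needed to decode SAM
  'Users/*/NTUSER.DAT'                 # every user profile's hive
)

# collect_artifacts SRC DEST
# Copies each matching file under SRC into DEST keeping its relative path and
# timestamps (cp -p), and appends "sha256  relative/path" to DEST/manifest.sha256.
# Prints the number of files collected.
collect_artifacts() {
  local src="$1" dest="$2" count=0 pat f rel
  mkdir -p "$dest"
  : > "$dest/manifest.sha256"
  shopt -s nullglob                     # unmatched patterns expand to nothing
  for pat in "${ARTIFACT_PATTERNS[@]}"; do
    for f in "$src"/$pat; do            # $pat unquoted so its wildcards expand
      [ -f "$f" ] || continue
      rel="${f#"$src"/}"
      mkdir -p "$dest/$(dirname "$rel")"
      cp -p "$f" "$dest/$rel"
      # hash from inside DEST so the manifest holds relative paths
      ( cd "$dest" && sha256sum "$rel" ) >> "$dest/manifest.sha256"
      count=$((count + 1))
    done
  done
  shopt -u nullglob
  echo "$count"
}

# verify_manifest DEST -> exit 0 only if every collected file still matches
verify_manifest() {
  ( cd "$1" && sha256sum -c --quiet manifest.sha256 )
}
```

Run as `collect_artifacts /mnt/evidence /cases/vm01/logical` after sourcing the script; re-run `verify_manifest` on the output directory before loading it into Autopsy as a logical files data source.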