Getting Ready for a Shadow Volume Exam

We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM basically is the same as installing a operating system from scratch, and I’ll  go over the basic steps in the following video.

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc.  I have a library of operating systems on ISOs, as they come in handy.  Please be mindful of licensing requirements.  I didn’t install a network adapter, but will do so later.  I use as much RAM as I can afford, and you can experiment.  RAM can be adjusted from a powered off state.  I like using a single, growable disk for my VM.  For the most part, I set up the system as I like.  I turn off User Account Control, but we must leave System Protection enabled.  I also set my folder view options to allow access to hidden and system files.  Remember that you can use snapshots to protect the state of your VM.  Below is a screenshot of my VM.  I keep my frequently used tools on the desktop.  Be sure to include a shortcut to the command prompt, and be set it to run in administrator mode.

For you X-Ways users, you can configure your options as you do normally.  Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested.  Remember that XWF, as most forensic suites, is USB dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.

 If you have more than one Feitian dongle as in the screenshot, you’ll have to experiment to find the correct dongle.  Then, connect it to the VM (Disconnect from host).  Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice.  The easiest thing to do is close the host instances of XWF before you work in the SEAT application.  Of course, if you have more than one dongle, you can work simultaneously in both environments.  Note that you can install any USB devices that you wish by using the same procedure.

Note, too, that our SEAT workstation is portable. At the moment, my VM is about 18GB, so it’s easily copied to another forensic workstation or USB drive.  In the next post, I’ll review how we mount the target VM in out SEAT workstation and begin an exam.

4 comments

  1. Derek Frawley says:

    Thanks for the vm creation tutorial.
    Do you have anything that will show how to do with E01 file(s) or multiple raw files.( as mentioned in the tutorial) Most of the images i have are E01 and takes too long to re-image.

  2. Scott Koehle says:

    Great Stuff, Jimmy. Thanks for taking the time to put this website together. Very Helpful.

    Scott Koehle, CFCE
    Altoona Police Department
    1106 16th St
    Altoona, PA 16601
    814-932-2588

Leave a Reply

Your email address will not be published. Required fields are marked *