![ProDiscover Basic image conversion](https://samsclass.info/121/proj/ppr5.png)
One of the things I mentioned in my new book was an alternative analysis method for performing computer forensic analysis. I specifically mentioned the use of Mount Image Pro for mounting a dd image as a read-only file structure, which opens up some areas of analysis that many may benefit from using.

For example, during an intrusion case, one thing you may want to do is scan the image with AV software. This may save you a great deal of time trying to locate hacker tools by hand. Also, this is something you may want to do when you are faced with the "Trojan Defense". Most often we do this through our forensic analysis software package, such as ProDiscover or EnCase.

Another thought/useful option is this - we all have things that we look for every time we open an acquired image of a Windows system, and there are other things that we look for on a case-by-case basis. However, even though these packages ship with scripts to do some initial data collection and parsing for us, sometimes they aren't as complete as they could be, or as we'd like them to be, and it takes forever to get scripts updated because the few folks that actually write their own scripts are busy with other things. Sometimes you may be in a rush or under pressure, and may forget something that you would normally look for. So what if we had a script or a tool that would run through an image, pulling things out for us each time, all automated so that we wouldn't have to remember all of the different places we could look, but at the same time it's all documented? Say, the tool would check to see if the Recycle Bin had been disabled, and then move on to parsing the INFO2 file for one user, or all users. Or, the tool would collect the audit policy from the system, check the Registry entries for the Event Logs, and then collect statistics from the Event Log files themselves, or automatically parse the Event Log files to. Would that be useful?

Another use of something like this is for forensic analysis training. Mounting the image as a drive letter lets you dig into aspects of forensic analysis that, while accessible via commercial forensic analysis applications, may be somewhat easier to grasp and work with, particularly for new students, or junior members of an IR/CF team or CSIRT.

Okay, so now, how do we do this? How do we start with just a dd image, and get to a read-only drive letter (i.e., F:\, G:\) so that we can point an AV scanner or some other tool at it? To get the dd image to begin with, you can use ProDiscover, Helix, straight dd, or even FTK Imager Lite. If you're using ProDiscover, you can use Tools -> Image Conversion Tools -> VMWare Support for DD Images.