Live View: A New View on Forensic Imaging - withani.net · 2018-07-14 · software used was FTK...


Live View: A New View On Forensic Imaging

Matthiew Morin

Champlain College


Executive Summary

The main purpose of this paper is to provide an analysis of the forensic imaging tool known as Live View. This analysis includes an introduction to the program, a demonstration and description of its functionality, and finally the benefits of the program and how it will have a future impact on the digital forensics industry. The paper also includes a brief overview of past and current forensic imaging techniques and how they compare with the use of Live View to conduct a forensic analysis of a system.

The concept of virtualization of computer systems has been around for a number of years now, but it has been quickly gaining popularity throughout various computer-related industries. In many industries virtualization can help reduce energy costs and save space; in the forensic field, however, virtualization is able to support an entirely different role. Running a computer system in a virtual environment can be extremely beneficial from a forensic perspective, mainly because the system can be easily isolated from many variables and easily restored to a previous state.

Live View takes the convenience and efficiency of virtualization one step further by allowing current forensic imaging tools and practices to interface with a virtual environment, such as one found in VMware. Live View allows a raw disk image or a physical disk to be converted to a virtual image and accessed through VMware just as if the system were actually running, all without modifying any of the data found on the disk or image.


Acknowledgments

This paper is a product of research and testing scenarios; however, it may also act as an introduction and guide to the Live View software. For the scope of this paper, the only operating system tested and analyzed was Microsoft Windows XP Service Pack 2; however, Live View supports versions of Microsoft Windows from Windows 98 to Windows Server 2008, including the Microsoft Server operating systems. The Live View version used during the research for this paper was 0.7b, the most current version at the time of research. The imaging software used was FTK Imager Version 3.1.0 and the version of VMware used was Version 7.0.

The Microsoft Windows XP machine was configured as a VMware machine in order to keep the size of the forensic image low and reduce the time needed to create the initial image. In addition, the machine was imaged in a live environment; however, no changes were documented, as there was to be no forensic analysis of the machine. The image was used only to verify that Live View would convert a raw disk image to a virtual machine.


Disk Imaging

Perhaps one of the most important steps in the process of digital forensics is the process of data mirroring, more commonly known as disk imaging. While all of the steps in the forensic process need to function together to correctly conduct a forensic investigation, disk imaging plays the most pivotal role in the entire process. There are many ways to define disk imaging; however, a few widely accepted definitions have emerged as the field of digital forensics has grown. Jim Bates, the Technical Director of Computer Forensics Ltd, defines disk imaging as: “An image of the whole disk [copied]. This [is] regardless of any software on the disk and the important point [is] that the complete content of the disk [is] copied including the location of the data. Disk imaging takes a sector-by-sector copy usually for forensic purposes and as such it will contain some mechanism…to prove that the copy is exact and has not been altered. It does not necessarily need the same geometry as the original as long as arrangements are made to simulate the geometry if it becomes necessary to boot into the acquired image” (Saudi 3). It is the process of disk imaging that allows a forensic investigator to view the contents of a storage medium or computer without altering the original data in any way.

The process of disk imaging can be described in three general steps. The first step is to acquire the original storage media; this can be any number of pieces of evidence collected from a secured crime scene. The storage media can be a Compact Disc (CD), a USB flash drive, an internal hard drive or any other hardware that can be used to store digital data. The next step in the process is to create an image of the storage media. At this step, the forensic investigator can approach the imaging process in one of two ways: the investigator can create a bit-for-bit copy or a bit-stream copy of the original storage media. The details of these two options are discussed at a later point in this paper. Additionally at this stage, the forensic investigator should also choose the proper storage media that will contain the forensic image. When deciding this, the investigator should take into account the size of the image file, the time needed to create the image and the duration of the investigation. The third and final step of the disk imaging process is to verify the image of the original storage media. In this step the forensic investigator compares the cryptographic hash values of both the original storage media and the newly created image. In addition, the investigator will also verify the chain of custody. “The phrase ‘chain of custody’ refers to the accurate auditing and control of original evidence material that could potentially be used for legal purposes…there should be accurate logs tracking the movement and possession of evidence material at all times” (Gast).
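The verification step above, hashing both the source media and the new image and recording the result in the custody log, as an added example written for this paper (not FTK Imager or Live View code); the hash algorithms, the log line format and the sample data are assumptions:

```python
"""Verify a forensic image against its source and append a chain-of-custody entry.

Added example, not Live View or FTK Imager code. Hash algorithms and the
log format are this example's assumptions; a real workflow would compare
against the hashes the imaging tool recorded in its acquisition report.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images don't fill memory


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests of a file in one pass. Returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path, algorithms=("md5", "sha1", "sha256")):
    """Return (ok, details). ok is True only when sizes agree and every
    digest matches; details lists each check's result for the log."""
    if os.path.getsize(source_path) != os.path.getsize(image_path):
        return False, {"size": "MISMATCH"}
    src = hash_file(source_path, algorithms)
    img = hash_file(image_path, algorithms)
    details = {name: ("match" if src[name] == img[name] else "MISMATCH")
               for name in algorithms}
    return all(v == "match" for v in details.values()), details


def custody_entry(examiner, source_path, image_path, ok, details):
    """One chain-of-custody log line: who verified what, when, and the result."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    status = "VERIFIED" if ok else "FAILED"
    checks = ",".join(f"{k}={v}" for k, v in details.items())
    return f"{stamp} {examiner} verify source={source_path} image={image_path} {status} {checks}"


def demo():
    """Constructed data: a 3 MiB 'disk' of patterned bytes, one faithful image
    of it and one image with a single altered byte. Returns (ok_good, ok_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "suspect_disk.bin")
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        data = bytes(range(256)) * (3 * 4096)          # 3 MiB, spans several chunks
        altered = data[:-1] + b"\x00"                   # last byte 0xFF -> 0x00
        for path, content in ((disk, data), (good, data), (bad, altered)):
            with open(path, "wb") as fh:
                fh.write(content)
        ok_good, det_good = verify_image(disk, good)
        ok_bad, det_bad = verify_image(disk, bad)
        print(custody_entry("examiner01", disk, good, ok_good, det_good))
        print(custody_entry("examiner01", disk, bad, ok_bad, det_bad))
        return ok_good, ok_bad


if __name__ == "__main__":
    demo()
```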

As mentioned above, there are two options that the forensic investigator must decide between when creating a forensic image: a bit-for-bit image of the original data or a bit-stream image of the original data. It is important to note that while the ways in which these images are created differ slightly from one another, both are acceptable methods as defined by the National Institute of Standards and Technology (NIST). The first option, a bit-for-bit image, is perhaps the most ideal way to create an image of the storage media. A bit-for-bit image is an exact clone of the original storage media: the tool used to forensically image the storage media duplicates each individual bit and creates a file of raw data commonly known as a dd image. This form of image is commonly used for any type of storage media as well as for computers that were not found powered off at the crime scene. The second option, the bit-stream image, requires a different process of imaging. Instead of duplicating the original storage media bit-for-bit, it duplicates the original storage media cylinder-by-cylinder or sector-by-sector. While both of these methods provide an exact clone of the storage media, the bit-stream image, commonly known as a “live image,” is used to image a computer system that is powered on at the crime scene. This form of imaging becomes extremely useful when the storage media or system that needs to be imaged cannot be powered off or taken offline.


While there are many ways to simply copy files on computer systems, tools used to create a forensic image of a disk must meet specific requirements that have been adopted by NIST.

Table: The required features of a forensic imaging tool (NIST).

These requirements were created to help establish a standard for forensic imaging tools within the digital forensic field. They aim to ensure that forensic tools on the market are both technically and legally unflawed. They also ensure that the forensic tools released are able to obtain as much data as possible to aid the investigation and analysis of the acquired data.


Concerns and Issues

As the practice of digital forensics continues to grow throughout the industry, many professionals and individuals are gaining a deeper understanding of how a computer system operates and how the process of forensic imaging applies to an investigation; however, there are still issues and concerns about the forensic imaging process. One of the most pressing and important issues to address in regard to the forensic imaging process is the integrity and validity of the cloned image. “[The main concern with a] disk imaging tool is whether it produces a copy that is exactly the same as the original. Users scare that if they use disk imaging tools, it might alter the layout of the copy…in computer forensics, priority and emphasis are on accuracy and evidential integrity and security…it is essential to have a forensically sound copy from original evidence” (Saudi 4). It is possible for much of the digital data collected from a crime scene to be dangerously volatile, such that the data could easily become corrupt or altered. As such, NIST and other leading forensic organizations have created strict guidelines for a forensic investigation, which must be adhered to at all times. Not only do these guidelines ensure that the evidence stays secure and unaltered, but they also ensure that the investigation is legally flawless.

As the field of digital forensics has progressed over the past few years, there have been many advances in the techniques and tools used to protect the security and integrity of data acquired from a crime scene. These new tools and practices are constantly being reviewed and revised as new technologies are developed and current technologies and methods are adapted to fulfill the needs of forensic investigators. One example of a tool at the forefront of the digital forensics field is the forensic tool Live View.


Live View

In short, “Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk, [allowing] the forensic examiner to ‘boot up’ the image” (Live View). The Live View program features a simple and intuitive interface that accomplishes a vital technical task. The program can be extremely useful to a forensic investigator, as it allows them to run the computer system being examined exactly as it existed when it was imaged. The examiner is able to do all this without ever altering the forensic image. This unprecedented access is granted by a unique file that Live View generates when the VMware virtual machine is created from the image.

When the VMware virtual machine is powered on, all of the changes made to the virtual machine are written to a temporary “cover file.” VMware interprets this file as part of the original image and, as a result, no information is changed, written to or deleted from the forensic image. If the forensic investigator needs to revert to the original image, they need only clear the cover file generated by Live View. Additionally, Live View offers many other benefits and functions to a forensic investigator: it is not only able to create a virtual machine from a dd image, such as one created by a bit-for-bit clone, but it is also able to create a virtual machine from a physical disk image, such as one created from a bit-stream clone. In addition to an array of image options, Live View is also able to complete many technical tasks dealing with hardware compatibility and boot sectors. “Some of these [tasks] include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; created a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk” (Live View).
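The boot-sector tasks just quoted rest on one question: does the raw image begin with a whole-disk MBR, or is it a partition-only image that starts with a volume boot record and needs an MBR synthesized before it can boot? The following added example (written for this paper, not Live View's code) makes that distinction on the first 512 bytes of an image; the two sample sectors are constructed here, and the one-partition MBR layout it builds is an assumed minimal form, not Live View's actual output:

```python
"""Classify the head of a raw dd image as an MBR (partition table present) or a
volume boot record (partition-only image), and build a minimal MBR for the
latter case. Added example, not Live View code; sample sectors are constructed."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
# OEM IDs found at bytes 3..10 of common Windows volume boot records
OEM_IDS = {b"NTFS    ": "NTFS", b"MSDOS5.0": "FAT", b"MSWIN4.1": "FAT"}


def parse_partition_table(sector0):
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:                      # type 0x00 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": lba_count})
    return entries


def classify_image_head(sector0):
    """('mbr', partitions) for a whole-disk image, ('vbr', [fs]) for a
    partition-only image, ('unknown', []) otherwise."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        return "unknown", []
    if sector0[3:11] in OEM_IDS:            # a filesystem boot sector, no table
        return "vbr", [OEM_IDS[sector0[3:11]]]
    parts = parse_partition_table(sector0)
    if parts and all(p["lba_start"] > 0 and p["sectors"] > 0 for p in parts):
        return "mbr", parts
    return "unknown", []


def virtual_disk_sectors(parts):
    """Smallest virtual disk (in sectors) that holds every partition listed."""
    return max(p["lba_start"] + p["sectors"] for p in parts)


def build_single_partition_mbr(volume_sectors, ptype=0x07, lba_start=63):
    """Assumed minimal MBR: one bootable partition at lba_start, CHS fields set
    to 0xFFFFFF (LBA-only), no boot code. Used to wrap a partition-only image."""
    mbr = bytearray(SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF",
                        lba_start, volume_sectors)
    mbr[446:462] = entry
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def sample_mbr():
    """Constructed whole-disk MBR: one bootable NTFS (0x07) partition of 1 GiB at LBA 63."""
    return build_single_partition_mbr(volume_sectors=2_097_152, ptype=0x07, lba_start=63)


def sample_ntfs_vbr():
    """Constructed NTFS volume boot record: jump instruction, OEM ID, zeroed BPB."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)


if __name__ == "__main__":
    for name, head in (("whole disk", sample_mbr()), ("partition only", sample_ntfs_vbr())):
        kind, info = classify_image_head(head)
        print(name, "->", kind, info)
        if kind == "vbr":
            wrapped = build_single_partition_mbr(volume_sectors=2_097_152)
            print("  synthesized MBR classifies as", classify_image_head(wrapped)[0])
```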

Live View features a clean and intuitive interface that provides all of the configuration options necessary to ensure that the virtual machine is successfully created and the forensic image is in no way altered.


The Main Live View Window

The main Live View window presents all of the configuration options needed to create a virtual machine from the forensic image. Live View allows the investigator to manually set the amount of Random Access Memory (RAM) used on the virtual machine; this option helps mimic the original system as closely as possible. The system time option allows the examiner to set the time of the virtual machine to any desired time. This option is particularly important, as it can thwart an attack triggered by the system time reaching a certain point; such an attack is commonly known as a “time bomb attack.” Live View is also equipped with an automatic operating system detection feature; this feature detects the operating system present on the forensic image and creates the virtual machine based on that detection. Additionally, the investigator can manually select the operating system to install on the virtual machine.


The next feature allows the investigator to select the source of the image; this can be either a raw dd image or an image on a physical disk. The next option prompts the investigator for the output location of the VMware virtual machine files; this location can be anywhere on the host system or the network it is connected to. The final option allows the investigator either to create the virtual machine files and launch the virtual machine, or to create only the virtual machine files and launch it later. The final step is to click the ‘Start’ button.

When the start button is clicked the investigator is prompted with this dialogue box:

Live View Read-Only Setting Dialogue Box

This prompted option provides an additional layer of security on top of the cover file. In the unlikely case that the forensic image is accessed, this option makes writing to or changing the forensic image impossible; since all changes are written to the cover file above the virtual machine, it is unlikely that the forensic image would ever be accessed.


After the virtual machine configuration options are properly set, Live View commences the creation of the VMware virtual machine. The box entitled “Messages” at the lower part of the main Live View window displays the current configuration step as well as any errors that occurred during the creation of the virtual machine.

Live View Message Window

Once Live View has successfully created the virtual machine configuration files, it automatically launches the VMware application and powers on the created virtual machine.


One of the most useful and intriguing features of the Live View program is its ability to easily revert to the original state of the forensic image that the virtual machine was created from. When a forensic investigator configures a virtual machine using Live View, the program searches the host system for other instances of virtual machines created with that forensic image and prompts the investigator with the options to continue working with the virtual machine or to start over.

Previously Launched Image Dialogue Box

The ‘Continue’ option launches the last instance of a virtual machine created with that image from the point at which it was terminated. The ‘Start Over’ option clears the cover file that the changes were written to, giving the forensic investigator a new, unaltered instance of the forensic image.
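The cover-file mechanism described in this section and in the earlier "Live View" section (writes go to an overlay above a read-only base, ‘Continue’ reloads that overlay, ‘Start Over’ discards it) as an added sector-level copy-on-write model written for this paper; it is not VMware's redo-log format or Live View code, and the 512-byte sector size, the overlay record layout and the file names are assumptions:

```python
"""Copy-on-write model of Live View's 'cover file': the base image is opened
read-only, every guest write lands in an overlay keyed by sector number,
'Continue' reloads the overlay and 'Start Over' deletes it. Added example,
not VMware's format and not Live View code; record layout is assumed."""
import hashlib
import os
import tempfile

SECTOR = 512


class CoverFileDisk:
    """Read-only base image plus a dict of overridden sectors (the cover file)."""

    def __init__(self, base_path, cover_path):
        self.base = open(base_path, "rb")          # never opened for writing
        self.cover_path = cover_path
        self.cover = {}                            # sector index -> 512 bytes
        if os.path.exists(cover_path):             # 'Continue' a previous session
            self._load_cover()

    def _load_cover(self):
        with open(self.cover_path, "rb") as fh:
            while rec := fh.read(8 + SECTOR):      # assumed record: u64 index + data
                self.cover[int.from_bytes(rec[:8], "little")] = rec[8:]

    def read_sector(self, idx):
        if idx in self.cover:
            return self.cover[idx]
        self.base.seek(idx * SECTOR)
        return self.base.read(SECTOR).ljust(SECTOR, b"\x00")

    def write_sector(self, idx, data):
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        self.cover[idx] = bytes(data)              # the base file is untouched

    def flush(self):
        """Persist the overlay so a later session can 'Continue'."""
        with open(self.cover_path, "wb") as fh:
            for idx, data in sorted(self.cover.items()):
                fh.write(idx.to_bytes(8, "little") + data)

    def start_over(self):
        """'Start Over': drop the overlay; the pristine image is back."""
        self.cover.clear()
        if os.path.exists(self.cover_path):
            os.remove(self.cover_path)

    def close(self):
        self.base.close()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def demo():
    """Constructed 4-sector image (sector i filled with byte i). Returns
    (base_unchanged, byte_in_session, byte_after_continue, byte_after_start_over)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "suspect.dd")
        cover = os.path.join(tmp, "suspect.cover")
        with open(base, "wb") as fh:
            fh.write(b"".join(bytes([i]) * SECTOR for i in range(4)))
        before = sha256_file(base)

        vm = CoverFileDisk(base, cover)
        vm.write_sector(2, b"\xAA" * SECTOR)       # guest modifies sector 2
        in_session = vm.read_sector(2)[0]
        vm.flush()
        vm.close()

        vm = CoverFileDisk(base, cover)            # 'Continue': overlay reloaded
        after_continue = vm.read_sector(2)[0]
        vm.start_over()                            # 'Start Over': overlay discarded
        after_reset = vm.read_sector(2)[0]
        vm.close()
        return before == sha256_file(base), in_session, after_continue, after_reset


if __name__ == "__main__":
    print(demo())
```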


Comparison

As mentioned earlier in this paper, the tool set used to conduct a digital forensic investigation in a virtual environment is limited and very specific. There are only a few tools available that can create a virtual machine out of an acquired forensic image and maintain a precise level of data integrity. In terms of comparison to the functionality of Live View, two tools in particular are worth mentioning: Mount Image Pro and Virtual Forensic Computing (VFC), both developed by Get Data Software Development Company.

Mount Image Pro is not specifically a virtual environment, in that it does not create a virtual machine that can be started and examined; rather, it mounts a forensic image as a readable disk on the host machine. With an image mounted in such a way, the host operating system is able to interact with it as if it were a secondary disk physically attached to the computer. This technique provides many advantages for a forensic examiner; for example, the examiner could browse through the file structure looking for suspiciously named files and retrieve them from the image. Additionally, other forensic tools and programs can be run against the mounted image, including virus and malware scanners and file recovery tools.

Similar to Live View, Mount Image Pro is able to mount a full array of file types, including EnCase images and dd images as well as virtual machine files such as VMware and Microsoft Virtual PC. Additional functionality comes from the ability to mount a Redundant Array of Independent Disks (RAID) configuration, to display unallocated disk space and to show deleted files present within the forensic image.

Of course, Mount Image Pro is able to provide this functionality while still maintaining the complete integrity of the data; however, the ability to run tools against the image and examine the file structure at a fairly basic level is the upper limit of the functionality the program can provide. In order to create an environment comparable to Live View, the VFC program must work in conjunction with Mount Image Pro. Additionally, Mount Image Pro is a commercial piece of software developed and distributed exclusively by Get Data Software Development Company. As a result, it is necessary to pay a fee to obtain a license to use the program; this also means that the source code of Mount Image Pro is not readily available and cannot be accessed or modified.

As mentioned above, two programs, Mount Image Pro and VFC, must be used to create an environment comparable to Live View. The second component, VFC, is the software that interprets the mounted image and creates a virtual machine file from that data. VFC is a quick and responsive program that can start an image mounted by Mount Image Pro using VMware. Just as with Live View, the forensic data remains completely unaltered, and the examiner can change various settings of the virtual machine to create an optimal investigation environment. In addition to many features similar to Live View, VFC offers a few extra features that can greatly increase the efficiency of a forensic investigation. One such feature is the ability to overwrite the password of a user account on the virtual machine. This saves a large amount of time, as it eliminates the need for the investigator to get the password from the suspect or spend time cracking the password with a third-party program. However, similar to Mount Image Pro, VFC requires a commercial license purchased through Get Data, and its source code is not readily available.

Taking all of these facts into consideration, it is apparent that both Live View and Get Data’s two programs are reputable platforms from which to conduct a forensic investigation. When determining which set of software to use, there are a few important points to remember. First, Live View is an open source program licensed under the GNU Public License. This means that Live View’s source code can be examined and tweaked by members of the professional community to provide further enhancements to the program; additionally, Live View is available at no cost to the user. Second, VFC contains an extra set of features over Live View that may be desirable to some forensic investigators; such features can overcome some of the most difficult problems encountered during a forensic investigation. Finally, Live View is able to run without any supporting software, with the exception of Java and VMware. VFC requires Mount Image Pro to even begin examining a forensic image, and both have to be activated with a commercial license.


Conclusion

There has been much skepticism and caution around the forensic imaging process, as it is crucial to ensure that no evidence is destroyed or modified in the collection and analysis of the evidence. As the digital forensics field continues to grow and the demand for digital forensic investigations increases, forensic investigators are forced to find more efficient and secure ways of collecting and analyzing the data involved in an investigation. One tool at the forefront of forensic analysis is the program Live View. This tool allows a forensic investigator to create a VMware virtual machine from a forensic image and access the image without ever changing any data in the forensic image, providing the investigator with unprecedented access to the image.


Definitions

Digital Forensics: A sub-division of forensic science, also known as computer and network forensics, considered to be the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strong chain of custody for the data.

Disk image: A virtual representation of a real disk drive.

Forensic Science: Generally defined as the application of science to the law.

Host Machine: The physical computer hardware and operating system that a virtual machine is run on.

Master Boot Record (MBR): The data found at the beginning of a storage device that initiates the startup process of a computer system.

Random Access Memory (RAM): A piece of computer hardware that is responsible for temporarily storing data that is to be quickly accessed by other hardware components.

Redundant Array of Independent Disks (RAID): A configuration of two or more disks that stores data across all disks present in the array. This configuration can be used to achieve quicker read and write times as well as to create a redundant set of data.

Storage Media: Any form of electronic device that can contain or store electronic data. Storage media is a general term for a large variety of devices which include, but are not limited to: hard drives, USB storage devices, CD-ROMs, DVD-ROMs, floppy disks, etc.

The National Institute of Standards and Technology (NIST): A federal technology agency that works with industry to develop and apply technology, measurements and standards.


Virtual Machine: A simulated environment created by virtualization.

Virtualization: The simulation of the software and/or hardware upon which other software runs. This simulated environment is called a virtual machine (VM).


Works Cited

Brown, Christopher L. T. "Imaging Methodologies." Computer Evidence: Collection and Preservation. 2nd ed. Boston, MA: Charles River Media/Cengage Learning, 2010. 267-93. Print.

Digital Data Acquisition Tool Specification. Tech. National Institute of Standards and Technology, 4 Oct. 2004. Web. 10 Dec. 2011. <http://www.cftt.nist.gov/Pub-Draft-1-DDA-Require.pdf>.

Gast, Ty. "Forensic Data Handling." Forensic Data Handling. Cybertrust, Inc. Web. 10 Dec. 2011. <http://www.bizforum.org/whitepapers/cybertrust-1.htm>.

Kent, Karen, Suzanne Chevalier, Tim Grance, and Hung Dang. "Guide to Integrating Forensic Techniques into Incident Response." Nist.gov. The National Institute of Standards and Technology, Aug. 2006. Web. 21 July 2012. <http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf>.

Mamoun, Sitalakshmi Venkatraman, and Paul Watters. "Effective Digital Forensic Analysis of the NTFS Disk Image." UbiCC Journal 4.3 (2009). Ubiquitous Computing and Communication Journal. UbiCC, 2009. Web. 10 Dec. 2011. <http://www.ubicc.org/files/pdf/3_371.pdf>.

"Mount Image Pro V5 - Forensic Software (Released May 2012)." Computer Forensics Software: Mount EnCase Images and DD Images. Get Data Software Development Company, n.d. Web. 26 July 2012. <http://www.mountimage.com/>.

Saudi, Madihah Mohd. An Overview of Disk Imaging Tool in Computer Forensics. Tech. System Administration, Networking, and Security Institute, 2001. Web. 10 Dec. 2011. <http://www.sans.org/reading_room/whitepapers/incident/overview-disk-imaging-tool-computer-forensics_643>.

Scarfone, Karen, Murugiah Souppaya, and Paul Hoffman. "Guide to Security for Full Virtualization Technologies." Nist.gov. The National Institute of Standards and Technology, Jan. 2011. Web. 21 July 2012. <http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf>.

"Virtual Forensic Computing (VFC): Boot Mounted EnCase Images." Virtual Forensic Computing. Use VFC to Boot EnCase or DD Forensic Evidence Files. Get Data Software Development Company, n.d. Web. 01 Aug. 2012. <http://www.virtualforensiccomputing.com/>.