Tool: Live View

The popular security organization CERT released a new forensic analysis tool for Windows: Live View.

As I have said on many occasions, virtualization is one of the best tools a security professional could ever have.

In particular, forensic analysis benefits greatly from the ability of virtualization to take a copy of a whole physical server and boot that image in a virtual machine without altering the original. This process is usually called physical to virtual (P2V) migration.

So, almost by chance, Live View is both a great analysis tool for forensic professionals (note that it is not an acquisition tool: it needs an image that has already been taken) and a great P2V tool for virtualization professionals.

It works on any raw image taken with the Unix tool dd, or on a directly attached disk (if you decided to remove it from the physical machine), and boots it as a virtual disk with VMware Server, Workstation or Player.

It automatically creates a virtual machine with the Ethernet adapter disconnected (for security reasons, but also handy to avoid network conflicts with the still-running original) and a snapshot, so that writes made by the booted guest never reach the original image. Even so, hash the image before and after the session: a matching hash is the only proof you can show that the evidence was not altered.

As I said, Live View needs an existing disk image. So the problem for some virtualization professionals is how to generate one.

Among the many available tools I suggest one which satisfies the following requirements:

  • works as a liveCD (nothing is installed on the source machine, and it boots on the large majority of existing hardware)
  • is small and fast (to reduce hardware requirements and boot time)
  • supports a wide range of disk technologies (IDE, SATA, SCSI), disk controllers (ISA, PCI) and disk configurations (RAID)
  • automatically detects the physical disks on the source machine without needing to mount them (simpler, faster, and exactly what you want when the image is evidence)
  • can send the generated image over the network (acquiring an IP address by DHCP or with manual configuration)
  • can write the generated image to a directly attached USB disk or upload it to a remote FTP server
  • is easy enough that you do not get lost in complex configuration and command strings

These requirements are all satisfied by the valuable g4u (ghost for unix) project, a customized NetBSD liveCD. One caveat: g4u gzip-compresses the images it uploads, while Live View expects the raw bytes that dd produces, so decompress the image before handing it over.
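The whole round trip, from a g4u upload to a VMware machine that boots the image without touching it, is worth seeing without the tools in the way. The script below is an added example and is neither Live View's nor g4u's code: it does by hand what Live View automates (wrapping a raw image in VMware's standard monolithicFlat descriptor, attaching it in non-persistent mode with the NIC disconnected) and adds the two checks the post hints at, decompressing a gzip image first and hashing the image before and after. The sample image is a constructed zero-filled file standing in for a dd image; the paths and the VM name are hypothetical.

```shell
#!/bin/sh
# Added example, not code from Live View or g4u. Assumes a POSIX shell,
# coreutils (dd, wc, gzip) and sha256sum or shasum. Paths are hypothetical.
set -eu

# g4u uploads gzip-compressed images (dd | gzip | ftp); Live View wants raw
# dd output. Decompress a .gz into its raw sibling and print the raw path.
prepare_raw() {
    case $1 in
        *.gz) gunzip -c "$1" > "${1%.gz}"; echo "${1%.gz}" ;;
        *)    echo "$1" ;;
    esac
}

# File size in bytes without GNU-only stat options.
image_bytes() { wc -c < "$1" | tr -d ' '; }

# sha256 of a file; run it before and after booting the guest and compare.
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Write a VMware "monolithicFlat" descriptor whose single extent is the raw
# image itself: nothing is converted or copied. $1 = raw image, $2 = .vmdk path.
write_flat_vmdk() {
    img=$1; out=$2
    sectors=$(( $(image_bytes "$img") / 512 ))
    cyl=$(( sectors / (16 * 63) ))           # legacy CHS geometry VMware expects
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description: the whole raw image as one flat extent
RW $sectors FLAT "$img" 0

# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
}

# Minimal .vmx: the disk is attached independent-nonpersistent, so guest
# writes go to a redo log and the image stays untouched, and the NIC starts
# disconnected, mirroring the two defaults the post describes.
write_vmx() {
    vmdk=$1; out=$2; name=$3
    cat > "$out" <<EOF
config.version = "8"
virtualHW.version = "4"
displayName = "$name"
guestOS = "winxppro"
memsize = "512"
ide0:0.present = "TRUE"
ide0:0.fileName = "$vmdk"
ide0:0.mode = "independent-nonpersistent"
ethernet0.present = "TRUE"
ethernet0.startConnected = "FALSE"
EOF
}

# Constructed sample input: a 2 MiB zero-filled file plays the dd image.
# Prints "<hash before> <hash after>" so a caller can compare the two.
demo() {
    dir=$(mktemp -d)
    img="$dir/evidence.raw"
    dd if=/dev/zero of="$img" bs=1024 count=2048 2>/dev/null
    before=$(image_hash "$img")
    write_flat_vmdk "$img" "$dir/evidence.vmdk"
    write_vmx "$dir/evidence.vmdk" "$dir/evidence.vmx" "evidence-p2v"
    after=$(image_hash "$img")
    echo "$before $after"
}
```

In practice you would run `prepare_raw` on the file g4u uploaded, record the hash, point `write_flat_vmdk` at the raw image, open the `.vmx` in VMware, and recompute the hash once you are done; the redo log created by the non-persistent mode is the only file that should have changed.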

Both g4u and Live View are free of charge.