The 10 Minute Guide to Forensics and Virtualization (Ubuntu/VBox style)

By Andrew Hoog

While virtualization is a key technology in the infrastructure of many enterprises, it is essential in the operation of a digital forensic organization.  Virtualization can be used in a number of ways, including:

– Return the analyst workstation to a validated state for each investigation

– Data recovery, by attaching a dd image of a drive as a secondary drive on a VM and running recovery software

– Booting a dd image (similar to LiveView)

– Application and system profiling/footprinting, essentially applying the scientific method

– Developing virtual appliances for specific functions (e.g. an Android forensics appliance)

And these are just a few examples.  I’m sure many of you have additional uses you can share.  This brief article will share with you our experiences in this area.

Selecting a virtualization solution

There are many virtualization solutions available, both commercial and non-commercial.  One of the best known is VMware, which offers a full suite of products ranging from the free VMware Player to fully redundant enterprise solutions.  Another software giant in the virtualization game is Microsoft, which offers everything from desktop (Virtual PC) to enterprise (Hyper-V) solutions, and many in between.  On the Apple platform, the two primary options are VMware Fusion and the Parallels suite of products.  And on the Linux side there are a number of options, including KVM, Xen and VirtualBox.

After much testing, we ultimately chose VirtualBox by Oracle/Sun.  There were a number of reasons why we chose VirtualBox:

  1. KVM had serious performance issues on our computers (we did not identify the root cause)
  2. Xen was a more significant commitment in time and energy
  3. VirtualBox has a nice GUI, performed great, and has both an open source version and a commercial one.  It also provides a “headless” option, allowing us to forgo monitors.

Some folks could take issue with VirtualBox, or at least have their own favorite, and that’s fine.  But we chose VirtualBox, are quite happy with it, and so that’s what the rest of this article covers.  Our forensics workstations run a modified version of Ubuntu 10.04 Server.  They have 8GB of RAM and a couple of multi-core processors.

VirtualBox just released an update on June 7, 2010.  The 3.2.4 release is a maintenance release, but I like to see projects which are actively maintained and updated.  Additional details are available on the website.

Step by step guide

For a test project we had, we needed a Windows 2008 Server R2 64-bit VM.  Below are the steps you would follow on a computer running Ubuntu 10.04 Server 64-bit (the .iso for that platform is ubuntu-10.04-server-amd64.iso):

Create a blank VM

VBoxManage createvm --name Win2008SvrR2 --ostype Windows2008_64 --register

Add options, including full hardware virtualization support (the online VirtualBox manual at is indispensable)

VBoxManage modifyvm Win2008SvrR2 --memory 4096 --acpi on --boot1 dvd --nic1 bridged --usb on --usbehci on --vrdp on --vrdpport 3390 --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on --largepages on

Set up bridged networking using the first Ethernet card (eth0)

VBoxManage modifyvm Win2008SvrR2 --bridgeadapter1 eth0

Add an IDE controller (other options exist, such as SCSI and SATA; IDE seems to be the most used)

VBoxManage storagectl Win2008SvrR2 --name "IDE Controller" --add ide

Create and register the hard drive (.vdi)

VBoxManage createvdi --filename "/opt/vbox/HardDisks/win2008svrR2.vdi" --size 20000 --register

Attach the hard disk to the VM

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 0 --device 0 --type hdd --medium /opt/vbox/HardDisks/win2008svrR2.vdi

Attach the DVD to the VM (upload your OS installation .iso to the host machine first)

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/win2008svr.iso

Start the VM and install the OS (we recommend running this inside screen so the session is not killed on detach)

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

Connect to the new VM

Now that the new VM is booting up (and running the OS install), you need to connect to it.  To do so, you need an application which supports Remote Desktop Protocol (RDP).  On Windows computers, you can run the Remote Desktop Connection/Terminal Services client by going to Start -> Run, typing mstsc and pressing OK.  In the Computer: field, type the IP address of your Ubuntu server (the VM listens on the VRDP port set above, 3390).  The Linux and Apple platforms have similar RDP applications and the process is the same.  Complete the install of the operating system and reboot as needed.

Install VBox Additions

To enable shared folders, better video and USB support (if you downloaded/bought the PUEL edition), you need to install the VBox Additions.

VBoxManage registerimage dvd ~/VBoxGuestAdditions_3.2.0.iso

VBoxManage storageattach Win2008SvrR2 --storagectl "IDE Controller" --port 1 --device 0 --type dvddrive --medium ~/VBoxGuestAdditions_3.2.0.iso

The DVD should now be mapped in the VM.  You can remote into the VM using the directions above, or determine the IP address of the VM itself, ensure RDP is enabled in the guest, and remote into the computer directly.  From there, double-click the DVD, run the VBox Additions installer and reboot.

Add shared folders

Make sure the Windows guest OS is shut down, then type the following on the Ubuntu server:

VBoxManage sharedfolder add Win2008SvrR2 --name "mnt" --hostpath "/mnt" --readonly

VBoxManage sharedfolder add Win2008SvrR2 --name "ahoog" --hostpath "/home/ahoog"

Restart the VM with the following command:

VBoxHeadless -startvm Win2008SvrR2 -p 3390 &

Then connect to the VM directly as described above.  To access the new shared folders, use a UNC path: go to Start -> Run, type \\VBoxSvr and press OK.  You will then see the list of shared folders.

Connect USB devices

If you purchased the enterprise version, or are simply evaluating the PUEL (Personal Use and Evaluation License) version, you can connect USB devices.  The documentation was not clear, but we determined the necessary steps.

Add the usbusers group

sudo addgroup usbusers

Add each user

Then, you need to add each local user that might run VirtualBox to the usbusers group:

sudo usermod -a -G usbusers ahoog
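The steps above, collected into one script so the whole build can be reviewed before anything is executed; this is an added example, not a script from the article or from the VirtualBox project. It uses the article's VM name, paths, RDP port, interface and user name as defaults, and assumes the VirtualBox 3.2-era VBoxManage syntax the article uses (it calls createhd, the 3.x name for createvdi, with the same --filename/--size/--register options). With DRY_RUN=1 (the default) every command is only printed; set DRY_RUN=0 to run it on the host.

```shell
#!/bin/sh
# Added example script (not from the article): the VirtualBox build steps as
# reviewable functions. Defaults are the article's values; override via the
# environment. DRY_RUN=1 prints each command instead of executing it.
set -eu

VM_NAME="${VM_NAME:-Win2008SvrR2}"
VDI_PATH="${VDI_PATH:-/opt/vbox/HardDisks/win2008svrR2.vdi}"
OS_ISO="${OS_ISO:-${HOME:-/root}/win2008svr.iso}"
GA_ISO="${GA_ISO:-${HOME:-/root}/VBoxGuestAdditions_3.2.0.iso}"
RDP_PORT="${RDP_PORT:-3390}"
BRIDGE_IF="${BRIDGE_IF:-eth0}"
VBOX_USER="${VBOX_USER:-ahoog}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: register the VM and apply the hardware options from the article.
create_vm() {
  run VBoxManage createvm --name "$VM_NAME" --ostype Windows2008_64 --register
  run VBoxManage modifyvm "$VM_NAME" --memory 4096 --acpi on --boot1 dvd \
    --nic1 bridged --bridgeadapter1 "$BRIDGE_IF" --usb on --usbehci on \
    --vrdp on --vrdpport "$RDP_PORT" --clipboard bidirectional --pae on \
    --hwvirtex on --hwvirtexexcl on --vtxvpid on --nestedpaging on --largepages on
}

# Step 2: IDE controller, a 20000 MB disk on port 0, the install ISO on port 1.
# createhd is the 3.x name of createvdi (assumption: same options accepted).
attach_storage() {
  run VBoxManage storagectl "$VM_NAME" --name "IDE Controller" --add ide
  run VBoxManage createhd --filename "$VDI_PATH" --size 20000 --register
  run VBoxManage storageattach "$VM_NAME" --storagectl "IDE Controller" \
    --port 0 --device 0 --type hdd --medium "$VDI_PATH"
  run VBoxManage storageattach "$VM_NAME" --storagectl "IDE Controller" \
    --port 1 --device 0 --type dvddrive --medium "$OS_ISO"
}

# Step 3: boot headless inside a detached screen session, as the article suggests.
start_vm() {
  run screen -dmS "$VM_NAME" VBoxHeadless --startvm "$VM_NAME" --vrdpport "$RDP_PORT"
}

# Step 4 (after the OS install): swap the Guest Additions ISO into the DVD slot.
attach_guest_additions() {
  run VBoxManage storageattach "$VM_NAME" --storagectl "IDE Controller" \
    --port 1 --device 0 --type dvddrive --medium "$GA_ISO"
}

# Step 5 (guest powered off): evidence mount read-only, home directory read-write.
add_shared_folders() {
  run VBoxManage sharedfolder add "$VM_NAME" --name mnt --hostpath /mnt --readonly
  run VBoxManage sharedfolder add "$VM_NAME" --name "$VBOX_USER" --hostpath "/home/$VBOX_USER"
}

# Step 6: USB pass-through group membership (PUEL/enterprise edition only).
add_usb_access() {
  run sudo addgroup usbusers
  run sudo usermod -a -G usbusers "$VBOX_USER"
}

# Refuse to re-create a VM that is already registered (only checked when really running).
vm_exists() {
  VBoxManage list vms 2>/dev/null | grep -q "\"$VM_NAME\""
}

main() {
  if [ "$DRY_RUN" != "1" ] && vm_exists; then
    echo "VM $VM_NAME already registered; refusing to overwrite" >&2
    return 1
  fi
  create_vm
  attach_storage
  add_shared_folders
  add_usb_access
  start_vm
  echo "# after the OS install: run attach_guest_additions, then reboot the guest" >&2
}

main
```

Shared folders and the USB group are added before the first boot because both only require the guest to be powered off; the Guest Additions step stays separate because it is only useful once the OS install has finished. From a Linux client the resulting console can be reached with an RDP client such as rdesktop pointed at the host address and port 3390.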


There is much more to say about forensics and virtualization.  But, alas, cases are piling up and it will have to wait until the next installment of this article, which will begin to cover how to use your shiny new VBox virtual machine for some of the tasks I outlined at the start of this article.   If you are interested in additional how-to articles or information, check out my own blog at or feel free to contact me directly.

Andrew Hoog is a computer scientist, computer/mobile forensic researcher and Chief Investigative Officer at viaForensics. His company assists and trains law enforcement and provides innovative digital forensics solutions to corporations and attorneys. He is currently writing a book about Android Forensics and maintains the Android Forensics Wiki at



New Releases From Syngress

Syngress, by far the best publisher of digital forensics and general security books, has just released a new batch of books that are of great interest to all general forensics investigators and researchers. We have featured three of these books in our regular DFM competition as a prize for any subscriber answering the ‘really difficult’ security question posed by our editorial team. The three books up for grabs are:

  1. Virtualization and Forensics
  2. Digital Triage Forensics
  3. Digital Forensics for Network, Internet and Cloud Computing

All three topics are especially interesting, as these books cover the most prevalent of the emerging problems for the forensic analyst. File carving, imaging and the traditional use of products such as EnCase and FTK are still right at the top of the list when it comes to ‘things the digital forensic analyst does every day’; however, it has been recognized for a while now that cloud computing is just around the corner, and when computing power and storage move into the cloud, forensic investigation will be very different. We’ll be relying on software services and auditing services provided by cloud utility vendors, and with the ‘international’ issues that cloud suddenly introduces, such as ‘how do you get a warrant for data that is stored in a data center in India?’, it will certainly be an interesting future.

I would strongly recommend that you read Digital Forensics for Network, Internet and Cloud Computing by Terrence V. Lillard, Clint P. Garrison, Craig A. Schiller and James Steele, as this book really does cover a plethora of issues that we’ll all have to face, maybe sooner than we think.

Also, as a special offer, Syngress has offered the Digital Triage Forensics book at half price for a limited time. The following was posted on Twitter:

“Learn from the experts who coined the term Digital Triage Forensics. Get the book for 1/2 price w/ code 31884.”

Again, I’d certainly recommend this book and after reading through it (yes, I get these sent to me for review purposes so I have it on my desk as I type), it looks great. It’s written by the guys who coined the use of the word Triage in this context, so they know what they are talking about, and unlike many real technical books this one really does dig into the investigative techniques that should be used at the crime scene, including quite an interesting analysis of ‘Battlefield Crime Scenes’, where a triage approach is by far the only way to successfully approach the forensics problem.

Tony Campbell