Remotely listing and killing processes
tasklist.exe /S r01tdoty
taskkill.exe /S r01tdoty /IM bitcoin.exe
taskkill.exe /S r01tdoty /PID 2028
taskkill.exe /S r01tdoty /PID 2028 /F
Look at your VMX configuration file:
And then build the command-line:
kvm -drive file=zimbra-000001.vmdk,boot=on \
    -net nic,macaddr=00:0c:29:c3:93:b9 -net tap \
    -uuid 564d3f3d-3280-5bf2-9431-21c9b2c393b9
The UUID is optional, but it can matter to software that uses it for validation (e.g. Windows), and the same goes for the MAC address.
A second way is to convert the disk image:
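Building that command line from the .vmx, as an added Python example (not from the original post): it assumes the usual key = "value" layout with the disk under scsi0:0.fileName, the MAC under ethernet0.generatedAddress and the 16 raw BIOS UUID bytes under uuid.bios; the sample .vmx is constructed to reproduce the values above.

```python
import re
import shlex

# Constructed sample .vmx (added example); values chosen to match the post's command line.
SAMPLE_VMX = '''
.encoding = "UTF-8"
config.version = "8"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "zimbra-000001.vmdk"
ethernet0.present = "TRUE"
ethernet0.generatedAddress = "00:0c:29:c3:93:b9"
uuid.bios = "56 4d 3f 3d 32 80 5b f2-94 31 21 c9 b2 c3 93 b9"
'''

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the .vmx as a dict; VMware treats keys case-insensitively, so lower them."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def bios_uuid_to_kvm(raw):
    """'56 4d ... b9' (16 hex bytes, one '-' in the middle) -> 8-4-4-4-12 UUID string.
    Raises ValueError when the field does not hold exactly 16 bytes."""
    hexbytes = "".join(raw.replace("-", " ").split()).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", hexbytes):
        raise ValueError("uuid.bios is not 16 hex bytes: %r" % raw)
    return "-".join((hexbytes[0:8], hexbytes[8:12], hexbytes[12:16], hexbytes[16:20], hexbytes[20:32]))

def kvm_command(cfg, disk_key="scsi0:0.filename", nic="ethernet0"):
    """Assemble the argv list; macaddr and -uuid are added only when the .vmx has them."""
    argv = ["kvm", "-drive", "file=%s,boot=on" % cfg[disk_key]]
    mac = cfg.get(nic + ".generatedaddress") or cfg.get(nic + ".address")
    argv += ["-net", "nic" + (",macaddr=" + mac if mac else ""), "-net", "tap"]
    if "uuid.bios" in cfg:
        argv += ["-uuid", bios_uuid_to_kvm(cfg["uuid.bios"])]
    return argv

if __name__ == "__main__":
    print(shlex.join(kvm_command(parse_vmx(SAMPLE_VMX))))
```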
kvm-img convert -O qcow2 zimbra-000001.vmdk zimbra.qcow
First convert the vmdk to a compatible format. Although kvm/qemu supports VMware disks, that support is limited and does not cover disk images split across multiple files. If you have access to a VMware Server or Workstation install (or otherwise have vmware-vdiskmanager), do the following:
vmware-vdiskmanager -r VMWareDisk.vmdk -t 0 VMWareSingleDisk.vmdk
(note that the option above is -t 0 with a digit zero; thank you, fun with fonts...)
The resulting image can then be used directly, or converted to a “friendlier” format such as raw disk image or qcow.
qemu-img convert VMWareSingleDisk.vmdk -O qcow2 KVMDiskImage.qcow
qemu-img convert VMWareSingleDisk.vmdk -O raw KVMDiskImage.img
My preference is to use raw disk image files as they can be directly processed with normal forensic tools.
Windows 7 has an easter egg that gives “convenient” access to a long list of Windows tools. Create a folder on the desktop and rename it to: Shortcuts.{ED7BA470-8E54-465E-825C-99712043E01C}
[original at http://tdas.wordpress.com/2008/02/03/speed-up-grep/]
GNU grep is very slow in the UTF-8 locale. It is orders of magnitude faster in the C locale. To check your current locale, type the following at the shell prompt:
locale
LANG=en_US.utf8
LC_CTYPE="en_US.utf8"
LC_NUMERIC="en_US.utf8"
LC_TIME="en_US.utf8"
LC_COLLATE="en_US.utf8"
LC_MONETARY="en_US.utf8"
LC_MESSAGES="en_US.utf8"
LC_PAPER="en_US.utf8"
LC_NAME="en_US.utf8"
LC_ADDRESS="en_US.utf8"
LC_TELEPHONE="en_US.utf8"
LC_MEASUREMENT="en_US.utf8"
LC_IDENTIFICATION="en_US.utf8"
LC_ALL=
In the above example, my locale is en_US.UTF-8. If you are grepping very large files, you can greatly improve the speed by changing the locale to C. In bash, you would type:
export LC_ALL=C
Then type locale again; the display should look something like this:
LANG=en_US.utf8
LC_CTYPE="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_COLLATE="C"
LC_MONETARY="C"
LC_MESSAGES="C"
LC_PAPER="C"
LC_NAME="C"
LC_ADDRESS="C"
LC_TELEPHONE="C"
LC_MEASUREMENT="C"
LC_IDENTIFICATION="C"
LC_ALL=C
At some point grep is supposed to address this issue. Until then, use the C locale with grep. If you frequently use grep to search large text files, you should set the locale in your .bash_profile.
Live acquisition of RAM contents is a complex and evolving topic. Tools that work on one system may not work on another. This is a list of such tools.
DumpIt
For those who missed the news, MoonSols DumpIt has been released as a free version. It supports both 32-bit and 64-bit memory acquisition, it is fast, and it is a single executable, which makes it easy to deploy from USB storage, for instance.
More information here:
http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/
TrueCrypt has some deliberate slowdowns in its code for using a password to decrypt a volume, which reduce it to approximately 1 password per second per thread. Additionally, it tries every supported hash scheme, which slows it down further if the hash scheme is known beforehand. OTFBrutus is a standalone brute forcer aimed at users who remember most of their password. It can generate a wordlist and use it against the volume header to rapidly (relative to using TrueCrypt itself) attempt a decrypt.
After finally updating to Kubuntu 10.04 and what with the recent release of Carrara 8.1.1 (build 12) I decided to see how well it worked in wine. The result? So very, very close but no cigar.
Although the road was very slightly more circuitous it serves no useful purpose to elaborate. What works and what doesn’t:
Installation — this goes just swimmingly and leaves a false impression
Error: there’s a command-line error about OpenGL. It was eliminated by calling as follows:
LD_PRELOAD=/usr/lib32/nvidia-current/libGL.so wine ~/.wine/drive_c/Program\ Files/DAZ\ 3D/Carrara8/Carrara.exe
It accepted the registration information no problem and I added a run time. Some icons (I haven’t checked for a commonality) are not displayed, but the two items tried (AE Boat, Victoria 4.2) load without issue. The GUI is amazingly responsive.
Rendering fails 100% of the time, instantly on launch. It might have to do with multi-threaded code, I’m not sure. The error message is the ever informative “An error occured.”
Visiting the shader room gives an immediate error due to the mini-render view. All the sphere previews for the different parts of the shader tree are blank (no ability to render).
Eliminating the overhead of Windows operating system bloat overall seems to be a good thing performance-wise. But the inability to render anything ultimately makes this an exercise in futility.
Antivirus for forensics needs to be on demand and non-destructive. That is, it should not attempt to “clean” or remove the virus, merely identify it. There are a few options.
F-Prot has a Linux client that is a command-line scanner and is very easy to use and well suited to this, though it does not appear to have good detection rates.
AVG also has a free Linux client, but it appears to be focused on the desktop and did not appear to offer a way to scan a file on demand, or to prevent attempts at removal or containment. It relies on a service that, after installation, was not enabled. It may also require a paid license to function, despite being “free.”
Supposedly SuperAntiSpyware works perfectly in Linux using WINE, though I have not tested that yet.
Malwarebytes has pretty good detection rates, but it has not been tested in WINE either.
Another option is to generate file hashes and check those against VirusTotal or similar services. For example, to hash every file (keeping the hash-to-name mapping), remove duplicates and check the hashes against Team Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/):
$ find /mnt/ntfs -type f -exec md5sum '{}' ';' > windows_file_hashes
$ awk '{print $1}' windows_file_hashes > just_hashes
$ sort just_hashes | uniq > sorted_hashes
# the MHR whois service needs "begin"/"end" around the list for a bulk query
$ (echo begin; cat sorted_hashes; echo end) | netcat hash.cymru.com 43 > scanned_hashes
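Turning the MHR answer back into a list of suspect files, as an added Python example (not from the original post): it assumes md5sum's two-space '<hash>  <path>' output and the documented bulk reply layout of '<hash> <last-seen unix time> <detection percent or NO_DATA>' with '#' comment lines; both samples are constructed, not real lookups.

```python
from collections import defaultdict

# Constructed md5sum output (added example), as written by the find/md5sum step above.
MD5SUM_OUTPUT = """\
d41d8cd98f00b204e9800998ecf8427e  /mnt/ntfs/Windows/empty.txt
0123456789abcdef0123456789abcdef  /mnt/ntfs/Users/bob/AppData/Roaming/updater.exe
0123456789abcdef0123456789abcdef  /mnt/ntfs/Windows/Temp/updater.exe
"""

# Constructed reply in the documented MHR bulk layout (no real verdicts):
# '<hash> <last-seen unix time> <detection percent or NO_DATA>'.
MHR_REPLY = """\
# Bulk mode; hash.cymru.com [constructed sample]
d41d8cd98f00b204e9800998ecf8427e 1311000000 NO_DATA
0123456789abcdef0123456789abcdef 1311000000 62
"""

def hashes_to_paths(md5sum_text):
    """Build hash -> sorted list of paths; duplicate hashes collapse into one key."""
    paths = defaultdict(set)
    for line in md5sum_text.splitlines():
        digest, sep, path = line.partition("  ")   # md5sum separates with two spaces
        if sep:
            paths[digest.lower()].add(path)
    return {h: sorted(p) for h, p in paths.items()}

def bulk_query(hashes):
    """Text to feed to 'netcat hash.cymru.com 43': begin/end wrap the deduplicated list."""
    return "begin\n" + "\n".join(sorted(set(hashes))) + "\nend\n"

def parse_reply(reply_text):
    """hash -> (last_seen, percent) for known hashes; comments and NO_DATA are skipped."""
    hits = {}
    for line in reply_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        if fields[2] != "NO_DATA":
            hits[fields[0].lower()] = (int(fields[1]), int(fields[2]))
    return hits

def flagged_files(md5sum_text, reply_text, min_percent=0):
    """Sorted (path, percent) for every file whose hash the MHR reports as detected."""
    by_hash = hashes_to_paths(md5sum_text)
    out = []
    for digest, (_, pct) in parse_reply(reply_text).items():
        if pct >= min_percent:
            out += [(p, pct) for p in by_hash.get(digest, [])]
    return sorted(out)
```

Because the mapping is kept, one detected hash reports every path it was found at, which is what you want when the same binary sits in several places on the image.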
Information for creating and managing VMs with KVM
Create a new hard disk:
# Pre-allocated
dd if=/dev/zero of=newDisk.dd bs=1024 count=8000
# Sparse
dd if=/dev/zero of=newDisk.dd bs=1 count=0 seek=8G
Initial Install
# Windows
kvm -hda newDisk.dd -net nic -net user -cdrom WinXPCD.iso
Running KVM
# emulate specific real hardware
kvm -cpu athlon -soundhw ac97 -m 512M -vga cirrus
# using a VMWare image
kvm <other settings> -vga vmware
# avoid writing to hard drive
# ** doing this WILL change the hard disk file, even if pre-allocated (par2 detected re-ordered blocks)
kvm <other settings> -snapshot
Backing up a disk image
# create parity files for a state; use par2 to "repair" the disk image to restore that state
# -m is used to speed loading of the disk image
# -r sets the level of redundancy as a percent
# (par2create needs the source file after the .par2 name)
par2create -m100000000 -r20 newDisk.dd-YYYYMMDD-title.par2 newDisk.dd
# use rsync to update a snapshot image of a sparse hard drive file
dd if=/dev/zero of=snapshotDisk.dd bs=1 count=0 seek=8G
rsync -av --inplace /path/to/newDisk.dd /path/to/snapshotDisk.dd