In forensics, let the evidence speak; never settle a case on your own gut conviction. Never draw the target around the arrow, searching only for what you want to find. The foundation of forensics rests on experience and judgment: the broader your experience across IT domains, the more readily you spot the clues. Use tools well, but do not rely on them too much. Tools can only narrow the range of possibilities; they cannot give you the answer, which still requires human analysis and judgment.



A friend of mine, Megan, told me that she got the error message shown in the screenshot below when trying to open a virtual machine found on a suspect's laptop.


She tried to take a guess, but in vain. So what's wrong with this virtual machine?


Obviously it's an encrypted and restricted VM. Let's take a look at the default "Access Control" settings of a VM in VMware Workstation. As you can see, a VM is not encrypted by default.


We could set a password to enable encryption. Guess what? All files of this VM, including the vmdks and the vmx, are then encrypted. As far as I know, there is no way to decrypt this VM without that password!


Furthermore, we could restrict the user from modifying any settings, or set an expiry date for this VM.


Without the password you cannot open this encrypted VM. Let's take a look at its vmx and you will see what's going on: the configuration that normally describes the VM is no longer readable.


Unfortunately, forensic tools may not be able to decrypt those encrypted files. Forensic examiners won't have any idea of what's inside this VM unless they have the password.
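As an added example (not part of the original post), the following triage script parses a .vmx and tells an examiner up front whether Access Control encryption is present, so no time is wasted carving the vmdks. The sample vmx contents are constructed; the key names `encryption.keySafe` and `encryption.data` are assumed to be the ones VMware writes into an encrypted vmx.

```python
# Added example: triage a VMware .vmx for Access Control encryption.
# Sample vmx texts below are constructed for illustration.
import re
from typing import Dict, List

# Every .vmx line of interest has the form:  key = "value"
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Keys assumed to appear only in an encrypted vmx (VMware Access Control).
ENCRYPTION_KEYS = ("encryption.keySafe", "encryption.data")

PLAIN_VMX = '''.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "16"
displayName = "Suspect-Win10"
guestOS = "windows9-64"
scsi0:0.fileName = "Suspect-Win10.vmdk"
'''

# In an encrypted VM only a few keys stay readable; the rest of the
# configuration (guestOS, disks, NICs, ...) is folded into encryption.data.
ENC_VMX = '''.encoding = "UTF-8"
displayName = "Suspect-Win10"
encryption.keySafe = "vmware:key/list/(pair/(phrase/CONSTRUCTED_PLACEHOLDER))"
encryption.data = "CONSTRUCTED_BASE64_PLACEHOLDER=="
'''

def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx; comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def triage_vmx(text: str) -> Dict[str, object]:
    """Summarise what an examiner can learn from the vmx before opening the VM."""
    s = parse_vmx(text)
    encrypted = any(k in s for k in ENCRYPTION_KEYS)
    disks: List[str] = [v for k, v in s.items()
                        if k.endswith(".fileName") and v.lower().endswith(".vmdk")]
    return {
        "encrypted": encrypted,
        "visible_keys": sorted(k for k in s if not k.startswith("encryption.")),
        "disk_files": disks,   # empty for an encrypted VM: disk names are hidden too
        "note": ("password required; vmx/vmdk contents are not recoverable without it"
                 if encrypted else "plaintext vmx; disks can be examined directly"),
    }

if __name__ == "__main__":
    for label, vmx in (("plain", PLAIN_VMX), ("encrypted", ENC_VMX)):
        print(label, triage_vmx(vmx))
```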


posted on 2020-09-08 23:11 by Pieces0310