Displaying 2 results from an estimated 2 matches for "digital_forensics_xml".

2013 Nov 22
0
Re: Auditing a vm image - virt-diff - was: Read MBR and store in a file?
...k on your images, you should convert any of your disk images to a raw image or Expert Witness Format. Actually, I don't suppose qemu-img has a FUSE-like wrapper that exposes the underlying image as a raw file? DFXML has an entry on the Forensics Wiki: http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML As for your external-to-filesystem data question: I think you got the essential non-file-system data. I can imagine data fragments from past/shrunken file systems, or hidden-data regions that fall outside what's recorded in the partition table. My imagination runs dry there, though. --Alex...
2013 Nov 22
5
Auditing a vm image - virt-diff - was: Read MBR and store in a file?
Thank you all for your suggestions!
Richard W.M. Jones:
> I keep meaning to write a comprehensive "virt-diff" tool. I needed it
> myself just yesterday.
Most interesting. I guess there are two reasons for creating such a tool: just compare the images (show the diff) and/or check for malicious additions in the other image. Did you consider implementing the former or both? Do