From 5443a2f83eae68c555f32ca2f9618bb19819a4a3 Mon Sep 17 00:00:00 2001 From: nunomourinho <56609351+nunomourinho@users.noreply.github.com> Date: Mon, 25 Sep 2023 23:53:08 +0100 Subject: [PATCH 1/3] Create README.md --- IngestModules/ForensicVM/README.md | 88 ++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 IngestModules/ForensicVM/README.md diff --git a/IngestModules/ForensicVM/README.md b/IngestModules/ForensicVM/README.md new file mode 100644 index 0000000..a772b63 --- /dev/null +++ b/IngestModules/ForensicVM/README.md 
@@ -0,0 +1,88 @@ +- __Description:__ The Autopsy ForensicVM client is an innovative tool designed to streamline the process of digital forensics. It leverages advanced virtualization technology to enable secure and efficient analysis of forensic images. The client is specifically developed for cybersecurity professionals, digital forensics investigators, and information security teams. +- __Author:__ Nuno Mourinho +- __Minimum Autopsy version:__ 4.20.0 +- __Module Location__: https://github.com/nunomourinho/AutopsyForensicVM/releases/tag/v1.0.2 +- __Website:__ https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/ +- __Source Code:__ https://github.com/nunomourinho/AutopsyForensicVM +- __License:__ EUPL-1.2 license + + +# Autopsy ForensicVM client +[![Actions Status](https://github.com/nunomourinho/AutopsyForensicVM/workflows/Python%20application/badge.svg)](https://github.com/nunomourinho/AutopsyForensicVM/actions) [![DOI](https://zenodo.org/badge/628277916.svg)](https://zenodo.org/badge/latestdoi/628277916) [![Documentation Status](https://readthedocs.org/projects/forensicvm-autopsy-plugin-user-manual/badge/?version=latest)](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/?badge=latest) + + +Documentation and manuals: [ForensicVM Autopsy Client Documentation](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/) + + + +## Introduction + +The Autopsy ForensicVM client is an innovative tool designed to streamline the process of digital forensics. It leverages advanced virtualization technology to enable secure and efficient analysis of forensic images. The client is specifically developed for cybersecurity professionals, digital forensics investigators, and information security teams. + +## Purpose of ForensicVM + +ForensicVM aims to enhance the forensic analysis process by providing a range of features and capabilities. 
It offers a secure and scalable environment for analyzing forensic images, making it an invaluable tool in the field of digital forensics. + +## Overview of Features + +ForensicVM provides the following key features to enhance the forensic analysis process: + +1. **Virtualization of Forensic Images:** ForensicVM allows the creation and management of virtualized instances of forensic images. This provides flexibility and scalability in the analysis process, with options for quick selection or full conversion to maximize performance and features. + +2. **Forensic Image Lifecycle Management:** Users can manage the entire lifecycle of forensic images, from creation to decommissioning. This includes converting images into virtual machines, starting, stopping, resetting, snapshotting, and safely deleting them when no longer required. + +3. **Advanced Analysis Tools:** ForensicVM is equipped with a suite of powerful analysis tools to assist investigators in uncovering vital evidence. + +4. **Integrated Hypervisor:** The ForensicVM Server includes a robust hypervisor based on QEMU and KVM, ensuring efficient execution and management of virtual machines. + +5. **Collaboration:** ForensicVM facilitates remote and secure collaboration among forensic investigators. It enables team members to work simultaneously on investigations regardless of their location, fostering productivity and communication. Advanced encryption and security protocols ensure the confidentiality and integrity of collaborative efforts. + +6. **Plugin Architecture:** ForensicVM supports plugins that can be applied to the forensic virtual machine. These plugins enable security bypassing, customization, and the development of custom solutions that interact with ForensicVM. + +7. **Evidence Disk:** An additional disk is automatically created with all tags from Autopsy Software, simplifying the gathering and importing of evidence back to Autopsy. + +8. 
**Optional Network Card:** The network card, disabled by default, records all network traffic on the server while protecting local networking from potential attacks using pre-installed firewall rules. It also records traffic in Wireshark PCAP format. + +9. **On-the-Fly Memory Dumps:** ForensicVM allows the creation of volatility memory dumps at any moment during the analysis. + +10. **Integrated Screenshots:** The client includes a built-in feature for capturing screenshots, eliminating the need for an additional screenshot program. + +11. **Integrated Video Recording:** ForensicVM enables the recording of individual videos with a maximum duration of three hours, providing additional evidence if required. Please note that audio recording is currently not available. + +12. **Media Management:** The client allows investigators to manage ISO files and use their own tools during the investigation. + +13. **Snapshot Management:** Users can freeze the virtual machine at a specific state and recall previous states for performing "what if" tests. + +> **Warning:** The network card is currently a work-in-progress and may expose your network to potential risks under certain circumstances. While it safeguards your internal system, your external IP may still be visible if a C2C client is installed. Proceed with caution. + +> **Important:** Video recording is currently under development and does not include audio. This limitation is expected to be addressed in future updates. + +## Use Cases + +ForensicVM can be utilized in various scenarios, including but not limited to: + +- Cybersecurity Investigations +- Incident Response +- Training and Education +- Legal Investigations +- Corporate Audits and Investigations + +In each of these scenarios, ForensicVM contributes to the analysis and understanding of digital evidence, aiding in investigations, incident mitigation, training, and maintaining a secure work environment. 
+ +Documentation and manuals: [ForensicVM Autopsy Client Documentation](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/) + + +## 📖 Citation + +Reference to cite if you use AutopsyForensicVM in a paper: +``` +@software{Mourinho_AutopsyForensicVM_2023, +author = {Mourinho, Nuno}, +doi = {10.5281/zenodo.8153316}, +month = {07}, +title = {{Autopsy ForensicVM Client}}, +url = {https://github.com/nunomourinho/AutopsyForensicVM}, +year = {2023} +} + + From fdfc4ed1a81b58e3750d7416e699853055b3f6ab Mon Sep 17 00:00:00 2001 From: Nuno Mourinho <56609351+nunomourinho@users.noreply.github.com> Date: Mon, 25 Sep 2023 23:57:08 +0100 Subject: [PATCH 2/3] Update README.md --- IngestModules/ForensicVM/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/IngestModules/ForensicVM/README.md b/IngestModules/ForensicVM/README.md index a772b63..364d838 100644 --- a/IngestModules/ForensicVM/README.md +++ b/IngestModules/ForensicVM/README.md @@ -1,5 +1,5 @@ - __Description:__ The Autopsy ForensicVM client is an innovative tool designed to streamline the process of digital forensics. It leverages advanced virtualization technology to enable secure and efficient analysis of forensic images. The client is specifically developed for cybersecurity professionals, digital forensics investigators, and information security teams. -- __Author:__ Nuno Mourinho +- __Author:__ Nuno Mourinho (nuno.mourinho+forensicVM@gmail.com) - __Minimum Autopsy version:__ 4.20.0 - __Module Location__: https://github.com/nunomourinho/AutopsyForensicVM/releases/tag/v1.0.2 - __Website:__ https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/ From 4e27e62d86756e74d07da551821aa163a92c02f9 Mon Sep 17 00:00:00 2001 From: Nuno Mourinho <56609351+nunomourinho@users.noreply.github.com> Date: Wed, 6 Mar 2024 15:06:13 +0000 Subject: [PATCH 3/3] Update README.md --- IngestModules/ForensicVM/README.md | 81 ------------------------------ 1 file changed, 81 deletions(-) 
diff --git a/IngestModules/ForensicVM/README.md b/IngestModules/ForensicVM/README.md index 364d838..cd0f82f 100644 --- a/IngestModules/ForensicVM/README.md +++ b/IngestModules/ForensicVM/README.md 
@@ -5,84 +5,3 @@ - __Website:__ https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/ - __Source Code:__ https://github.com/nunomourinho/AutopsyForensicVM - __License:__ EUPL-1.2 license - - -# Autopsy ForensicVM client -[![Actions Status](https://github.com/nunomourinho/AutopsyForensicVM/workflows/Python%20application/badge.svg)](https://github.com/nunomourinho/AutopsyForensicVM/actions) [![DOI](https://zenodo.org/badge/628277916.svg)](https://zenodo.org/badge/latestdoi/628277916) [![Documentation Status](https://readthedocs.org/projects/forensicvm-autopsy-plugin-user-manual/badge/?version=latest)](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/?badge=latest) - - -Documentation and manuals: [ForensicVM Autopsy Client Documentation](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/) - - - -## Introduction - -The Autopsy ForensicVM client is an innovative tool designed to streamline the process of digital forensics. It leverages advanced virtualization technology to enable secure and efficient analysis of forensic images. The client is specifically developed for cybersecurity professionals, digital forensics investigators, and information security teams. - -## Purpose of ForensicVM - -ForensicVM aims to enhance the forensic analysis process by providing a range of features and capabilities. It offers a secure and scalable environment for analyzing forensic images, making it an invaluable tool in the field of digital forensics. - -## Overview of Features - -ForensicVM provides the following key features to enhance the forensic analysis process: - -1. **Virtualization of Forensic Images:** ForensicVM allows the creation and management of virtualized instances of forensic images. This provides flexibility and scalability in the analysis process, with options for quick selection or full conversion to maximize performance and features. - -2. 
**Forensic Image Lifecycle Management:** Users can manage the entire lifecycle of forensic images, from creation to decommissioning. This includes converting images into virtual machines, starting, stopping, resetting, snapshotting, and safely deleting them when no longer required. - -3. **Advanced Analysis Tools:** ForensicVM is equipped with a suite of powerful analysis tools to assist investigators in uncovering vital evidence. - -4. **Integrated Hypervisor:** The ForensicVM Server includes a robust hypervisor based on QEMU and KVM, ensuring efficient execution and management of virtual machines. - -5. **Collaboration:** ForensicVM facilitates remote and secure collaboration among forensic investigators. It enables team members to work simultaneously on investigations regardless of their location, fostering productivity and communication. Advanced encryption and security protocols ensure the confidentiality and integrity of collaborative efforts. - -6. **Plugin Architecture:** ForensicVM supports plugins that can be applied to the forensic virtual machine. These plugins enable security bypassing, customization, and the development of custom solutions that interact with ForensicVM. - -7. **Evidence Disk:** An additional disk is automatically created with all tags from Autopsy Software, simplifying the gathering and importing of evidence back to Autopsy. - -8. **Optional Network Card:** The network card, disabled by default, records all network traffic on the server while protecting local networking from potential attacks using pre-installed firewall rules. It also records traffic in Wireshark PCAP format. - -9. **On-the-Fly Memory Dumps:** ForensicVM allows the creation of volatility memory dumps at any moment during the analysis. - -10. **Integrated Screenshots:** The client includes a built-in feature for capturing screenshots, eliminating the need for an additional screenshot program. - -11. 
**Integrated Video Recording:** ForensicVM enables the recording of individual videos with a maximum duration of three hours, providing additional evidence if required. Please note that audio recording is currently not available. - -12. **Media Management:** The client allows investigators to manage ISO files and use their own tools during the investigation. - -13. **Snapshot Management:** Users can freeze the virtual machine at a specific state and recall previous states for performing "what if" tests. - -> **Warning:** The network card is currently a work-in-progress and may expose your network to potential risks under certain circumstances. While it safeguards your internal system, your external IP may still be visible if a C2C client is installed. Proceed with caution. - -> **Important:** Video recording is currently under development and does not include audio. This limitation is expected to be addressed in future updates. - -## Use Cases - -ForensicVM can be utilized in various scenarios, including but not limited to: - -- Cybersecurity Investigations -- Incident Response -- Training and Education -- Legal Investigations -- Corporate Audits and Investigations - -In each of these scenarios, ForensicVM contributes to the analysis and understanding of digital evidence, aiding in investigations, incident mitigation, training, and maintaining a secure work environment. - -Documentation and manuals: [ForensicVM Autopsy Client Documentation](https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/) - - -## 📖 Citation - -Reference to cite if you use AutopsyForensicVM in a paper: -``` -@software{Mourinho_AutopsyForensicVM_2023, -author = {Mourinho, Nuno}, -doi = {10.5281/zenodo.8153316}, -month = {07}, -title = {{Autopsy ForensicVM Client}}, -url = {https://github.com/nunomourinho/AutopsyForensicVM}, -year = {2023} -} - -
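Review bot: In the PATCH 1/3 hunk (`@@ -0,0 +1,88 @@`), the citation block opens a ``` fence on the line before `@software{Mourinho_AutopsyForensicVM_2023,` but never closes it, so in the rendered README everything after that point (and anything appended later) is shown as code; add a closing ``` after the `}` line. Two smaller documentation points in the same hunk: the `__Description:__` line and the paragraph under `## Introduction` are the same text verbatim, so one of them can go; and the `> **Warning:**` paragraph says the external IP "may still be visible if a C2C client is installed" without saying what the pre-installed firewall rules do and do not block. Since feature 8 makes a security claim ("protecting local networking from potential attacks"), spell out what the rules cover, and write "C2" (command and control) if that is what "C2C" means. Feature 6 likewise says plugins enable "security bypassing" without stating what they change on the image; a reader evaluating the module for evidentiary use needs that scope, or a link to the plugin documentation.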
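Review bot: In the PATCH 2/3 hunk (`@@ -1,5 +1,5 @@`), the only change is adding a personal e-mail address to the `__Author:__` line, but the commit subject "Update README.md" does not say so; a subject such as "Add author contact address to ForensicVM README" makes the history searchable. Publishing a plain-text address in a public repository README is fine if intended, but it will be harvested, so confirm that the plus-addressed mailbox is the one you want exposed rather than, say, a link to the project's issue tracker.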
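Review bot: In the PATCH 3/3 hunk (`@@ -5,84 +5,3 @@`), 81 lines are deleted and only the metadata block (`__Description:__` through `__License:__`) survives, yet the commit subject "Update README.md" gives no reason; state the rationale in the message (for example that the full text now lives on the readthedocs site linked from `__Website:__`), because the deletion also removes the unclosed ``` fence from PATCH 1/3 and a future reader should not have to reverse-engineer whether that was the motive. The hunk's last removed lines are blank `-` lines, so check that the file keeps a trailing newline after `- __License:__ EUPL-1.2 license`. With the body gone, `__Module Location__` pinning the `v1.0.2` tag is the only pointer to the download; consider pointing it at the releases page instead so the listing does not go stale when a new version is published.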