
3 posts tagged with "Digital Forensics"


🔦 A quick walkthrough in the VMDK format

· 10 min read
mickaelwalter
Infosec and technology enthusiast

After attending a conference for incident response teams, I joined a project aiming to create a forensic framework allowing acquisition and visualization of evidence from various sources: the Exhume toolkit.

The Exhume Toolkit v0.1

In this quest of retrieving data from various base formats, I got involved in the understanding and implementation of a parser for the VMDK format.

The Virtual Machine Disk format was created by VMware and is used by virtual machines running on many types of hypervisors. It is also used inside the exchange formats that let a virtual machine be moved from one hypervisor to another.

Most IT experts, from cybersecurity to system administration, have heard of VMDK files, and I am no exception. But I never really understood what was behind this format. Sure, I did encounter some difficulties accessing data from a VMDK file sourced from an ESXi server, but I always found tools that could convert the file to a better-suited format... including VMDK itself.

At that moment I wondered why converting a VMDK file to another one could help me get access to the data for forensic purposes. And I've found the answer now that I've done some serious research on the matter.

🦉 Thanatology Part 1 - Introducing the Thanatology project

· 9 min read
k1nd0ne
Digital Forensics Spiderman

In digital forensics, tools are only as valuable as the investigator’s ability to understand and explain their output, especially when presenting evidence in court. Beyond simply extracting data, the methodology behind how artifacts are collected and interpreted plays a critical role in admissibility, reliability and credibility.

This blog post series introduces the Thanatology Project, an open-source, cross-platform digital forensics framework currently under development. Built on top of the Exhume ToolKit (a modular set of Rust-based forensic tools), Thanatology combines performance, transparency, and modern design via a Tauri-based desktop interface. Designed for law enforcement and digital forensic professionals, the project emphasizes not only artifact collection and presentation but will also try to provide help for interpretation.

For example, when analyzing EXTFS file systems, Thanatology will try to offer guidance on the meaning of each timestamp and will include complete extraction details suitable for annexing to formal reports.

The blog series will cover:

  • An overview of the Thanatology project and its goals.
  • A high-level introduction to the Exhume tool suite.
  • Deep dives into each Exhume module and its specific forensic use case.
  • Updates on the project development.
  • Interesting research techniques we found during our journey.

While Thanatology is not intended to replace established tools, it will attempt to offer a modular and modern alternative, well suited to cross-verifying findings or integrating into custom workflows. This blog post series is mainly here to provide the community with updates, technical knowledge and any interesting subjects we found along the way.

🔦 Debunking the Expert Witness Compression Format (EWF)

· 11 min read
k1nd0ne
Digital Forensics Spiderman

As a digital forensic expert, proving the authenticity and reliability of a forensic image in court is essential. The integrity of the data needs to be maintained during the imaging process, preventing any accidental or intentional modification of the data. The Expert Witness Compression Format (EWF) provides a way to store metadata about the image, such as the source device, the imaging tool, checksums, signatures, and other relevant information about the acquired media. This imaging format's main feature is its compression capability, which reduces the size of the resulting image file. Compression allows for faster analysis of the data and reduces storage requirements. This article is meant to explain, in accessible terms, the structures behind an EWF segment. The reader will discover the main algorithms needed to read and seek inside such an image format. Finally, a proof of concept written in Rust will be shared with the reader.