======================
Installation and Setup
======================

This section will guide you through the steps necessary to install and set up ForensicVM on your system.
The AutopsyVM client plugin is a valuable addition to Autopsy, enhancing its functionality for digital forensics. Follow the steps below to install the plugin.
Download the latest version of the ForensicVM.exe setup file from the [AutopsyForensicVM GitHub Releases](https://github.com/nunomourinho/AutopsyForensicVM/releases) page. Navigate to the "Assets" section and download the setup file.
Run the ForensicVM.exe setup file to begin the installation process. The setup consists of four steps:
- Welcome Screen: Displays an introduction to the installation process.
- Component Installation: Proceed with the default settings. Do not make any changes.
- Plugin Location: Specify the location where the AutopsyVM client plugin will be installed. Typically, this does not require any changes.
- Install: Click the "Install" button to start the installation process.
Follow the on-screen instructions to complete the installation. Once the installation is finished, you can proceed with using the AutopsyVM client plugin in Autopsy.
To verify the successful installation of the AutopsyVM client plugin, open Autopsy and check if the plugin is available and functional.
Here are the screenshots that illustrate the installation process:
Welcome Screen, Component Installation, Plugin Location, Finish Screen

After successfully installing ForensicVM, you need to configure the AutopsyVM plugin. The initial configuration consists of the following steps:
Step 1: In Autopsy, add a new data source. This new data source is the forensic image that we need to convert to a forensicVM.
Add a new data source to Autopsy
- Add datasource
- Specify a new hostname
- Next
Disk Image
- Select the option disk image or VM File
- Next
Forensic Image Selection
- Browse for your forensic image, select it
- Click Next
Select Datasource
- Deselect all other plugins
- Select the forensicVM Client plugin
- Click next
Step 5: Open the admin page of your forensicVM Server web address. Ex: https://<ip-or-web>:port/admin
Configure inject
- Select ForensicVM Client plugin
- Enter user and password
- Click the login button
Add user
- Fill in the user, password and password confirmation fields
- Click SAVE
Add API key to user
- Click the add button on the api keys
- Select the user
- Click the plus sign
Copy user API key
- Select the newly created API key
- Press CTRL + C or copy it using the right mouse button and select copy
Paste the user API key
- Put the mouse on the Forensic API field
- Press CTRL + V or paste it using the right mouse button and select paste
Fill and test forensic VM Server Configuration
- Put the mouse on the Forensic VM server address. Fill in the information with your server address
- Click the Test Server Connection button to test whether the API key and server address are correct
Forensic VM server connection test
- If all pieces of information are correct and if the server is online you should see a connected successfully dialog box.
- If there are any problems, you should see a red error dialogue. Please check and correct the field values.
Configure and copy the ssh key to the server

The forensicVM Server accesses the forensic images by making a reverse ssh connection to your computer and accessing a local share via the internet. The reverse ssh connection is needed to make the Windows share access safe. Configure the forensicVM server SSH address and port number now:

#. Fill in the SSH Server Address and port number.
#. Press the button to copy the ssh key to the server.
Copy ssh key status
- If the configuration is correct, you should see a dialog stating that the public key was added to the authorized keys
- If not, you should see an error dialogue or a dialogue stating that the ssh public key is already present on the remote server
Test windows share over ssh
- Click the Test Ssh connection button
- If the configuration is correct you should see a dialog stating that the connection was successful
- If not, you should see an error dialogue
Configure windows share over ssh
- Press the Autofill info button to autofill the Windows share information with the share login and the local and remote paths to the share. This info is extracted from the forensic image's current path.
Share login and the share password configuration
- The share login and share password are a Windows local user and its password. It does not need to be an Administrator account. It can be a regular user. It also does not need to exist, since it is created if it does not exist when the user presses the create share button.
Create share button
- After filling in the share login and password, press the create share button.
Create a share command window
- After pressing the create share button a command window will open. This will try to create the local user with the defined password.
Testing the forensicVM image Windows share over ssh
- Press the Test Windows share button to test whether it is possible to connect to the Windows share from the server using a reverse ssh connection. If all is OK, you will be presented with a Windows alert stating that the connection was successful.
Caution
Be sure to use a secure Windows username and password for your share. Although this share is protected over the internet by your SSH private key, on the Windows network, your username and password could be a potential vulnerability. We recommend a dedicated, strong username and password for your share, which can be reused for multiple forensic image shares if necessary.
Note
Please configure your firewall to allow local access to your Windows shares. You can restrict the Windows share to be accessible only by your own computer. If needed, please seek assistance from your system administrator to perform this task.
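The Caution and Note above call for a dedicated share account and a share that is not exposed beyond your own computer. The following read-only PowerShell audit is an added example, not part of ForensicVM or its installer; the share name and account name are placeholders (assumptions) for the values you entered in the plugin.

```powershell
# Added example: read-only audit of a forensic image share (run elevated).
param(
    [string]$ShareName = 'forensic-image-share',  # placeholder share name
    [string]$ShareUser = 'forensicvm-share'       # placeholder local account
)
$findings = @()

# 1. The share account should be a regular user, not a local administrator.
#    S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($admins.Name -like "*\$ShareUser") {
    $findings += "$ShareUser is a member of the local Administrators group"
}

# 2. Only the dedicated account should be allowed on the share.
foreach ($ace in (Get-SmbShareAccess -Name $ShareName)) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.AccountName -notlike "*\$ShareUser") {
        $findings += "share grants $($ace.AccessRight) to $($ace.AccountName)"
    }
}

# 3. No enabled inbound allow rule that names TCP 445 explicitly should
#    accept SMB connections from any remote address.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP' -or $port.LocalPort -notcontains '445') { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "rule '$($rule.DisplayName)' ($($rule.Profile)) allows SMB from any address"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No findings for share '$ShareName'." }
```

Each warning names the account, share permission or firewall rule to review; the script changes nothing on the system.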