Can Live View boot up images acquired from 64bit OS evidence?
2015-07-26 16:12
Some say Live View can only boot up images acquired from 32-bit OS evidence. I have to say that it's not true. OK, the best way to prove it is to let the evidence speak for itself.
1. Boot up Windows 7 64bit evidence
![](http://images0.cnblogs.com/blog2015/706830/201507/261527155457639.png)
2. Live View booting up Linux 64-bit evidence
![](http://images0.cnblogs.com/blog2015/706830/201507/261605353731929.png)
I think the reasons why some forensic guys "believe" that Live View cannot boot evidence successfully are as follows:
1. They forgot that mounting tools (e.g. FTK Imager) require Administrator privileges to run.
2. They forgot that Live View requires Administrator privileges to run.
3. Whenever they see any scary word (like "error", "warning", "failed") in the Live View message boxes, they shut Live View down immediately without hesitation. Actually they should be more patient and let Live View parse and analyze those partitions. When it has completed, they can use VMware to open the snapshot and see whether it works or not. Remember one very important thing: "Don't jump to conclusions too soon"... some forensic examiners should get rid of this kind of bad habit...
Live View is an open-source, Java-based solution. You can take a look at its website and forums:
http://liveview.sourceforge.net/index.html
http://sourceforge.net/p/liveview/discussion/
By the way, VFC is a commercial solution. In my experience, Live View is better than VFC. Of course, there is no 100% guarantee that evidence will boot up with Live View (or VFC). There is still a chance that it fails to boot and you see the Blue Screen of Death...