Creating VMs from Forensic Images for Courtroom Presentation

Recorded On: 10/02/2020

One of the biggest hurdles in computer forensic testimony is figuring out how best to approach all the technical terms, procedures and evidence that need to be explained and presented to a “non-technical” courtroom. One of the best ways to overcome this hurdle is to give the court a “virtual tour” of the evidence. By harnessing forensic and VM technology, you can virtually “boot” the suspect’s system by creating a virtual machine from your forensic image file (e.g., .E01, .DD, etc.) and view the system just as if you had brought the computer into the courtroom and powered it on. Judges and jurors can now see the system just as the suspect saw it, in its native Windows environment, and you will be able to present your evidence and findings in a much more efficient and effective way. Attendees will learn the process of creating and booting a VM of a forensic image, and how they can use this process to locate additional evidence that’s not typically viewable via traditional forensic tools. Attendees will also learn useful tips and tricks on how to successfully introduce this in a courtroom setting.

Jeff Shackelford

Product Manager and Digital Forensics Specialist

PassMark Software

Jeff Shackelford is a Product Manager and Digital Forensics Specialist for PassMark Software, makers of OSForensics. As a former Digital Forensics Lab Director, Supervisory Special Agent, and Certified Law Enforcement Instructor, Jeff has over 17 years of law enforcement experience and has been an active member, practitioner and speaker in the digital forensics and cyber-crime communities for the past 13+ years. Now with PassMark Software, Jeff utilizes his prior training and 'real-world' experience to oversee the development of PassMark’s premier digital forensics and e-Discovery toolkit, OSForensics.
