Since beginning my endeavors with computer forensics, I have always wanted the ability to boot up a suspects computer just to see what the user saw when he was using the computer. So many times I have done computer forensic exams in which proprietary software is used. Simply looking at directory structures sometimes just doesn't cut it. Also, how many times did I make case agents go out and buy accounting software in order to run the target's data, not to mention figuring out which files to extract.

The old method of booting the target's machine consisted of cloning the target's drive with Safeback, then installing it into a sterile computer or the suspect's computer. I never liked the former method because of hardware issues and I never liked the latter because I like to touch the target machine as little as possible. All this hassle, not to mention I would still have to image the suspect's computer again in order to do my forensic examination.


Is there a solution? I have found a solution that simplifies and speeds up the process. I am utilizing Linux, VMware for Linux, and SMART. Just what is Linux, VMware for Linux, and SMART? Well, as you all know, Linux is an operating system. What few people realize is just how powerful this operating system is when it comes to computer forensic work. VMware for Linux is a software package that enables you to create a virtual computer within your Linux operating system. SMART is a graphical computer forensic tool written for the Linux operating system. Why SMART? You will see later in this paper when I discuss the imaging capabilities of SMART. These capabilities make it probably the best imaging tool I've seen to date, not to mention the computer forensic tools built in to SMART. I will present a step-by-step procedure on how to create a virtual computer out of your suspect's machine and image your suspect's machine at the same time for forensic analysis. It's a system I call SMART Forensics.

Download the paper in PDF format here.