Can Live View boot up images acquired from 64bit OS evidence?

Some said Live View could only boot up images acquired from 32bit OS evidence. I have to say that it's not true. OK, the best way to prove it is to let the evidence speak for itself~

1. Boot up Windows 7 64bit evidence

2. Live View boots up Linux 64bit evidence

I think the reasons why some forensic guys "believe" that Live View could not boot evidence successfully are as follows:

1. They forgot that mounting tools (e.g. FTK Imager) require Administrator privileges to run.

2. They forgot that Live View requires Administrator privileges to run.

3. Whenever they saw any alarming word (like "error", "warning", "failed") in the Live View message boxes, they would shut Live View down immediately without hesitation. Actually they should be more patient and let Live View parse and analyze those partitions. When it completes, they can use VMware to open the snapshot and see whether it works or not. Remember one very important thing: "Don't jump to conclusions too soon"... some forensic guys should get rid of this kind of bad habit...

It's an Open Source Java-based solution. You guys could take a look at its website and forums:

http://liveview.sourceforge.net/index.html

http://sourceforge.net/p/liveview/discussion/

By the way, VFC is a commercial solution. In my experience, Live View is better than VFC. Of course there is no 100% guarantee that Live View (or VFC) will boot up the evidence. There is still a chance that it fails to boot up and you see a Blue Screen of Death...

Time: 2024-10-08 17:09:13
