Forensic "write-blocking" capability?
Posted: 13. Aug 2010, 19:07
by stuartbh
ALCON,
Recently I did some data recovery for a friend, and I was just looking at if I could have used Virtualbox to aid in that effort. The recovery is done, but it would have been VERY useful, if Virtualbox could have allowed me to attach a USB device to it in "write blocked mode". I would imagine computer forensics types would appreciate this feature as well.
Can virtualbox virtualize a Firewire device as well? I never tried this.
If so, can it be virtualized into a write-blocked mode?
Thanks in advance,
Stuart
Re: Forensic "write-blocking" capability?
Posted: 17. Aug 2010, 17:04
by Nessuno
Hi everybody, first post here!
I'm very interested in this thread as by now I'm trying to use an Ubuntu 10.04 guest on an OSX SL 10.6.4 host for forensic investigation with The SleuthKit on raw disk images already extracted running a live Linux Helix 3.0 and placed on a 1Tb ext3 partition of a 2Tb external USB drive.
Finding a way to ensure write-block mode would have been very useful for that purpose (a kind of virtualized hardware write blocker) but by now the real problem I'm facing with this setup is the really poor USB speed performance: at an average reading speed of 4Mbytes/sec any serious data carving activity on large disk images seems simply unfeasible.
Any hint on speedup of USB performance would be more than welcome, even if, searching the forums, this still seems to be a VB primary issue.
regards,
Nessuno.
Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 10:57
by mpack
Hi Nessuno, welcome to the VirtualBox forums. I must however say to you that hijacking someone else's thread is not considered polite: the OP did not ask about USB performance, so it is not for you to invite that discussion here. Why not start your own thread specific to your problem? Remember to choose the correct forum too.
Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 12:07
by Nessuno
Sorry, I didn't mean to hijack anyone, and in fact I've joined this very thread because the OP said "I would imagine computer forensics types would appreciate this feature as well" and by coincidence just in these days I'm trying to use VBox for forensic investigation: just adding my "vote" for a write blocking capability feature which, I guess, might be considered at first quite a marginal one, but, yes, there is someone else interested in it in the real world!
Thus stated, the last lines of my post were not intended to steer the thread in another direction, but only (maybe it was not extremely clear from the context and again I beg everyone's pardon) to say that "by the way", the main issue I'm experiencing against forensic use (where normally one has to deal with transferring and analyzing extremely large chunks of data) is actually USB speed and maybe, now I'm thinking, adding write blocking capability might slow it down further.
About this latter question, I don't think it's worth opening a new thread as on this same subject there are already more than one in different forums as it happens on different host and guest OSes. There is also an open ticket (#2973) whose state I monitor regularly.

Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 14:43
by sej7278
proper forensic investigation requires hardware write-blockers, and disk cloners.
even the act of plugging a hard drive into a computer does not guarantee that the host os doesn't write to the drive - even the act of reading from the cache or smart data on the drive invalidates forensics.
a usb enclosure and a copy of virtualbox may be ok for data recovery (albeit slow) but you can't call that professional forensics.
for speed purposes you could use esata and mount the drive readonly on the host and use raw access (or iscsi?) in virtualbox.
Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 16:54
by Nessuno
A discussion about proper forensic investigation is of course out of the scope of this forum. So for the sake of this thread, let's assume that, for reasons and constraints not worth discussing here, I might be led to (or I'd like to try to) use VirtualBox in such a scenario. Well, in this case, being able to define USB as readonly by the guest and having the data flowing through it at full speed (especially this latter!), will definitely make my life easier...
Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 19:27
by sej7278
i'm not sure why usb is so slow on guests (usb is slow enough on real hardware!) but i think you'd be better off cutting it out of the equation by either:
1. not mounting it as a usb device in the guest - mount it as a raw disk image from the host, don't use virtualbox's usb stack;
2. ditch the usb enclosure and use esata (or fw800) or mount it internally on your sata/ide controller; and again mount it as a raw disk.
but i don't think you can mount raw disks readonly anyway, which does seem a bit lacking - the manual even says read+write is required.
another idea which would really be pushing the boundaries of credible forensics is to make a copy of the partitions on the disk (e.g. using dd) copy them to the guest and mount them as readonly; that's not going to give you physical access to the disk only the data on the partitions, and relies on the disk still being readable.
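One caveat on the "copy the partitions with dd and mount them readonly" idea above: on Linux a `ro` mount of an ext3/ext4 image whose journal was left dirty still replays that journal onto the image unless `noload` is also given, so the "read-only" mount modifies the evidence copy. The following is an added example, not code from this thread or from VirtualBox; it reads the ext superblock of a dd image to report whether a journal exists and needs recovery, and builds the mount options accordingly (the sample image bytes are constructed inline).

```python
import struct

SB_OFFSET = 1024            # primary ext superblock lives at byte 1024
EXT_MAGIC = 0xEF53          # s_magic, little-endian at superblock offset 56
COMPAT_HAS_JOURNAL = 0x0004  # bit in s_feature_compat (offset 92)
INCOMPAT_RECOVER = 0x0004    # bit in s_feature_incompat (offset 96): dirty journal


def inspect_superblock(image: bytes) -> dict:
    """Return journal-related facts from an ext2/3/4 image's primary superblock."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 104:
        raise ValueError("image too small to hold an ext superblock")
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext filesystem (magic 0x{magic:04x})")
    compat, incompat = struct.unpack_from("<II", sb, 92)
    return {
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        # set when the fs was not cleanly unmounted; mount would replay the journal
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }


def recommended_mount_options(info: dict) -> str:
    """Mount options that keep the image untouched while it is examined."""
    opts = ["ro", "noatime"]
    if info["has_journal"]:
        opts.append("noload")  # skip journal replay, even if the journal is dirty
    return ",".join(opts)


def make_sample_image(needs_recovery: bool) -> bytes:
    """Constructed sample: 2 KiB of zeros with a minimal ext3-looking superblock."""
    buf = bytearray(2048)
    struct.pack_into("<H", buf, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<I", buf, SB_OFFSET + 92, COMPAT_HAS_JOURNAL)
    struct.pack_into("<I", buf, SB_OFFSET + 96,
                     INCOMPAT_RECOVER if needs_recovery else 0)
    return bytes(buf)


if __name__ == "__main__":
    # for a real image: info = inspect_superblock(open("disk.dd", "rb").read(4096))
    info = inspect_superblock(make_sample_image(needs_recovery=True))
    print(info)
    print("mount -o", recommended_mount_options(info), "disk.dd /mnt/evidence")
```

Hashing the image before and after the session (e.g. with sha256sum) is the cheap way to confirm the mount really did not write to it.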
Re: Forensic "write-blocking" capability?
Posted: 19. Aug 2010, 20:20
by Nessuno
Your advice makes sense, I see, but the sad truth is that in this case I'm facing (not a real investigation stricto sensu anyway, something like a proof of concept) I have only at hand my MacBook and an external USB drive ext3 formatted where some dd images reside. By the way: a VBox Linux guest is still twice as fast in reading an ext3 USB drive than MacFUSE/fuse-ext2!
[OT] Of course I found another solution which doesn't involve VBox use...