Episode 413 — First Responder Forensics, SNES ROM Hackery, Tailing Logs and Unicorns

First Responder Forensics with Helix/Live View. Editing Super Mario World levels with Lunar Magic. Following logs with Bare Tail. Unicorns, and a lot more.

Show Notes

Matt forgoes the vicodin for this shoot (Wisdom teeth coming out this week) and blames Darren for the HakHouse – the Internet in our living room.

D props Ghost and EDP

Post_Break has been helping D with airbase-ng and wifizoo in BackTrack3

Matt’s birthday landed on our shoot day. We took advantage of the opportunity and surprised him with, well, you’ll just have to see.

First Responder Forensics with Helix/Live View
If you’re ever in a position where you have to perform forensic imaging duties on a machine, this segment may be useful to you. The overall goal is to load a forensic .dd image into a virtual machine where you can interact with it at the user level and do some initial analysis that helps paint the overall picture of what happened later on.

What you need:
    • A Helix live CD (any of their versions should work, but I recommend 2.0)
    • Any machine that has an OS which is compatible with VMware
    • Either a removable drive, or enough free space on a network share in order to push the .dd image out to it.
    • Live View

Having VMware Workstation is a plus, but if not, Live View will automatically download and install VMware Server and the DiskMount utility for you, if you so choose.


Helix is a forensic Live CD with loads of tools. We’re focused on just the image acquisition part today. For the most part, the default options are fine: specify where you are writing the .dd image to and you’re on your way. Record the hash the acquisition tool reports as soon as the image is written; that is what lets you show later that the copy you analyse is the copy you took.

Install Live View and make sure you either let it install the necessary components or already have VMware installed ahead of time. It tends not to like the absolute newest version of VMware Server, so ideally use the older one that it suggests. Open the .dd image with Live View and either Start it directly or Generate the config files. Should you encounter problems with starting it directly, use the Generate config files option and then manually open the .vmx/.vmdk file from within VMware itself. Don’t forget to check the settings on the new VM and make sure the operating system is set correctly; the program does not always autodetect it.

In layman’s terms, this wraps the forensic image in VMware configuration files so you can boot it and interact with it as if you were the user. The .dd image itself is not converted or modified: it is opened read-only, and anything the guest writes goes to VMware’s own redo files rather than to the image. Even so, do this with a COPY of the original .dd image you take of the suspect machine, and hash the copy before and after the session so you can prove nothing changed.
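The wrap-and-verify step above, as an added example and not Live View’s own code: it writes the two VMware files that Live View generates around an untouched .dd image (a monolithicFlat .vmdk descriptor whose only extent is the raw image, and a .vmx with the disk in independent-nonpersistent mode so guest writes are discarded at power-off) and takes a SHA-256 of the image before and after, so the "nothing is written to the .dd" claim is checked rather than assumed. The file names, the "winxppro" guest OS string, the 16/63 geometry hint and the all-zero 1 MiB image that demo() builds are assumptions made for this example.

```python
import hashlib
import os
import tempfile

SECTOR = 512

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def geometry(total_sectors, heads=16, sectors=63):
    """CHS hint for the descriptor: 16 heads / 63 sectors with cylinders capped
    at 16383 (legacy IDE translation; assumption: VMware treats these as hints)."""
    cyl = min(max(total_sectors // (heads * sectors), 1), 16383)
    return cyl, heads, sectors

def vmdk_descriptor(image_name, size_bytes):
    """Descriptor for a monolithicFlat disk whose single extent IS the raw image.
    Nothing is copied or converted: VMware reads sectors straight from the .dd."""
    if size_bytes % SECTOR:
        raise ValueError("image size %d is not a whole number of %d-byte sectors"
                         % (size_bytes, SECTOR))
    total = size_bytes // SECTOR
    cyl, heads, sect = geometry(total)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        'RW %d FLAT "%s" 0' % (total, image_name),
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        'ddb.geometry.cylinders = "%d"' % cyl,
        'ddb.geometry.heads = "%d"' % heads,
        'ddb.geometry.sectors = "%d"' % sect,
        'ddb.adapterType = "ide"',
        "",
    ])

def vmx_config(vm_name, vmdk_name, guest_os):
    """Minimal .vmx. independent-nonpersistent sends guest writes to a redo log
    that VMware discards at power-off, so they never reach the .dd extent.
    guest_os is the VMware guestOS string (e.g. "winxppro"); Live View does not
    always detect it correctly, so here it is an explicit argument."""
    return "\n".join([
        'config.version = "8"',
        'virtualHW.version = "4"',
        'displayName = "%s"' % vm_name,
        'guestOS = "%s"' % guest_os,
        'memsize = "512"',
        'ide0:0.present = "TRUE"',
        'ide0:0.fileName = "%s"' % vmdk_name,
        'ide0:0.mode = "independent-nonpersistent"',
        "",
    ])

def wrap_image(image_path, vm_name, guest_os="winxppro"):
    """Write <vm_name>.vmdk/.vmx beside the image (the image itself is only ever
    opened for reading) and return its SHA-256 as the pre-session baseline."""
    image_dir, image_name = os.path.split(image_path)
    baseline = sha256_file(image_path)
    with open(os.path.join(image_dir, vm_name + ".vmdk"), "w") as f:
        f.write(vmdk_descriptor(image_name, os.path.getsize(image_path)))
    with open(os.path.join(image_dir, vm_name + ".vmx"), "w") as f:
        f.write(vmx_config(vm_name, vm_name + ".vmdk", guest_os))
    return baseline

def verify_unchanged(image_path, baseline):
    """Re-hash after the VM session; True means the image is bit-for-bit as before."""
    return sha256_file(image_path) == baseline

def demo():
    """Constructed 1 MiB all-zero image (not a real acquisition) to exercise the flow."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    with open(image, "wb") as f:
        f.write(b"\0" * (2048 * SECTOR))
    baseline = wrap_image(image, "suspect")
    with open(os.path.join(workdir, "suspect.vmdk")) as f:
        extent = [l for l in f if l.startswith("RW ")][0].rstrip("\n")
    return {"baseline": baseline, "extent": extent,
            "unchanged": verify_unchanged(image, baseline)}

if __name__ == "__main__":
    print(demo())
```

Point wrap_image() at the copy of the image, open the generated .vmx in VMware, and when you’re done call verify_unchanged() with the hash it returned. The CHS values are only hints; VMware sizes the disk from the extent’s sector count. Nonpersistent mode still creates a redo file next to the .vmx, so the folder holding the copy must be writable even though the image itself never is.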

Last week’s trivia was answered correctly by Mike S. who wrote “Dornier Do-X”. We’ve sent him the first volume of Ed Piskor’s WIZZYWIG hacker graphic novel series.

A note on trivia. Please answer trivia questions on the Hak5 forums from now on. We would love to continue doing dual winners but with growing prize costs we cannot. Also, if you’re interested in volunteering to help with trivia code challenges lend a hand in the Dev5 board.

Editing Super Mario World levels with Lunar Magic
It should be noted here that Matt sucks at Mario. Shannon walks us through some of the basics of editing Super Mario World levels with Lunar Magic. The concept is quite simple: fire up Lunar Magic, open your SMW ROM, and play. Save your changed level back to the ROM, or alternatively save the level out to an MWL file ready (and legal) for distribution. If you’d like to share your Super Mario World levels with us or check out some of the other Hak5’ers’ levels, check out our forum thread on the subject.

Rightfully red Matt shares with us another tip that’ll save you sysadmins some time and sanity. This week Matt features Bare Tail. Not just a Windows equivalent to the Unix command but a full featured log file following, highlighting and prettifying GUI perfect for everything from transaction logs to happy birthday IM conversations with yer mum.
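What a log follower like Bare Tail does underneath, as an added example written for this page rather than anything from Bare Tail: each poll() returns only the complete lines appended since the last poll, holds back a half-written trailing line, and restarts from the top when the file is truncated or replaced (log rotation) instead of silently going quiet, while classify() applies first-match-wins highlight rules. The regexes, colour names and the log lines that demo() writes are constructed for the example.

```python
import os
import re
import tempfile

# Highlight rules of the kind a log viewer applies; first match wins.
# Patterns and colour names are constructed for this example.
RULES = [
    (re.compile(r"\b(error|fail(ed|ure)?|denied)\b", re.I), "red"),
    (re.compile(r"\bwarn(ing)?\b", re.I), "yellow"),
    (re.compile(r"\b(login|logon|authenticated)\b", re.I), "green"),
]

def classify(line):
    """Colour for a line, or None if no rule matches."""
    for pattern, colour in RULES:
        if pattern.search(line):
            return colour
    return None

class Follower:
    """Incremental reader for a growing log file."""

    def __init__(self, path):
        self.path = path
        self.pos = 0        # byte offset of the first byte not yet consumed
        self.ident = None   # (device, inode) of the file last read

    def poll(self):
        """Complete lines appended since the previous poll. If the file shrank
        (truncated) or is a different file (rotated by rename), reading restarts
        at offset 0. A rewrite that ends up longer than pos is not detected by
        the size check; that is the known gap of size-based rotation detection."""
        st = os.stat(self.path)
        ident = (st.st_dev, st.st_ino)
        if ident != self.ident or st.st_size < self.pos:
            self.ident, self.pos = ident, 0
        with open(self.path, "rb") as f:
            f.seek(self.pos)
            data = f.read()
        cut = data.rfind(b"\n")
        if cut < 0:
            return []           # nothing complete yet; keep the partial line on disk
        self.pos += cut + 1
        return data[:cut].decode("utf-8", "replace").split("\n")

def follow_and_classify(follower):
    """One polling step: list of (colour, line) for newly complete lines."""
    return [(classify(line), line) for line in follower.poll()]

def demo():
    """Constructed log lines written in three steps (append, partial line,
    truncate-and-rewrite) to show what each poll returns."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")
    fol = Follower(path)
    out = []
    with open(path, "wb") as f:
        f.write(b"2008-11-25 10:00:01 INFO service started\n"
                b"2008-11-25 10:00:05 ERROR sshd: password denied for root\n")
    out.append(follow_and_classify(fol))
    with open(path, "ab") as f:
        f.write(b"2008-11-25 10:00:09 WARN disk 91% full\n2008-11-25 10:00:1")
    out.append(follow_and_classify(fol))    # the partial line is held back
    with open(path, "wb") as f:             # rotation: file truncated and rewritten
        f.write(b"2008-11-25 10:01:00 INFO user alice authenticated\n")
    out.append(follow_and_classify(fol))
    return out

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Wrap poll() in a sleep loop to get tail -f behaviour; the rules list is where you would put the patterns that matter for the log at hand (failed logons, denied connections, service restarts).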

Until next week we welcome your feedback and remind you to Trust your Technolust


  • El Di Pablo

    Darren, you are the mutha friggin’ shiznite! Thanks for the shout out and the link love in the show notes. That is above and beyond anything I could have ever asked for! Your show rocks!

    Happy Thanksgiving!

  • dave

    Am I going nuts or is this just a drive image package?

    If so, would you review acronis, ghost or drive image xml and call it “forensics”?

  • Chris


    You must be a forensics professional. Live View is a simple way to look at an image and interact with it on a user level (basically converting to VMware). It’s not meant to be anything other than a quick look at a copy of a copy. The real forensics is left to professionals using EnCase and other software.

    Yes the title may be a little misleading, but it’s very valid.

  • Cayde

    Hey don’t be hard on yourselves man, The first echoey part was not too bad, and in fact it’s not annoying at all. Keep up the great work.

  • dave

    Actually, after looking into that product a bit more… they do sort of advertise/consider themselves a forensic utility. “Live View is a tool that allows disk images or physical drives to be booted up in a virtual machine and examined in a forensically sound manner.” – They even mention Encase.

    I am not sure I understand what makes this a “forensically sound” VM as opposed to, say, VirtualBox. But the title of your piece was not as odd as it first seemed to me.

  • Chris


    If we stressed “forensically sound” too hard I apologize. It’s basically a copy of a copy that gets some VMware configuration files wrapped around it. The .dd image itself isn’t converted to a vmdk, it’s opened read-only.

    I don’t think I explained that well enough.
