What VM you use is totally up to you; I just thought that you would choose what you are familiar with. If VMware came with more benefits for you, feel free to use it. From what I know, QEMU is just command line based; it is not exclusive to Linux.
First, I need to say that I have not personally done any forensic analysis from a QEMU converted dd image, so take what I am about to say about conversion with a grain of salt. But yes, your converted dd image should "in theory" be a volume, so it should have all the file system stuff for you to carve.
Again, as jackel said, use QEMU Manager if you are less familiar with QEMU:
http://wiki.laptop.org/go/Using_QEMU_on_Windows
I'm sure you know this already, but you can't do a complete demo of what you are doing in 3 hours or less. Either you have to shrink your evidence to just carving the ones you need, or you have to just show how to do it and tell them the results. File carving and RAM analysis are not exactly the fastest or least processor intensive tasks in the world. You can do a tutorial, no problem, just not a full live demo.
Freshmen following it may be a bit of a problem for you. For one, carving is time and CPU intensive. I am not sure about your school, but at mine and at certain certificate programs, all of the forensics tools are on a Windows VM on a university server, so if everyone uses the CPU at 100%, the server may crash. Secondly, I remember you having problems getting a trial of some tools; I don't know if you have all of them already, but if you are to reproduce the results with the students, they also need the tools too. You need to decide on asking for trials for all of them or just using what your school already has. Lastly, I took a super brief look at some of the tools that were used for the Facebook analysis, and I am not sure how many of those tools you currently have access to through your university or personal licensing, but you may have to just use open source alternatives for anything you don't already have (if such a product exists), if you want to avoid the second problem.
Hope this info helps.
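The post above says a converted dd image "should in theory be a volume" but does not show how to check that before you start carving. The following is an added example, not code from the original thread or from any tool it mentions: after converting with `qemu-img convert -O raw disk.qcow2 disk.dd`, it parses the MBR partition table at the start of the raw image, computes the byte offset of each partition, and peeks at the first sector of the partition for a FAT, NTFS or ext superblock signature. The sample image it builds is constructed in the script (a 64-sector image with one FAT32 partition), so it runs offline; the function names and the small partition-type table are this example's own choices.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"

# Small subset of the standard MBR partition type codes (assumption: enough for
# the common Windows/Linux images a student lab would carve).
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x83: "Linux",
}


def parse_mbr(image: bytes) -> list[dict]:
    """Parse the four primary partition entries of the MBR at the start of a raw image.

    Returns one dict per in-use entry: type code and name, start LBA, sector
    count, byte offset (what you seek to before carving) and whether the
    partition extends past the end of the image (a truncated conversion).
    Raises ValueError if the first sector is not a valid MBR at all.
    """
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector; not a disk image")
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR image")
    partitions = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
            "truncated": (lba_start + sectors) * SECTOR > len(image),
        })
    return partitions


def volume_signature(image: bytes, part: dict) -> str:
    """Look for a file system signature at the start of a partition.

    Checks the NTFS OEM id, the FAT32/FAT boot sector strings and the ext2/3/4
    superblock magic (0xEF53 at partition offset 0x438). Returns "unknown" if
    none match, which is the hint that the image may not be a carvable volume.
    """
    off = part["byte_offset"]
    vbr = image[off: off + SECTOR]
    if len(vbr) < SECTOR:
        return "unknown"
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:57] == b"FAT":
        return "FAT12/16"
    if image[off + 0x438: off + 0x43A] == b"\x53\xEF":
        return "ext2/3/4"
    return "unknown"


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Construct a tiny raw image with an MBR and one FAT32 partition (test data, not evidence)."""
    image = bytearray(total_sectors * SECTOR)
    # MBR: one bootable FAT32 (LBA) partition starting at sector 8
    image[446:462] = struct.pack("<B3xB3xII", 0x80, 0x0C, 8, total_sectors - 8)
    image[510:512] = MBR_SIGNATURE
    # FAT32 boot sector at the partition start so the "volume" really is there
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x58\x90"      # jump instruction
    vbr[3:11] = b"MSWIN4.1"         # OEM name
    vbr[82:90] = b"FAT32   "        # file system type string
    vbr[510:512] = MBR_SIGNATURE
    image[8 * SECTOR: 9 * SECTOR] = vbr
    return bytes(image)


if __name__ == "__main__":
    # Real use: open("disk.dd", "rb").read(1 << 20) is plenty for the MBR check.
    img = build_sample_image()
    for p in parse_mbr(img):
        print("partition %d: %s, offset %d bytes (%d sectors), fs=%s, truncated=%s"
              % (p["index"], p["type"], p["byte_offset"], p["sectors"],
                 volume_signature(img, p), p["truncated"]))
```

The byte offset is what you feed to a carver or to a mounting tool (for example the offset argument of `mount -o loop,offset=...`), and a "truncated" partition or an "unknown" signature tells you the conversion did not give you a whole volume before you spend hours carving it.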