Thursday, June 16, 2011

Forensicating with Interconnected VMs Part 1

I don't believe that this series of posts will be particularly novel or ground-breaking.  I'm also not purporting that this is how everyone should do things.  There may be better ways to skin this proverbial cat, and I'd love to hear them!

The idea of using VMs that communicate with each other was introduced to me in FOR-508 by the fine folks at the SANS Institute.  I tip my hat to Rob Lee and Company for all of their hard work in developing tools and techniques for the entire DFIR community.

Stove Pipe Philosophy

I'm super-paranoid about the client data stored on my PC, and I have this nagging suspicion that The Cloud is out to get me.  Perhaps it won't kill me in my sleep as I imagine.  Most likely it will creep silently into my humble abode, traveling through the mysterious ether in my net, and enter through the back of my forensicator machine.  From there, it will corrupt my data, kick my dog, erase my pr0n or generally make me have a really bad day.

With that in mind, sometimes my forensicating requires that I tap into The Cloud's vast knowledge.  And although it'd be hip and "old school" to have a stove-piped Sneakernet, it's just not practical to keep all my workstations segregated from each other.

Connected, but not connected.  What to do?  See Part Two!