How to setup an Image Forensic lab with Ghiro

This how-to will guide you through the setup of an image forensics lab using Ghiro, a free and open source image forensics tool.

Ghiro also comes as a virtual appliance (a copy of Ubuntu Linux with everything you need already installed, which you can run on your host) to help people get a running Ghiro in a few steps.

1. Ready for virtualization

You can run the Ghiro Appliance on any host (Mac, Windows or Linux); only virtualization software is required. There are many options, free and commercial, for example VMware or VirtualBox.

VirtualBox is a free and open source virtualization software, so for the sake of this guide we are going to use it, although you can use any other software to run Ghiro Appliance.

You need to have VirtualBox working, so download and install VirtualBox following the instructions on its website.

2. Get Ghiro Appliance

Download the Ghiro Appliance from the Ghiro website in OVA format and uncompress it; it is around 600Mb.

You will extract an .OVA file (the appliance) and a readme file with setup instructions.

3. Import Appliance

Now you can import the .OVA file into VirtualBox. Open VirtualBox, go to the File menu and click on “Import Appliance…”; the import dialog will pop up.

Select the .OVA file and then click “Continue”.

Now a default settings page is proposed; just hit “Import”.

After clicking “Import” the import process will start, and in a couple of minutes it will be ready.

When the appliance is imported you will see it in the virtual machines list (don’t worry if you don’t have all the machines listed in the screenshots, I am sorry but I have many).

4. Network Configuration

Most people fail at configuring the network, so please pay attention.

Right click on your Ghiro Appliance in the VirtualBox Manager window and click Settings.

Then choose the Network tab.

You have to configure how the virtual machine can connect to your network, so now you are asked to select the network interface you are using and the type of link (bridged or host only).

In most cases you need to set “Attached to:” to “Bridged Adapter” and set “Name” to the network card you are using for your network. For example, if you are using your wired interface named “eth0”, select “eth0” in the name drop-down menu.

Remember to always set “Attached to:” to “Bridged Adapter” or “Host-only Adapter”. Never use NAT or any other option: it will not work due to how networking is implemented in VirtualBox. For more information about connectivity see the VirtualBox documentation.

5. Start and Play

Start the Ghiro Appliance by selecting it and clicking on “Start”. The boot will start, and when the appliance is ready it will show its console screen.

The appliance IP address is printed on the screen. Now just put that address in your browser and the Ghiro interface will appear.

Now log in from your browser with the same credentials and you will be ready to play:

  • Login: ghiro
  • Password: ghiromanager

Enjoy! For any questions, the Ghiro developers are available on the forum or mailing list.

Ghiro and Image Forensics Forum is opening

Ghiro is an open source project and it is driven by community needs: user feedback has great value for us.

We always want to provide a comfortable tool for user support: we have IRC chat for real time support and a mailing list for asynchronous question and answer.

Today we are announcing a new support tool: the Ghiro and Image Forensics Forum.

We hope this will be an easy-to-use way to share information, requests and feedback, not only about Ghiro but also about any Image Forensics topic.

The forum has several categories, local forums where you can talk in your native language (if a forum for your country is missing, just ask and it will be added), registration with third-party accounts (e.g. Google, GitHub), and many other features.

Continuous Integration Services I Like

The term “continuous integration (CI)” refers to a process that builds, assesses and tests code on a frequent basis.

Today continuous integration is a starting point for agile developers and is widely used.

Every project I’m working on starts with the setup of a continuous integration pipeline. I’m a big fan of agile development, which is why I was always searching for tools or services to help me develop my projects better and faster.

Here is a brief summary of the services, selected over the years, that I use in my projects. All of them are free, provide a badge you can embed in your website, and are really easy to use. As an example, I will show the services I use on Ghiro, an open source image forensics tool.

is a service to help you track your code coverage over time, and ensure that all your new code is fully covered.

This is of great help to focus you on writing tests (yep, I will do…)

For example, this is the dashboard you get for Ghiro:

DRONE.IO is another continuous integration tool. I think it is more customisable than Travis-CI, although I use both.

is a code quality service; it monitors your codebase for metrics and trends. It runs checks against your code to look for errors, code smells and deviations from stylistic conventions. It finds potential problems before they’re problems, to help you decide what and when to refactor.

It is a good service, although it is not very configurable (i.e. you can’t mark false positives); it can help to keep up the code quality of your projects.

For example, this is the dashboard you get for Ghiro; there are some false positives I can’t mark as accepted.

monitors the requirements of your project and notifies you whenever a dependency is outdated. All Python dependencies are monitored: you are notified if you are using an old library or an insecure one.

I love this service, I found it of great help. Remember: it is mandatory to keep track of insecure dependencies in your project!

For example, this is the dashboard you get for Ghiro:

Travis CI

Travis-CI is the best continuous integration and building service you will get; any description is pointless, and it is free. Kudos to these guys.

For example, this is the build report you get for Ghiro:

Cuckoo GSOC: about winners and winners

I hope you already know that this year Cuckoo Sandbox joined the Google Summer of Code program thanks to the Honeynet Project.

We proposed two project ideas: a Linux analyzer project and a Mac OS X analyzer project.

We got a lot of submissions; many talented and skilled students applied with their project proposals. Sadly Google gave only 8 slots for the whole Honeynet organisation, so trying to decide which lucky students would eventually be accepted was a hard task.

Difficult decisions unfortunately had to be made to best use the limited number of slots, so only the best student of all Cuckoo project ideas was selected.

The winner was Dmitry Rodionov with the Mac OS X analyzer project. He will work with me and Jurriaan during this summer to extend Cuckoo analysis capabilities to Mac OS X. If you are interested, you can follow the progress in a public GitHub repository.

At some point several students who applied to the Linux project started to discuss the project regardless of the GSOC results, asking for our help on some design ideas. That was amazing to me; they are pushed by curiosity. They are winners too.


This OVF package requires unsupported hardware

I was trying to import a virtual image in OVA format into VMware ESXi (or vSphere Hypervisor as it is dubbed today) when I stumbled on this error:

This OVF package requires unsupported hardware.
Details: Line 33: Unsupported hardware family 'virtualbox-2.2'.

The error mentions some kind of hardware unsupported by the vSphere hypervisor. What happened?

It usually occurs when an OVA appliance exported by VirtualBox is imported into vSphere: the default hardware format used by VirtualBox doesn’t match the vSphere one, so vSphere is unable to understand how to import the machine.

To fix it you should convert the OVA file into an OVF file compatible with vSphere, so this post could also be titled “how to convert an OVA to OVF”.

First of all download the free converter: VMware OVF Tool.

Now you can convert the OVA in an OVF with the following command:

ovftool.exe --lax source.ova destination.ovf

This command will create three files: a .MF file, an .OVF file and a .VMDK.

Open the .OVF file in a text editor and change all the VirtualBox hardware entries.

Change this:




Change this:

<rasd:Description>SATA Controller</rasd:Description>

to this:

<rasd:Description>SCSI Controller</rasd:Description>

Save and close. Your edit has now broken the integrity check. To fix it, calculate the SHA1 of the .OVF file (for example using sha1sum or fciv.exe), open the .MF file and substitute the existing hash with the calculated one.

Now all should work.
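
The manifest fix described above, as an added shell example that is not part of the original post: it recomputes the SHA1 of the edited .ovf, rewrites that entry in the .mf, and re-checks every file the manifest lists. It assumes manifest lines of the form SHA1(<file name>)= <hex digest>; the function names are illustrative.

```shell
# Added example (not from the original post). Assumes manifest lines of the
# form "SHA1(<file name>)= <40 hex digits>", one per packaged file.

# Print the SHA1 of a file as lowercase hex (sha1sum, or shasum where absent).
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# update_manifest <file.ovf> <file.mf>: replace the stored hash of the edited
# .ovf with a freshly computed one; fails if the manifest has no such entry.
update_manifest() {
    ovf=$1; mf=$2
    [ -f "$ovf" ] && [ -f "$mf" ] || { echo "missing input file" >&2; return 1; }
    name=$(basename "$ovf")
    new=$(file_sha1 "$ovf")
    [ -n "$new" ] || return 1
    tmp=$(mktemp) || return 1
    if awk -v key="SHA1($name)=" -v hash="$new" '
            index($0, key) == 1 { print key " " hash; found = 1; next }
            { print }
            END { exit found ? 0 : 1 }' "$mf" > "$tmp"
    then mv "$tmp" "$mf"
    else rm -f "$tmp"; echo "no SHA1 entry for $name in $mf" >&2; return 1
    fi
}

# verify_manifest <file.mf>: recompute every listed hash; non-zero on mismatch.
verify_manifest() {
    mf=$1; dir=$(dirname "$mf"); rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in "SHA1("*")="*) ;; *) continue ;; esac
        f=${line#"SHA1("}; f=${f%%")="*}
        want=$(printf '%s' "${line##*=}" | tr -d ' \r')
        got=$(file_sha1 "$dir/$f")
        [ "$got" = "$want" ] || { echo "MISMATCH $f" >&2; rc=1; }
    done < "$mf"
    return $rc
}
```

Run update_manifest on the edited .ovf and its .mf, then verify_manifest on the .mf before importing; a mismatch on the .vmdk entry means the disk image itself changed, not just the descriptor.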