Q: I am trying to capture data from the shadow volume of a suspect's device through an imaged file. I mounted the volume and ran the vssadmin command from an administrator CMD prompt. I am receiving an error message because the mounted (suspect's) volume is not a local volume, and vssadmin will not read it. Does anyone know how to mount an imaged file so that it is treated as local?
You can do this quite easily using a tool available for free from MS. I covered this in chapter 3 of "Windows Forensic Analysis Toolkit 3/e", but it's also described here:
http//
…and here
http//
Ok, I'll review the information you provided and follow-up.
Thanks
Keydet89
If you feel courageous, you can also try this (although you'll need Linux for it):
http//
I recently did a large update and it is starting to look promising, but it is still considered experimental.
BTW, additional info:
http//
Just for the record, you can most probably use Clonedisk (freeware/GUI) to convert the RAW image to VHD:
http//
or, more simply, raw2vhd:
http//
http//
Though, from what has been posted here:
http//
it seems like the "original" didn't end on a sector boundary, which is "strange".
@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?
I mean, the issue you had with IMDISK is probably connected with the nature of IMDISK; a more "low level" driver such as MS's own VSS SDK
http//
http//
and possibly
or Total Mounter
http//
http//
should be able to "mount" the RAW image directly, in such a way that it is accessible…
jaclaz
@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?
In order to mount the image as a volume, in a manner that would allow access to the available VSCs.
In order to mount the image as a volume, in a manner that would allow access to the available VSCs.
I know that, the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.
If you prefer, I understood the procedure as "Since I found no driver capable of properly mounting the image as a local disk, I converted it to a VHD so that I have been able to use …."
jaclaz
…the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.
I'm not sure I follow. As you say, you can install a driver, or you can make a minor modification to the image file and use what's already installed (i.e., Disk Management).
Is there a chance that you can share what the "more suited drivers" are?
Thanks.
Reviewing the responses thus far, they still do not answer my question (at least I don't believe so). Recap: I have an E01 image and, using FTK Imager, mounted the file, giving me a listed drive of M. I now open a cmd window in admin mode, cd to M, then type "vssadmin list shadows /for=m" and receive an error: "cannot list m shadow list because m is not a local drive".
Imaging is not the problem, as I know that if I can get to the shadow files as stated above, I can image them and load them into FTK or EnCase. The issue is getting the system to recognize the FTK-mounted E01 file as a local drive?