any alternative to liveview which is actually maintained?

13 Posts
9 Users
0 Likes
1,797 Views
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hello,
I'm looking for an alternative to LiveView that is actually maintained.

I need to virtualize a raw DD image from a forensic acquisition.

I'd use xmount, but unfortunately at the moment I'm stuck with a Windows box, and I have to deal with it.

I've also tried to do nasty things like using the FTK image mounter and then adding the "physical drives" to a VMware machine, but that didn't work… :P

Any advice is appreciated.

Thanks

 
Posted : 14/04/2015 5:31 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

GetData's Virtual Forensic Computing ("VFC") enables investigators to

"rapidly boot a forensic image of a suspect's computer; or boot a physical write-blocked hard drive. A virtual machine can be created from a forensic image, a write-blocked physical disk or a 'DD' raw flat file image."

VFC3

- Added detection of VMware Workstation 10 and Player 6
- Added support for parsing partitions on GPT formatted disks
- Added support for PWB routines when using a GPT formatted target disk
- Modified progress display for analysis and generate routines
- Fixed minor bug in ViewSectors dialog to prevent read past end of disk
- Added option to go to last sector of disk in ViewSectors dialog
- Added remnant hive removal check when forced dismount of vmdk is necessary
- Bypass any Windows user account password;
- Rewind a machine to 'last week' utilizing restore point forensics.

Source: http://www.virtualforensiccomputing.com/

 
Posted : 14/04/2015 9:22 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

If you have the money, then VFC is a good solution. If you don't, the excellent justaskweg.com has a lot of posts on this subject (you might find this one handy).

 
Posted : 14/04/2015 11:57 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

I've followed this approach as I have a VMware Workstation, but for some odd reason the VM doesn't boot.
Meaning it's not detecting the OS on the disk.

I have to say that this is a particular scenario, where I have 2 images which are part of a software RAID 1 built from Windows Server 2003…

I don't know if that might be the reason though.

 
Posted : 14/04/2015 12:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have to say that this is a particular scenario, where I have 2 images which are part of a software RAID 1 built from Windows Server 2003…

I don't know if that might be the reason though.

That is surely the issue at hand, I cannot remember any VM that has built-in support for RAID setups, but a RAID 1 (software or hardware) is a "plain" mirror
http://en.wikipedia.org/wiki/Standard_RAID_levels#RAID_1
i.e. each of the original disks should be byte by byte identical to the other (and conversely you need only one image) so I guess WHAT exactly you have in your hands. 😯

jaclaz

 
Posted : 14/04/2015 10:30 pm
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

jaclaz
sorry for the late reply, it was a busy day :)

Anyway, the situation is this:
I have dd images of 2 disks which were inside a server.
The two disks are a software RAID 1 (not made with a controller or fakeraid stuff) built straight from inside Windows.

On the original hardware the system was booting from them, no problem.
So I took the images and added them as virtual disks to VMware, and I was expecting the VM to boot as the real system would do.

Unfortunately it didn't work.
Anyway, not a big deal anymore, I managed to solve my issue in another way :) putting virtualization aside and isolating the evidence I needed from the dead system and running it back on another machine I created for the purpose.

 
Posted : 16/04/2015 4:01 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Anyway, the situation is this:
I have dd images of 2 disks which were inside a server.
The two disks are a software RAID 1 (not made with a controller or fakeraid stuff) built straight from inside Windows.

And AGAIN, either they were NOT a RAID 1 or their contents were IDENTICAL (and you need just one of them).

Maybe they were mirrored dynamic volumes and not strictly speaking RAID 1?

https://technet.microsoft.com/en-us/library/cc738132(v=ws.10).aspx

Mirrored volumes are fault tolerant and use RAID-1, which provides redundancy by creating two identical copies of a volume.

Or *something else*?

Check the partition ID in the MBR, if they are dynamic volumes that would be 42 instead of 07 and you would find in the last MB or so the Dynamic disk LDM database.

jaclaz

 
Posted : 16/04/2015 2:50 pm
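The check jaclaz describes (read the MBR partition type byte of each dd image and, if it is 42 rather than 07, look for the LDM database in the last megabyte) can be scripted against the raw image files directly. The block below is an added example and is not code from the thread or from any of the tools mentioned in it. It parses the four primary partition entries of sector 0, classifies the layout as basic (07), dynamic (42) or GPT (EE protective MBR), computes where the last-1-MiB LDM region sits for a given image size, and scans that region for the "PRIVHEAD" magic that opens an LDM private header. The `build_mbr` helper and the `SAMPLE_*` images are constructed test data, not sectors from the poster's server; the partition type constants and the PRIVHEAD signature are the documented values for MBR and Windows LDM, used here as assumptions rather than anything the post spells out.

```python
import os
import struct
import sys
from typing import List, NamedTuple

SECTOR = 512
LDM_RESERVE = 1024 * 1024          # LDM database lives in the last 1 MiB of an MBR dynamic disk
LDM_PRIVHEAD_MAGIC = b"PRIVHEAD"   # signature that opens each LDM private header

# MBR partition type bytes the thread cares about (assumed well-known IDs)
PARTITION_TYPES = {
    0x07: "NTFS/exFAT/HPFS (basic disk)",
    0x42: "Windows dynamic disk (LDM)",
    0xEE: "GPT protective MBR",
}


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Parse the four primary partition entries of a 512-byte MBR.

    Raises ValueError when the 0x55AA boot signature is missing, which is what
    you see when a file is a partition image rather than a whole-disk image.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id == 0x00:        # unused slot
            continue
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def classify_disk(sector0: bytes) -> str:
    """Return 'gpt', 'dynamic', 'basic' or 'no-partitions' for an MBR."""
    types = {p.type_id for p in parse_mbr(sector0)}
    if 0xEE in types:
        return "gpt"
    if 0x42 in types:
        return "dynamic"
    return "basic" if types else "no-partitions"


def ldm_database_offset(disk_size_bytes: int) -> int:
    """Byte offset of the last 1 MiB of the disk, where the LDM database lives."""
    return max(0, disk_size_bytes - LDM_RESERVE)


def has_ldm_privhead(tail: bytes) -> bool:
    """True if the given region of the disk contains an LDM PRIVHEAD signature."""
    return LDM_PRIVHEAD_MAGIC in tail


def build_mbr(entries, disk_sig: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Construct a synthetic MBR (test data only, not sectors from the thread).

    entries: iterable of (bootable, type_id, lba_start, sectors).
    """
    mbr = bytearray(SECTOR)
    mbr[440:444] = disk_sig
    for i, (bootable, type_id, lba_start, sectors) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                                        b"\xfe\xff\xff", type_id, b"\xfe\xff\xff",
                                        lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed samples: a basic NTFS disk and the same geometry marked as dynamic (LDM).
SAMPLE_BASIC = build_mbr([(True, 0x07, 63, 41929587)])
SAMPLE_DYNAMIC = build_mbr([(True, 0x42, 63, 41929587)])


def inspect_image(path: str) -> dict:
    """Run the thread's check against a raw dd image on disk."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        sector0 = f.read(SECTOR)
        f.seek(ldm_database_offset(size))
        tail = f.read(LDM_RESERVE)
    return {
        "layout": classify_disk(sector0),
        "partitions": [(p.index, PARTITION_TYPES.get(p.type_id, hex(p.type_id)),
                        p.lba_start, p.sectors) for p in parse_mbr(sector0)],
        "ldm_privhead_in_tail": has_ldm_privhead(tail),
    }


if __name__ == "__main__":
    for image in sys.argv[1:]:
        print(image, inspect_image(image))
```

Run it once per image (`python mbrcheck.py disk0.dd disk1.dd`). Two members of a Windows software mirror should both report `dynamic` with a PRIVHEAD in the tail; if one reports `basic`, the pair was not a dynamic-disk mirror, and if sector 0 has no signature at all you are looking at a partition image, which no VM will boot as a disk.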
(@wechselberger)
Posts: 11
Active Member
 

Do you know OpenLV (Link)?

K.W.

 
Posted : 06/05/2015 7:39 pm
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hi,
didn't know that… taking a look right now to see if it's worth adding to the arsenal.

Thanks very much

Mh, looks like a fork of LiveView.. let's see

 
Posted : 08/05/2015 12:14 am
(@lasvegascop)
Posts: 98
Trusted Member
 

Hi, we had the same issues so we developed our own free method using readily available free software.
We posted the method on my website here:

http://www.nvdigitalforensics.com/2015/02/convert-forensic-image-to-virtual-machine/

Larry

 
Posted : 15/05/2015 7:36 am