Has anyone ever used LiveView, validated it, etc . . . . ??
http//liveview.sourceforge.net/
Don't know what you mean by "validated it", but…
http//
Live View does a brilliant job of converting DD image file data for VMWare, but does anyone have an easy method of converting a VMware (vmdk) image to a DD (or EnCase) image, or any methods for creating an image from a VMware guest?
Andy
Yes, I do. Fire up the VMWare guest, pop in a CD containing the ProDiscoverIR Server agent, and acquire the image.
I've not really looked too deeply into ProDiscover so forgive my ignorance, but is the server a free utitliy? I'll go on the site and take a look at it.
Since posting last I've found a small program that mounts a vmware image in Windows (and gives you a drive letter), this then let me image the drive as a normal attached device.
I haven't tried this yet (but I'll try it this week), but would it be possible to;
*Edit the machine settings by adding a physical drive (to hold your image)
*Boot your VM suspect machine with a forensic boot floppy/CD
*Create an image of the VM suspect machine to the added physical drive with whatever tool you have on your floppy/CD (encase, replica, safeback, etc..)
Brett
but does anyone have an easy method of converting a VMware (vmdk) image to a DD (or EnCase) image, or any methods for creating an image from a VMware guest?
Point FTK Imager to the VMDK file and it will open it as if it were a disk image. You can then export an image of it.
Andy,
> Since posting last I've found a small program…
Great. But is the name and location of that program a secret? If so, why?
Regarding the server component of PD…no, it isn't free, it's part of the product. Sorry. It is a very sweet product…I'm working with 4.8a now.
> Since posting last I've found a small program…
I think what Andy is referring to is the vmware disk mount utility, but I could be wrong…;-)
http//
Chague,
Thanks, but I don't think we'll know until Andy lets us know.
Thanks,
H