±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35399
New Yesterday: 0 Visitors: 179

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Mounting an image

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Mar 15, 07 18:34

Since I've got some other stuff in the works already, I may have to create a "stuff that didn't make it into the book" label on my blog...  
 
  

BraneRift
Senior Member
 

Re: Mounting an image

Post Posted: Mar 21, 07 17:16

Again, like I said, I haven't testing this all the way through...but I have used LiveView before, and I pointed VDK at a .vmdk file from one of my VMWare sessions and was successful in mounting the K: drive. This was against an XP VMWare session.


Harlan,

If you do test this all the way through and plan to post it on your site, can I assume you will let us know here? I am curious to see the final results.

Everyone,

Also is there a better way to mount an E01 image other than purchasing Image Mount Pro? Would it just be better to convert it to a dd an go that route?  
 
  

balzanto
Senior Member
 

Re: Mounting an image

Post Posted: Mar 22, 07 01:15

EnCase PDE and VFS modules. I don't know the cost of the individual modules.  
 
  

mickpen
Member
 

Re: Mounting an image

Post Posted: Mar 23, 07 07:06

AFAIK Encase PDE and VFS cost considerably more than MIP.

I regularly use MIP to mount and boot images and have recently developed an app called VFC (Virtual Forensic Computing) which has around a 95% success rate in getting past the BSOD. At the moment it is only available to LE and government but should be available to others soon.

VFC does not require any conversion or dd images, it works direct from the mounted E0 (or S0 or dd) image. It doesn't get past activation but there are other methods to employ once it is booted which work 100% of the time.

I have tried to use LiveView but on closer inspection have found that it uses some of my prior research in this area and as such will only work for about 50% of the images it tries to boot.  
 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Mar 23, 07 19:16

BraneRift,

> If you do test this all the way through and plan to post it on your site, can I
> assume you will let us know here? I am curious to see the final results.

When I finally get a chance to try this out, end-to-end, sure I'll post it on my blog...but I'm not sure I'm going to go around reposting it over and over on other sites.

Of course, everything you need, even a test image, is freely available online.

Harlan  
 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Mar 27, 07 10:26

All,

I'm testing out the process end-to-end, and I've run into a small problem. LiveView does a great job of creating .vmdk files for dd images so that they can be opened in VMWare, but VDK balks with an "unknown extent type" error. I've used ProDiscover's ability to create the .vmdk file, and that worked great with VDK.

I'm looking for options for creating .vmdk from dd image files. I'm looking at using qemu-img.exe, but I'd like to see if I can't locate some other freeware options for doing this.

Thanks,

Harlan  
 
  

hogfly
Senior Member
 

Re: Mounting an image

Post Posted: Mar 27, 07 11:20

Harlan,
Unfortunately I think you may have the three best tools for the job already. What's the extent look like in the file vdk is balking at?
Maybe looking at the vmdk spec book would help?  
 

Page 3 of 10
Page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next