Booting up evidence in Virtualbox

10 Posts
4 Users
0 Likes
2,235 Views
(@imsdal)
Posts: 17
Active Member
Topic starter
 

Greetings,

Using the instructions in this link www.securityisfun.net/...using.html I have been successful in the past. However the last couple of times I have followed the instructions and receive "No bootable disk found, system halted"

I have tried to change the bootorder etc, all to no avail.

Has anyone run into this problem?

EDIT I posted this in the hardware forum as well by mistake. Any admin may go ahead and remove the duplicate in that forum space. Thank you and sorry.

 
Posted : 12/04/2018 7:26 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

EDIT I posted this in the hardware forum as well by mistake. Any admin may go ahead and remove the duplicate in that forum space. Thank you and sorry.

No problem, all sorted ;-)

 
Posted : 12/04/2018 7:57 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Imsdal,
for some reason the link you posted doesn't work (most probably it has been copied/pasted incorrectly); it should be
http://www.securityisfun.net/2014/06/booting-up-evidence-e01-image-using.html

But once that is fixed, you are not providing anything meaningful in terms of data needed/useful in assisting you with your issue.

You will need to go through the "standard litany"
https://jdebp.eu/FGA/problem-report-standard-litany.html

describing as much as you can
1) What has worked for you before
2) What is not working for you currently
3) What EXACT settings you have (or had if they changed)

At first sight it sounds like a mis-setting in "boot priority" of the VM, but without knowing EXACTLY what (virtual) device(s) are connected to the machine, where they come from what they contain (or should contain), etc., etc. it is impossible to understand what is happening and (hopefully) solve the issue.

As a side note, the suggestion on the referenced site about enabling LSI_SCSI or LSI_SAS drivers makes no sense whatsoever, as in 99.99% of real cases/hard disk images those drivers won't be present at all in the disk image; rather the opposite will happen, i.e. the image will have some SATA drivers enabled and you will need to switch to IDE/ATA ones, using something *like*
https://www.foolishit.com/free-tech-tools/fixide/
or similar for later Windows versions.

jaclaz

 
Posted : 12/04/2018 8:45 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

What kind of image is it?

DD may work right off the bat, but other formats may require you to set an offset so they know where the actual partition starts.

 
Posted : 12/04/2018 5:20 pm
(@imsdal)
Posts: 17
Active Member
Topic starter
 

I have mirrored a disk with FTK Imager. It is an E01 file.
I use a Deltaco hard disk docking station with my 4 TB disk; on this I have the E01 file.

I have installed Virtualbox and the addons on my C drive. The evidence is located on my F drive.
I have tried to change the booting order. Right now only the harddisk is ticked, still the same error.

I've also done a physical as well as a physical and logical mount in FTK Imager. The image file contains an installation of Windows 10 64-bit.

In prior cases I have been successful with this very same procedure. But I have also been unsuccessful an equal amount of times.

I do not have a license for VFC and am unable to try this. I need to boot up the evidence since there are Office templates on there which I need to study in Office.

 
Posted : 13/04/2018 9:41 am
(@imsdal)
Posts: 17
Active Member
Topic starter
 

What kind of image is it?

DD may work right off the bat, but other formats may require you to set an offset so they know where the actual partition starts.

This sounds very likely. I have no idea of how to do this so that Virtualbox can figure it out. Have you had any experiences with this?

 
Posted : 13/04/2018 10:12 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I've also done a physical as well as a physical and logical mount in FTK Imager. The image file contains an installation of Windows 10 64-bit.

Try using the Arsenal Image Mounter instead
https://arsenalrecon.com/weapons/image-mounter/

The logical mount in FTK Imager won't ever (i.e. cannot possibly) boot (and I doubt the physical one will either).

Provided that the image is valid, it is entirely possible that for *whatever* reasons it doesn't work, I would rather boot the VM from a grub4dos floppy and inspect the contents of the forensics image.

What you imaged (and conversely what you mounted) is critical. Since Windows 7 at least, a large number of machines have been installed (per MS instructions) with two volumes: a "system" one (containing the "boot" files) that normally is NOT assigned a drive letter, and a "boot" one (that contains the "system" files) that normally gets drive letter C. If the source was set up like that, you should have two volumes mounted (and accessible from the VM).

Another possibility is that the disk is GPT (coming from a physical UEFI machine) and the (virtual) machine has been set to BIOS (as opposed to UEFI) boot.

jaclaz

 
Posted : 13/04/2018 4:04 pm
(@imsdal)
Posts: 17
Active Member
Topic starter
 

Great answers, thank you.

Since I've got it to work with FTK Imager, the physical mount must work. I've tried the software you proposed. It mounts it fine, but I get the same error message when trying to open the vmdk in Oraclebox.

Your GPT vs MBR theory seems legitimate. Haven't found any settings to change this in Oracle VirtualBox. Maybe I need to tell it it's GPT (since Arsenal Image Mounter tells me the partition layout is GPT) while creating the raw vmdk.

 
Posted : 16/04/2018 6:09 am
(@imsdal)
Posts: 17
Active Member
Topic starter
 

I got it to work!!

Using FTK Imager I booted it.
From VirtualBox I proceeded to choose "Use EFI (special OS'es only)"; from there all partitions got listed.
I went in and started the EFI bootloader (\EFI\boot\bootx64.efi) and it popped right up.

Never been happier. Thank you all

 
Posted : 16/04/2018 6:53 am
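jaclaz's GPT-vs-BIOS point and the "Use EFI" fix that resolved the thread both hinge on the partition scheme of the imaged disk. As an added example (not code from anyone in this thread), the Python below reads the first two sectors of a raw image or mounted physical disk and reports whether the VM should be set to legacy BIOS or EFI; the three sample images are constructed inline, and the file path handling is an assumed convenience.

```python
import struct

SECTOR = 512  # classic sector size; a physical-disk image starts at LBA 0

def classify_disk_image(data: bytes) -> dict:
    """Inspect LBA 0 (MBR) and LBA 1 (possible GPT header) and say which VM
    firmware mode the disk expects. Never raises on unknown layouts."""
    if len(data) < 2 * SECTOR:
        raise ValueError("need at least the first two 512-byte sectors")
    mbr, lba1 = data[:SECTOR], data[SECTOR:2 * SECTOR]
    info = {"boot_signature": mbr[510:512] == b"\x55\xAA",
            "scheme": "unknown", "vm_firmware": None}
    if not info["boot_signature"]:
        # No 0x55AA: wrong offset, a logical (volume-only) mount, or not a disk
        return info
    entries = [mbr[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)]
    types = [e[4] for e in entries]
    if 0xEE in types and lba1[:8] == b"EFI PART":
        info["scheme"] = "GPT"
        info["vm_firmware"] = "EFI"      # VirtualBox: System > Enable EFI
        info["gpt_partitions"] = struct.unpack_from("<I", lba1, 80)[0]
    else:
        info["scheme"] = "MBR"
        info["vm_firmware"] = "BIOS"     # legacy boot, needs an active partition
        info["active_partition"] = any(e[0] == 0x80 for e in entries)
    return info

def build_mbr(entries):
    """Constructed test data: entries are (boot_flag, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<B3sB3sII", b, bytes(3), t, bytes(3), s, n)
                     for b, t, s, n in entries)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xAA"

def build_gpt_header(num_entries):
    """Constructed minimal GPT header for LBA 1 (CRCs left zero)."""
    hdr = b"EFI PART" + struct.pack("<IIII", 0x00010000, 92, 0, 0)
    hdr += struct.pack("<QQQQ", 1, 0, 34, 0) + bytes(16)   # LBAs + disk GUID
    hdr += struct.pack("<QII", 2, num_entries, 128)        # entry count at offset 80
    return hdr.ljust(SECTOR, b"\x00")

# Constructed samples: legacy disk with one active NTFS partition, UEFI disk
# (protective MBR type 0xEE + GPT header), and an all-zero blob.
LEGACY_IMAGE = build_mbr([(0x80, 0x07, 2048, 204800)]) + bytes(SECTOR)
UEFI_IMAGE = build_mbr([(0x00, 0xEE, 1, 0xFFFFFFFF)]) + build_gpt_header(128)
BLANK_IMAGE = bytes(2 * SECTOR)

if __name__ == "__main__":
    import sys  # assumed usage: python script.py /path/to/raw.dd (or \\.\PhysicalDriveN)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(classify_disk_image(f.read(2 * SECTOR)))
    else:
        for name in ("LEGACY_IMAGE", "UEFI_IMAGE", "BLANK_IMAGE"):
            print(name, classify_disk_image(globals()[name]))
```

Run it against the raw device Arsenal Image Mounter exposes, or the dd image, before building the raw vmdk; "GPT" with no EFI setting in the VM reproduces the "No bootable disk found" symptom from this thread.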
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I got it to work!!

Good. :)

jaclaz

 
Posted : 16/04/2018 8:30 am