EnCase doesn't process Virtual Machine Image  

elchinmv
(@elchinmv)
New Member

Hello folks,

I have a VDI image that I need to examine for IR purposes. I am trying to use EnCase to process/analyze it, but EnCase doesn't produce any results. I converted the image to Raw and E01 using FTK Imager to see if it makes a difference, but still, EnCase doesn't extract the file contents. Magnet Axiom, however, does extract the file contents. Does anyone have any hands-on experience with using EnCase for VDI images? I appreciate any help you can provide.

Topic starter Posted : 28/08/2020 12:29 am
Rich2005
(@rich2005)
Senior Member

What's the file-system in the VDI? Something EnCase doesn't support?

I would have thought it should be OK if you've converted to RAW and added it.

Alternatively, I suppose you could try using vboxmanage to convert it to VMDK and see if that allows it to load (not used EnCase in years, but pretty sure it supports VMDKs).

Posted : 28/08/2020 9:44 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @elchinmv

Hello folks,

I have a VDI image that I need to examine for IR purposes. I am trying to use EnCase to process/analyze it, but EnCase doesn't produce any results. I converted the image to Raw and E01 using FTK Imager to see if it makes a difference, but still, EnCase doesn't extract the file contents. Magnet Axiom, however, does extract the file contents. Does anyone have any hands-on experience with using EnCase for VDI images? I appreciate any help you can provide.

How (exactly) did you capture the VDI image?

Are we talking of the VirtualBox VDI format?

Why (the heck) did you capture it in VDI format? <- only a rhetorical question

In any case, if the image was converted properly to RAW, EnCase (or any other tool, for that matter) won't have any issue with it.

Which probably means that *somehow* the image wasn't properly converted.

Try with other conversion tools; if it is a VirtualBox .vdi, try VirtualBox's VBoxManage or vbox-img, or QEMU's qemu-img:

https://gist.github.com/hightemp/11196851

A RAW or "dd-like" image is a 1:1 copy of the disk, so you can verify it is a valid disk image with almost *any* tool.

jaclaz

Posted : 28/08/2020 9:44 am
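A quick sanity check along the lines jaclaz suggests, as an added example (not code from the thread, EnCase, VirtualBox or QEMU): read the first two sectors of the converted file and report whether it still carries the VirtualBox VDI banner (conversion never happened) or looks like a raw MBR/GPT disk. The VDI text banner, the 0x55AA boot signature and the "EFI PART" GPT marker are the standard on-disk values; the sample images are constructed inline.

```python
import struct

SECTOR = 512
VDI_BANNER = b"<<< Oracle VM VirtualBox Disk Image >>>"  # first bytes of a .vdi file


def classify_image(data: bytes) -> dict:
    """Classify the first two sectors of an image.

    kind is one of 'vdi' (still a VirtualBox container, not raw),
    'raw-mbr', 'raw-gpt' or 'unknown'. For MBR-style tables the four
    primary entries that are in use are returned as well.
    """
    head = data[: 2 * SECTOR]
    if head.startswith(VDI_BANNER):
        return {"kind": "vdi", "partitions": []}
    if len(head) < SECTOR or head[510:512] != b"\x55\xaa":
        return {"kind": "unknown", "partitions": []}
    parts = []
    for i in range(4):  # MBR partition table: 4 x 16-byte entries at offset 446
        entry = head[446 + 16 * i : 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:  # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    # A GPT disk keeps a protective MBR in sector 0 and its header in sector 1.
    if len(head) >= 2 * SECTOR and head[SECTOR : SECTOR + 8] == b"EFI PART":
        return {"kind": "raw-gpt", "partitions": parts}
    return {"kind": "raw-mbr", "partitions": parts}


def classify_file(path: str) -> dict:
    """Convenience wrapper: inspect the first 1 KiB of an image on disk."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(2 * SECTOR))


def build_mbr_sample() -> bytes:
    """Constructed sample: raw image whose MBR has one NTFS (type 0x07) partition."""
    sector0 = bytearray(SECTOR)
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    struct.pack_into("<BBBBBBBBII", sector0, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    sector0[510:512] = b"\x55\xaa"
    return bytes(sector0) + bytes(SECTOR)


def build_vdi_sample() -> bytes:
    """Constructed sample: a file that was never converted out of VDI format."""
    return VDI_BANNER + b"\n" + bytes(2 * SECTOR)
```

If the converted file still classifies as 'vdi' or 'unknown', the conversion step (not EnCase) is the thing to revisit.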
EnCaseDC
(@encasedc)
New Member

Hi Elchinmv,

Don't be shy to reach out to our technical services if you have an issue. And if there's a problem with the image itself, or if there's an enhancement required for our parsing, this is one of the ways we can continue to grow the product.

Posted : 09/09/2020 4:02 pm