Loading E01 files in VMWare Player  

sovietpecker
(@sovietpecker)
Junior Member

Hello guys,

I would love to mount a copy of a forensically acquired E01 file into VMWare Player. I know Forensic Explorer with Mount Image Pro has a great solution that works well with VMWare Player, but I want to know if I need Forensic Explorer to do that.

So what I have is an E01 image file, which is split into several files because I chose that option when creating the image. Also, I have VMWare Player installed.

Could someone tell me what process to follow, or if there are any online resources I could follow to achieve this?

Thanks.

Posted : 06/07/2017 8:10 pm
jaclaz
(@jaclaz)
Community Legend

I would love to mount a copy of a forensically acquired E01 file into VMWare Player.

Mount or boot from? 😯

And if mount at which level?

There is an IMDISK proxy for EWF images:
http://reboot.pro/topic/19940-ewf-proxy-for-imdisk/

And OFSMOUNT (which is a derivative of IMDISK) has EWF/.E01 compatibility:
http://www.osforensics.com/tools/mount-disk-images.html
but as you might know IMDISK only exposes the volume, not the disk.

There has been some talk about having the same functionalities in Arsenal Image Mounter (which is a "whole disk" driver):
http://reboot.pro/topic/19725-mounting-windows-81-disk-from-ewf
I cannot say if in the meantime the feature has been fully debugged and added to the release; you'll have to check.

jaclaz

Posted : 06/07/2017 8:47 pm
sovietpecker
(@sovietpecker)
Junior Member

Thanks for the reply jaclaz,

I actually want to boot from it not just mount it. Sorry for the confusion.

Posted : 06/07/2017 9:51 pm
jaclaz
(@jaclaz)
Community Legend

I actually want to boot from it not just mount it. Sorry for the confusion.

Well technically it is simply not possible. 😯

The EWF is (should be) a Read Only format, the whole point being that it is (should be) evidence.

When you boot from a disk image (particularly a Windows OS, which is likely the case even if you didn't mention it) there are a huge number of changes to the filesystem and Registry needed as drivers will need to be adapted from the original "real machine" ones to the ones needed for the Virtual Machine, and BTW this process is not usually as easy as you seem to believe it to be.

Nothing however prevents you from converting the EWF to a RAW image and then "converting" the latter into a VMDK. VMware Player uses/can use a VMDK format that consists of a plain RAW image plus an external descriptor file, which is very easy to create: there are several suitable tools, but it is also easy to create manually or by script.

As well (but I cannot say if it applies specifically to VMware, and particularly to VMPlayer), many VM's can use a \\.\PhysicalDrive, so another easy way is to restore the EWF image to a disk and just connect the disk to the VM.

jaclaz

Posted : 06/07/2017 10:29 pm
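One way to script the descriptor step jaclaz describes (plain RAW image plus a small text descriptor), as an added example that is not from the thread or from VMware: a Python function that writes a flat-extent VMDK descriptor over one or more raw segment files. It assumes the E01 has already been exported to raw (for instance with libewf's ewfexport), either as one file or as numbered segments, and that every segment is a whole number of 512-byte sectors.

```python
"""Build a flat-extent VMware VMDK descriptor for a raw image exported from an E01.

Added example, not a tool from the thread. Assumptions: the E01 was already
exported to raw (e.g. with libewf's ewfexport), as one file or as numbered
segments, and every segment is a whole number of 512-byte sectors.
"""
import os

SECTOR = 512
SECTORS_PER_TRACK = 63
# Heads per adapter type, as VMware/qemu-img compute flat-disk geometry.
HEADS = {"ide": 16, "lsilogic": 255, "buslogic": 255}


def build_descriptor(extents, adapter="lsilogic"):
    """extents: list of (filename, size_in_bytes) in disk order.
    Returns the descriptor text for a VMDK spanning those raw files."""
    if adapter not in HEADS:
        raise ValueError("unsupported adapterType: %s" % adapter)
    extent_lines, total_sectors = [], 0
    for name, size in extents:
        if size <= 0 or size % SECTOR:
            raise ValueError("%s: %d bytes is not a multiple of %d" % (name, size, SECTOR))
        sectors = size // SECTOR
        # One FLAT extent per raw file: access, size in sectors, file, offset.
        extent_lines.append('RW %d FLAT "%s" 0' % (sectors, os.path.basename(name)))
        total_sectors += sectors
    heads = HEADS[adapter]
    cylinders = total_sectors // (heads * SECTORS_PER_TRACK)
    create_type = "monolithicFlat" if len(extents) == 1 else "twoGbMaxExtentFlat"
    header = ["# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
              "CID=fffffffe", "parentCID=ffffffff",
              'createType="%s"' % create_type, "", "# Extent description"]
    ddb = ["", "# The Disk Data Base", "#DDB", "", 'ddb.virtualHWVersion = "4"',
           'ddb.geometry.cylinders = "%d"' % cylinders,
           'ddb.geometry.heads = "%d"' % heads,
           'ddb.geometry.sectors = "%d"' % SECTORS_PER_TRACK,
           'ddb.adapterType = "%s"' % adapter]
    return "\n".join(header + extent_lines + ddb) + "\n"


def descriptor_for_files(paths, adapter="lsilogic"):
    """Stat the exported raw segments on disk and build their descriptor."""
    return build_descriptor([(p, os.path.getsize(p)) for p in paths], adapter)


if __name__ == "__main__":
    # Constructed sample: a 4 GiB disk exported as two 2 GiB raw segments.
    sample = [("evidence.raw.000", 2 * 1024 ** 3), ("evidence.raw.001", 2 * 1024 ** 3)]
    print(build_descriptor(sample), end="")
```

Save the output as a .vmdk beside the raw files and attach it to the VM as an independent-nonpersistent disk (e.g. `scsi0:0.mode = "independent-nonpersistent"` in the .vmx) so that boot-time writes go to a redo log and the exported raw stays unchanged; verify its hash against the original afterwards.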
sovietpecker
(@sovietpecker)
Junior Member

I do not think that the fact that the EWF is read only is an issue. All ISO files are read only. I mean if I create a Linux ISO or take a Linux ISO and create a bootable VM from it, it would not alter the original ISO file.

The example you gave with the restoration to disk seems similar to how Forensic Explorer does it: http://www.forensicexplorer.com/live-boot.php

Posted : 06/07/2017 10:36 pm
jaclaz
(@jaclaz)
Community Legend

I do not think that the fact that the EWF is read only is an issue. All ISO files are read only. I mean if I create a Linux ISO or take a Linux ISO and create a bootable VM from it, it would not alter the original ISO file.

And - surprisingly enough - Windows based PE's can as well boot off .iso's just fine.

Windows installs cannot (and won't)[1].

But of course you are welcome to try.

jaclaz

[1] It is possible, for special builds, involving a RAMdisk to boot even a "full" Windows from a read only media, but it is not your case.

Posted : 06/07/2017 11:27 pm