Hello
i'm looking for an alternative to liveview that is actually maintained.
I need to virtualize a raw DD image from a forensics acquisition.
I'd use xmount, but unfortunately at the moment i'm stuck with a windows box, and i have to deal with it.
I've also tried to do nasty things like using the FTK image mounter and then adding the "physical drives" to a vmware machine, but that didn't work… p
any advice is apreciated.
thanks
GetData's Virtual Forensic Computing ("VFC") enables investigators to
"rapidly boot a forensic image of a suspects computer; or boot a physical write blocked hard drive. A Virtual machine can be created from a forensic image, a write blocked physical disk or a 'DD' raw flat file image.
VFC3
- Added detection of VMware work station 10 and Player 6
- Added support for parsing partitions on GPT formatted disks
- Added support for PWB routines when using a GPT formatted target disk
- Modified progress display for analysis and generate routines
- Fixed minor bug in ViewSectors dialog to prevent read past end of disk
- Added option to go to last sector of disk in ViewSectors dialog
- Added remnant hive removal check when forced dismount of vmdk is necessary
- Bypass any Windows user account password;
- Rewind a machine to 'last week' utilizing restore point forensics.
Source http//
If you have the money, then VFC is a good solution. If you don't, the excellent
i've followed this approach as i have a vmware workstation, but for some odd reasons the VM doesn't boot.
meaning it's not detecting the OS on the disk.
I have to say that this is a particular scenario, where i have 2 images which are part of a software raid1 built from windows server 2003…
i don't know if that might be the reason tho
I have to say that this is a particular scenario, where i have 2 images which are part of a software raid1 built from windows server 2003…
i don't know if that might be the reason tho
That is surely the issue at hand, I cannot remember any VM that has built-in support for RAID setups, but a RAID 1 (software or hardware) is a "plain" mirror
http//
i.e. each of the original disks should be byte by byte identical to the other (and conversely you need only one image) so I guess WHAT exactly you have in your hands. 😯
jaclaz
jaclaz
sorry for the late reply, it was a busy day )
anyway the situation is this
i have dd images of 2 disks which were inside a server
the two disks are a software raid1 (not made with a controller or fakeraid stuff) built stright from inside windows.
On the original hardware the system was booting from them no problem.
So i took the images and added them as virtual disks to vmware, and i was expecting the VM to boot as the real system would do.
unfortunately it didn't work.
anyway, not a big deal anymore, i managed to solve my issue in another way ) putting virtualization aside and isolating the evidences i needed from the dead system and running them back on another machine i created for the purpose.
anyway the situation is this
i have dd images of 2 disks which were inside a server
the two disks are a software raid1 (not made with a controller or fakeraid stuff) built stright from inside windows.
And AGAIN, either they were NOT a RAID 1 or their contents were IDENTICAL (and you need just one of them).
Maybe they were mirrored dynamic volumes and not strictly speaking RAID 1? ?
https://
Mirrored volumes are fault tolerant and use RAID-1, which provides redundancy by creating two identical copies of a volume.
Or *something else*? ?
Check the partition ID in the MBR, if they are dynamic volumes that would be 42 instead of 07 and you would find in the last Mb or so the Dynamic disk LDM database.
jaclaz
Do you know OpenLV (
K.W.
Hi,
didn't know that… taking a look right now and see if it's worth adding it to the arsenal
THanks very much
mh, looks like a fork of liveview.. let's see
Hi, we had the same issues so we developed our own free method using readily available free software.
We posted the method on my website here..
http//
Larry