Not sure if it is possible, but one thing I have been thinking about is the ability to create a bootable hard drive from an existing DD Image (or smart or E01).
This is something I have been tinkering with because we do a lot of malware investigations and the only way to see the malware is to turn the hard drive on.
So, assume I have a suspect hard drive, and I use FTK Imager to create a DD image. Now, is it possible to take that DD image and convert it to some sort of hard drive that I can plug into another system to boot?
As of right now, I am taking suspect hard drives and cloning them to another hard drive using a hardware cloner. Once I have my clone, I am working on a method to take that and convert it to a virtual machine that we can stand up.
Anyone have any thoughts on the above?
Thanks.
JW
You should take a look at Live View http://liveview.sourceforge.net/
If you want to run it in a VM, you can use http//
> dd if=/job/image1.dd of=/dev/sda
Adapt to suit your drive and image name.
Ditto for LiveView from CERT CC.
One thing to keep in mind for either option is Windows Activation. If the machines you convert are not Volume license, then it is very likely that the activation of the OS will get tripped by the change to virtual HD.
It has happened to me several times. At this point, the system will start up, but you will not be able to log in.
Mark
> Not sure if it is possible, but one thing I have been thinking about is the ability to create a bootable hard drive from an existing DD Image (or smart or E01).
dd image… how about dd? But perhaps I don't understand the problem?
.E01 … if you have Encase, just restore the image to drive. Or export to dd using the appropriate EnScript. Or mount as emulated disk drive with whatever tool you are using (Encase PDE, Mount Image pro, …), and dd from there.
If you want to go the VMware virtual machine route, LiveView has already been mentioned. It does fail in some cases, though. I believe LiveView adjusts machine (and registry?) settings, so if you absolutely have to do a hard drive, you may want to take the LiveView disk image and restore that.
There's a SourceForge project raw2vmdk that does just the basic conversion: it sets up a vmdk file to refer to your dd image. (You probably want to snapshot it as soon as you can.) I recently tried it out, and it did manage to make sense of an image that LiveView failed to, so it's probably a useful tool to have around.
If your environment is Linux, the QEMU emulator has a converter tool. Not very fast, from the descriptions I've read so far, but it understands the vmdk format.
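As an added example (not from the thread, and not raw2vmdk's own code), here is a POSIX shell function that does what raw2vmdk is described as doing: it writes a VMware "monolithicFlat" VMDK descriptor whose single extent points at the untouched dd image, so a VM can boot from it. The function name and the constructed `evidence.dd` sample are assumptions.

```sh
#!/bin/sh
# Writes a VMware "monolithicFlat" VMDK descriptor that points at an existing
# raw dd image. Only a small text file is created; the evidence image itself
# is never opened for writing here. Snapshot the VM before first boot so guest
# writes land in the snapshot, not in the image. (Added example, assumed names.)

# make_vmdk_descriptor IMAGE OUT.vmdk
# Prints the sector count on success, returns 1 on a bad image.
make_vmdk_descriptor() {
    image=$1
    out=$2
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    bytes=$(wc -c < "$image" | tr -d ' ')
    # A raw disk image must be a whole number of 512-byte sectors; a
    # truncated or padded acquisition fails this check.
    [ $((bytes % 512)) -eq 0 ] || { echo "$image: size not sector-aligned" >&2; return 1; }
    sectors=$((bytes / 512))
    # Classic 255 heads x 63 sectors/track geometry, cylinders rounded up.
    cyl=$(( (sectors + 255 * 63 - 1) / (255 * 63) ))
    # The extent references the image by basename, so the descriptor has to
    # live in the same directory as the dd image.
    base=$(basename "$image")
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW $sectors FLAT "$base" 0

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
EOF
    echo "$sectors"
}

# Demo on a constructed 2 MiB all-zero image standing in for the dd image.
work=$(mktemp -d)
dd if=/dev/zero of="$work/evidence.dd" bs=512 count=4096 2>/dev/null
make_vmdk_descriptor "$work/evidence.dd" "$work/evidence.vmdk"
cat "$work/evidence.vmdk"
```

Point the VM at the generated `.vmdk` (not at the `.dd`), and hash the dd image before and after the session to confirm nothing wrote through to it.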
Very nice.
Thanks everyone for your input.
Going to give LiveView a spin today.
Thanks again.
JW
You could also look into Speed Clone, which can literally just clone the suspect drive to another clean drive bit for bit. This would be an easier and less time-consuming option than taking an image and then converting that image over; it's basically skipping a step.
Look into Mount Image Pro. We use it a lot and I have never had an issue with it. We also purchased Virtual Forensic Computing with it to be able to create VMs of the images.
> Ditto for LiveView from CERT CC.
> One thing to keep in mind for either option is Windows Activation. If the machines you convert are not Volume license, then it is very likely that the activation of the OS will get tripped by the change to virtual HD.
> It has happened to me several times. At this point, the system will start up, but you will not be able to log in.
> Mark
You can bypass this problem rather easily
1 - Boot into safe mode
2 - Go to Start / Run and type in 'rundll32.exe syssetup, SetupOobeBnk' (without the quotes) and then
3 - restart the computer. You'll be able to login for another 30 days …
That's for Win XP. Not sure about other systems …
If your environment is Linux, take a look at xmount (https://
If you only convert the image, then qemu or VBoxManage (from VirtualBox) is your friend, also in Windows environments.