Encase Evidence File with Virtual Machine (Without PDE Mode)

you can try Mount Image pro or SmartMount. They are great tools for evidence mounting.

yep mount image pro should do the job, or another way is to load the files into encase an then restore the drive to another disk and examine that disc itself.

If the above are too expensive, try ewflib and the associated tools. They work a treat for me.

Paul

You could also convert your image to raw using FTKImager (free) and then using liveview (free) to generate VMWare config files and then opening in VMWare server (free). D

Do the following procedure

1. Download VMware player;
2. Create a Virtual Linux environment with two virtual disks, one for the Linux system and another on for the restored image;
3. Install Linux;
4. Use efwlib to restore the image to the second virtual disk;
5. When the restore is finished, create a new VM with the operating system of your image and attach the restored disk to it.
6. Boot the system.

Hope this helps.

4. Use efwlib to restore the image to the second virtual disk;

I can't find efwlib anywhere, and the previous poster that referred to ewflib had a link to libewf.

If it's free you're looking for P2 Explorer from Paraben can mount the EWF format. I'm currenlty working on getting mount_ewf.exe working on Windows…ran into a couple of issues that I'm trying to get assistance working through.

My usual approach is to use FTK Imager to blow out the EWF to raw/dd format and go from there.

4. Use efwlib to restore the image to the second virtual disk;

I can't find efwlib anywhere, and the previous poster that referred to ewflib had a link to libewf.

I really meant libewf, sorry about the mistake.

I can't find efwlib anywhere, and the previous poster that referred to ewflib had a link to libewf.

Yup, hands up to that one - seems I need to go to the Doctor and see what he can do for my problem…

I think the reason I transposed the syllables is that most of the associated tools that make use of the library start with 'ewf…'.

Incidentally, there is a python script that will 'mount' ewf format files. In fact what it does is expose the raw data which you can then mount on a loop device.

Mounting in this fashion saves on disk space at the expense of processing power (but it is free).

Paul

With the linux-tool xmount (www.pinguin.lu) you can create a (virtual) RAW-, VMware- or VirtualBox-Image on the fly. No need to convert the Encase Evidence File - saves a lot of disk space and time. xmount also supports virtual write access to the output files that is redirected to a cache file.
With an other tool from this site called OpenGates you can easy fix an Windows to run in an virtual environment.

There is also a little HowTo
http//files.pinguin.lu/projects/HOWTO-BootingAcquiredWindows.pdf