Just looking for some software, preferably free, to create the necessary virtual files from a mounted image. Ideally I want to generate them from Win7 images; however, Live View stopped support at Vista. Is there any other software/methods out there I could use which I may have overlooked, given a non-existent budget?
Thanks
It's very easy to create a VMDK to add in VMware. First create a virtual machine with a pre-allocated disk image; the smaller the disk image the better it is, since it's going to be discarded, but make sure it's at least 10GB so that the LBA CHS parameters will be set correctly.
Then convert your forensic image to RAW (DD) if it's not RAW already. Copy it where you created the virtual machine, open the small VMDK descriptor file and change the following line
Replace #SECTORCOUNT# with the size in bytes of your image divided by 512 and #INSERTFILENAMEHERE# with the file name of the RAW forensic image. (You can delete the previous preallocated disk file.)
# Extent description
RW #SECTORCOUNT# FLAT "#INSERTFILENAMEHERE#" 0
Now if the machine BSODs it's likely going to be because you need to enable/disable AHCI or other storage drivers in the registry using the offline NT registry editor. I can list you all the changes if needed.
BTW I read recent versions of VMware can automatically virtualize (with all the required registry changes) physical machines, maybe it also does that for disk images?
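The descriptor edit described in the reply above, as an added example that is not part of the original thread: it computes the sector count from the raw image size and rewrites the single FLAT extent line. The sample descriptor, the file names `scratch-flat.vmdk` and `evidence.dd`, and the image size are constructed for illustration.

```python
import re

SECTOR_SIZE = 512  # the reply divides the image size in bytes by 512

# Extent line as shown in the reply, e.g.: RW 20971520 FLAT "scratch-flat.vmdk" 0
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+\d+\s+FLAT\s+"[^"]*"\s+\d+$')


def sector_count(image_size_bytes):
    """Sectors in the raw image; a remainder suggests a truncated or non-raw file."""
    if image_size_bytes <= 0 or image_size_bytes % SECTOR_SIZE:
        raise ValueError(f"{image_size_bytes} bytes is not a whole number of sectors")
    return image_size_bytes // SECTOR_SIZE


def repoint_descriptor(descriptor_text, raw_name, image_size_bytes):
    """Return the descriptor with its one FLAT extent pointing at raw_name."""
    if not raw_name or '"' in raw_name:
        raise ValueError("raw image name must be non-empty and contain no quotes")
    sectors = sector_count(image_size_bytes)
    lines = descriptor_text.splitlines()
    hits = [i for i, line in enumerate(lines) if EXTENT_RE.match(line.strip())]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one FLAT extent, found {len(hits)}")
    # RW lets the guest write to the raw file, so raw_name should be a working copy.
    lines[hits[0]] = f'RW {sectors} FLAT "{raw_name}" 0'
    return "\n".join(lines) + "\n"


# Constructed descriptor of a small pre-allocated disk (not taken from the thread).
SAMPLE_DESCRIPTOR = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 20971520 FLAT "scratch-flat.vmdk" 0

# The Disk Data Base
ddb.adapterType = "ide"
"""

if __name__ == "__main__":
    # 250059350016 is a constructed size; use os.path.getsize() on the real image.
    print(repoint_descriptor(SAMPLE_DESCRIPTOR, "evidence.dd", 250059350016))
```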
If *needed*, here is a simple batch (for "old style" .pln file descriptors)
http://www.forensicfocus.com/Forums/viewtopic/p=6518434/#6518434
and here an AutoIt for VMDK file descriptors
https://
or raw2vmdk
http://
jaclaz
A bit more info
To convert a RAW (DD) image to VDI (VirtualBox Disk Image) you can use "%Program Files%\Oracle\VirtualBox\VBoxManage.exe":
VBoxManage convertdd "INPUTNAMEFILE.DD" "OUTPUTNAMEFILE.VDI" --format VDI
You can also use VBoxManage to create a VMDK by using "--format VMDK" but the file created (as far as I remember) is not a flat (RAW) type. If the VMDK is non-flat the descriptor is stored along with the data and that becomes an annoyance in case you need to change controller type.
If the VM BSODs with INACCESSIBLE_BOOT_DEVICE (STOP 0x0000007B) you have to set the correct controller drivers, e.g. by mounting the SYSTEM hive on a live Windows system or using a bootable registry editor (like Offline NT Password & Registry Editor). To boot a VMDK configured as IDE you have to change the Start value of the following subkeys inside "HKLM\System\ControlSet001\Services".
If you use "Offline NT Password & Registry Editor" remember that it's case sensitive and some registry keys may have different uppercase/lowercase letters from the ones I listed. Also some keys (e.g. the last two) may not be present on XP.
AliIde 3
AmdIde 3
atapi 0
CmdIde 3
iaStor 3
iaStorV 3
IntelIde 0
PciIde 3
ViaIde 3
viamraid 3
Msahci 3
LSI_SAS 3
Hi,
You can use FTKi to mount E01 images and run it from VirtualBox (tested with FTKi v3.1.4.6 and VirtualBox v4.3.10)
1. Mount the image in FTKi and note the 'PhysicalDriveNumber', i.e. PhysicalDrive4
2. With VirtualBox installed, drop to command line (amend accordingly to match your filepaths and desired VMDK name etc)
C:\Program Files\Oracle\VirtualBox>VBoxManage internalcommands createrawvmdk -filename c:\Users\<user>\1234.vmdk -rawdisk \\.\PhysicalDrive4
3. If you are successful, in CMD, you will see RAW host disk access VMDK file c:\Users\lab\1234.vmdk
4. Open VirtualBox, create a VM (or use an existing one) and then in settings click on STORAGE and CONTROLLER and next to the ATTRIBUTES dropdown use the drive select icon to navigate and select your newly created VMDK.
5. Start the virtual machine and it should work.
Rgds
Thanks guys,
I will try all of the solutions and report back.
Thanks again