LiveView  

hunterw
(@hunterw)
New Member

Has anyone ever used LiveView, validated it, etc . . . . ??

http://liveview.sourceforge.net/

Posted : 30/08/2006 6:57 pm
keydet89
(@keydet89)
Community Legend

Don't know what you mean by "validated it", but…

http://windowsir.blogspot.com/2006/08/liveview.html

Posted : 30/08/2006 8:39 pm
Andy
(@andy)
Active Member

Live View does a brilliant job of converting DD image file data for VMWare, but does anyone have an easy method of converting a VMware (vmdk) image to a DD (or EnCase) image, or any methods for creating an image from a VMware guest?

Andy

Posted : 09/09/2006 3:07 pm
keydet89
(@keydet89)
Community Legend

Yes, I do. Fire up the VMWare guest, pop in a CD containing the ProDiscoverIR Server agent, and acquire the image.

Posted : 09/09/2006 5:53 pm
Andy
(@andy)
Active Member

I've not really looked too deeply into ProDiscover so forgive my ignorance, but is the server a free utility? I'll go on the site and take a look at it.

Since posting last I've found a small program that mounts a vmware image in Windows (and gives you a drive letter), this then let me image the drive as a normal attached device.

Posted : 10/09/2006 2:33 am
bshavers
(@bshavers)
Active Member

I haven't tried this yet (but I'll try it this week), but would it be possible to:
* Edit the machine settings by adding a physical drive (to hold your image)
* Boot your VM suspect machine with a forensic boot floppy/CD
* Create an image of the VM suspect machine to the added physical drive with whatever tool you have on your floppy/CD (encase, replica, safeback, etc.)

Brett

Posted : 12/09/2006 5:25 am
dietro
(@dietro)
Member

> but does anyone have an easy method of converting a VMware (vmdk) image to a DD (or EnCase) image, or any methods for creating an image from a VMware guest?

Point FTK Imager to the VMDK file and it will open it as if it were a disk image. You can then export an image of it.

Posted : 12/09/2006 7:18 pm
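
The VMDK-to-DD question above has one case that needs no special tool, shown here as an added example that is not part of any post in this thread: when the `.vmdk` is a text descriptor whose extents are all `FLAT`, the extent files already hold raw sectors, so concatenating them in order gives the dd image. The function names and sample file names are hypothetical; sparse extents are refused rather than converted.

```python
import hashlib, os, re

SECTOR = 512
# Extent line in a text descriptor: ACCESS SECTORS TYPE "FILE" [OFFSET]
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"(?:\s+(\d+))?')

def parse_extents(text):
    """Return [(sectors, type, filename, offset_sectors)] from descriptor text."""
    found = (EXTENT_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(2)), m.group(3).upper(), m.group(4), int(m.group(5) or 0))
            for m in found if m]

def flat_vmdk_to_dd(descriptor_path, out_path):
    """Concatenate FLAT extents into one raw image and return its SHA-256.
    SPARSE extents are refused: they hold grain tables, not raw sectors."""
    base = os.path.dirname(os.path.abspath(descriptor_path))
    with open(descriptor_path, "r", errors="replace") as f:
        extents = parse_extents(f.read())
    if not extents:
        raise ValueError("no extent lines found; not a text descriptor")
    for _, kind, name, _ in extents:
        if kind != "FLAT":
            raise ValueError("extent %s is %s, not FLAT" % (name, kind))
    digest = hashlib.sha256()
    with open(out_path, "wb") as out:
        for sectors, _, name, offset in extents:
            # basename(): never follow a path planted in an untrusted descriptor
            with open(os.path.join(base, os.path.basename(name)), "rb") as src:
                src.seek(offset * SECTOR)
                remaining = sectors * SECTOR
                while remaining:
                    chunk = src.read(min(1 << 20, remaining))
                    if not chunk:
                        raise IOError("extent %s is shorter than declared" % name)
                    out.write(chunk)
                    digest.update(chunk)
                    remaining -= len(chunk)
    return digest.hexdigest()

def build_sample(folder):
    # Constructed sample: a two-extent flat disk of 4 + 2 sectors
    parts = {"disk-f001.vmdk": b"A" * 4 * SECTOR, "disk-f002.vmdk": b"B" * 2 * SECTOR}
    for name, data in parts.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    path = os.path.join(folder, "disk.vmdk")
    with open(path, "w") as f:
        f.write('# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentFlat"\n'
                'RW 4 FLAT "disk-f001.vmdk" 0\nRW 2 FLAT "disk-f002.vmdk" 0\n')
    return path, b"".join(parts.values())
```

Run it against a working copy of the evidence files and record the returned SHA-256 alongside the image.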
keydet89
(@keydet89)
Community Legend

Andy,

> Since posting last I've found a small program…

Great. But is the name and location of that program a secret? If so, why?

Regarding the server component of PD…no, it isn't free, it's part of the product. Sorry. It is a very sweet product…I'm working with 4.8a now.

Posted : 13/09/2006 4:06 am
chague
(@chague)
Junior Member

> Since posting last I've found a small program…

I think what Andy is referring to is the vmware disk mount utility, but I could be wrong…;-)

http://www.vmware.com/download/eula/diskmount_ws_v55.html

Posted : 13/09/2006 4:39 am
keydet89
(@keydet89)
Community Legend

Chague,

Thanks, but I don't think we'll know until Andy lets us know.

Thanks,

H

Posted : 13/09/2006 4:58 am
JimmyW
(@jimmyw)
Member

> I haven't tried this yet (but I'll try it this week), but would it be possible to;
> *Edit the machine settings by adding a physical drive (to hold your image)
> *Boot your VM suspect machine with a forensic boot floppy/CD
> *Create an image of the VM suspect machine to the added physical drive with whatever tool you have on your floppy/CD (encase, replica, safeback, etc..)
>
> Brett

Yes, I do this routinely, if this is what you mean: Mount an image as a physical disk with Mount Image Pro, create a VM with a virtual disk, boot it with your CD. Then restore the mounted disk to your VM with, for example, Ghost. This system actually works better in some cases. Mick Penhallurick's paper, which I cited in my ForensicWiki article, describes this in depth. I've found the process will result in a bootable machine when you fail to boot the same image directly.

> Andy,

> > Since posting last I've found a small program…

> Great. But is the name and location of that program a secret? If so, why?

Perhaps it's VDK, available free at http://chitchat.at.infoseek.co.jp/vmware/vdk.html
I haven't tested its read-only capability.

Posted : 18/09/2006 9:40 pm
Andy
(@andy)
Active Member

Sorry, I've been busy and not had chance to catch up with the board.

The software is VMware DiskMount, and I downloaded it from here -

http://petruska.stardock.net/Software/VMware.html

Also, when I posted I completely forgot you can drag a .vmdk file straight into EnCase v 5 and image it out from there.

Posted : 19/09/2006 1:13 am
Earn
(@earn)
Active Member

> I've not really looked too deeply into ProDiscover so forgive my ignorance, but is the server a free utility? I'll go on the site and take a look at it.

> Since posting last I've found a small program that mounts a vmware image in Windows (and gives you a drive letter), this then let me image the drive as a normal attached device.

.

Posted : 22/09/2006 1:46 am
Andy
(@andy)
Active Member

Earn?

Posted : 22/09/2006 2:01 am
Earn
(@earn)
Active Member

Sorry disregard

Posted : 22/09/2006 4:09 am