I haven't tried this yet (but I'll try it this week), but would it be possible to;
*Edit the machine settings by adding a physical drive (to hold your image)
*Boot your VM suspect machine with a forensic boot floppy/CD
*Create an image of the VM suspect machine to the added physical drive with whatever tool you have on your floppy/CD (encase, replica, safeback, etc..)Brett
Yes, I do this routinely, if this is what you mean Mount an image as a physical disk with Mount Image Pro, create a VM with a virtual disk, boot it with your CD. Then restore the mounted disk to your VM with, for example, Ghost. This system actually works better in some cases. Mick Penhallurick's paper, which I cited in my ForensicWiki article, describes this in depth. I've found the process will result in a bootable machine when you fail to boot the same image directly.
Andy,
> Since posting last I've found a small program…
Great. But is the name and location of that program a secret? If so, why?
Perhaps its VDK, available free at http//
I haven't tested it's read-only capability.
Sorry, I've been busy and not had chance to catch up with the board.
The software is VMware DiskMount, and I downloaded it from here -
http//
Also, when I posted I completely forgot you can drag a .vmdk file straight info EnCase v 5 and image it out from there.
I've not really looked too deeply into ProDiscover so forgive my ignorance, but is the server a free utitliy? I'll go on the site and take a look at it.
Since posting last I've found a small program that mounts a vmware image in Windows (and gives you a drive letter), this then let me image the drive as a normal attached device.
.
Earn?
Sorry disregard