keydet89,
Does anyone have any experience with it?
Yes :D
Very good tool for mounting a dd image. I think GetData used the experience of VDK for making "Mount Image Pro".
The old version of "Mount Image Pro" and VDK use identical commands, etc.
After looking around a bit, here's what I've found (with the caveat that I've tested portions of this at various points, but not all of it together)…
With a dd image of a system, taken with FTK Imager Lite, ProDiscover, or plain ol' dd, you can then use either LiveView or even ProDiscover to create the necessary .vmdk files. From there, get the following:
VDK
http//
VDK GUI
http//
**Don't forget the core files
Alternatively, you can use Virtual Drive Manager
http//
At this point, you should have everything you need to mount a dd-image as a read-only drive letter. I tried using the VMWare-mount utility (DiskMount), but it is NOT read-only.
Again, like I said, I haven't tested this all the way through…but I have used LiveView before, and I pointed VDK at a .vmdk file from one of my VMWare sessions and was successful in mounting the K drive. This was against an XP VMWare session.
Thanks for your help everyone! Unfortunately, this issue came up *after* the chapter of my book that talks about alternative methods of analysis went to production! 😉
Maybe something for the website that supports the book?
Without a doubt…wait, there's a website??? 😉
Since I've got some other stuff in the works already, I may have to create a "stuff that didn't make it into the book" label on my blog…
> Again, like I said, I haven't tested this all the way through…but I have used LiveView before, and I pointed VDK at a .vmdk file from one of my VMWare sessions and was successful in mounting the K drive. This was against an XP VMWare session.
Harlan,
If you do test this all the way through and plan to post it on your site, can I assume you will let us know here? I am curious to see the final results.
Everyone,
Also, is there a better way to mount an E01 image other than purchasing Image Mount Pro? Would it just be better to convert it to a dd and go that route?
EnCase PDE and VFS modules. I don't know the cost of the individual modules.
AFAIK EnCase PDE and VFS cost considerably more than MIP.
I regularly use MIP to mount and boot images and have recently developed an app called VFC (Virtual Forensic Computing) which has around a 95% success rate in getting past the BSOD. At the moment it is only available to LE and government but should be available to others soon.
VFC does not require any conversion or dd images, it works direct from the mounted E0 (or S0 or dd) image. It doesn't get past activation but there are other methods to employ once it is booted which work 100% of the time.
I have tried to use LiveView but on closer inspection have found that it uses some of my prior research in this area and as such will only work for about 50% of the images it tries to boot.
BraneRift,
> If you do test this all the way through and plan to post it on your site, can I
> assume you will let us know here? I am curious to see the final results.
When I finally get a chance to try this out, end-to-end, sure I'll post it on my blog…but I'm not sure I'm going to go around reposting it over and over on other sites.
Of course, everything you need, even a test image, is freely available online.
Harlan
All,
I'm testing out the process end-to-end, and I've run into a small problem. LiveView does a great job of creating .vmdk files for dd images so that they can be opened in VMWare, but VDK balks with an "unknown extent type" error. I've used ProDiscover's ability to create the .vmdk file, and that worked great with VDK.
I'm looking for options for creating .vmdk from dd image files. I'm looking at using qemu-img.exe, but I'd like to see if I can't locate some other freeware options for doing this.
Thanks,
Harlan