I created a Windows XP virtual machine and I'm just messing about with it, creating files etc. Ideally I want to be able to turn the XP VM into an E01 file so I can "examine" it in EnCase (or even examine it in FTK or Linux forensic tools). Is this possible? If so, how would you obtain a bit-for-bit copy of the XP VM?
Thanks in advance.
Why would you want to use an E01 format (if not for using it within EnCase)?
FTK imager can image to E01, however
http//
But, depending on the actual VM you are running and on the specific hard disk image type you are using, you might ALREADY have an image compatible to be converted in "dd" or even in E01. (no need for imaging anything)
jaclaz
Hi Jaclaz, thanks for the reply.
It doesn't have to be E01, I would settle for anything that I can examine in EnCase or FTK. I did read something about 'DD'. I believe it stands for disk-dump? I haven't used it before but if I understand correctly, I should be able to use 'DD' to create an image of the XP virtual machine.
No, the actual origin of the name "dd" is much more complicated than that, it means "copy and convert" (don't ask 😯 ).
JFYI
http//
http//
it seems like it is a joke, but unix programmers (let alone IBM ones) were never famous for a particularly good sense of humour wink
What I meant was that a VM (if you post some actual info on WHICH one you are using) uses a file as virtual disk (the file is already an image of the virtual disk).
The format of this file is often already a "dd" image (or a compatible one, very easy to convert to "dd" format).
Again if you provide the VM and the EXACT specific type of virtual disk you created, I can be more precise.
It is very likely that you do not need to "image" anything, but to simply copy a file (and if needed "convert" it).
If you want to image that, you would need to mount that virtual disk image file through (I presume you are running some form of Windows as "host" system) a virtual disk driver of some kind, in order to have it "exposed" to the Windows system as a "device".
jaclaz
I had to laugh when I saw the title of that post "Why everything is so d@mn diificult? (a web quest for dd.exe)" lol
Sorry, I should have supplied a bit more information. I'm using a MacBook Pro (OS X 10.8.4) and VirtualBox 4.2.16. I installed XP using the standard VDI (VirtualBox disk image) option.
I have a Windows 7 PC which has EnCase + FTK on (which I would be examining the image on).
I installed XP using the standard VDI (VirtualBox disk image) option.
Yep, that may be the "standard option", but I cannot say from that which "kind" of VDI you are using.
You may want to go through this thread
http://www.forensicfocus.com/Forums/viewtopic/t=10818
If it is "static", qemu-img should have no issues in converting it to "dd" or "RAW".
If it is "dynamic" you might need to "expand" it to "static" (even though sparse-backed) and then use qemu-img on it.
There are also Windows ports of Qemu that do include qemu-img.
jaclaz
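As an added illustration of the point jaclaz makes above (this is not code from the thread or from VirtualBox): the VDI header records which "kind" of image you have (type 1 = dynamic, 2 = static/fixed), and for a dynamic image the block map is enough to flatten it into a "dd"/RAW file yourself, writing zeros for blocks the guest never touched. It assumes the VirtualBox 1.1 header layout; the sample image is constructed in memory with a tiny 4 KiB block size instead of the usual 1 MiB.

```python
import io, struct

VDI_SIGNATURE = 0xBEDA107F
VDI_TYPES = {1: "dynamic", 2: "static (fixed)", 3: "undo", 4: "differencing"}
BLOCK_FREE, BLOCK_ZERO = 0xFFFFFFFF, 0xFFFFFFFE  # block-map entries that carry no data

def parse_vdi_header(f):
    """Read the v1.1 VDI header fields needed to classify and flatten the image."""
    f.seek(0)
    hdr = f.read(0x188)
    sig, version, _hdr_size, img_type = struct.unpack_from("<IIII", hdr, 0x40)
    if sig != VDI_SIGNATURE:
        raise ValueError("not a VDI file (bad signature)")
    off_blocks, off_data = struct.unpack_from("<II", hdr, 0x154)
    disk_size, block_size, extra, n_blocks, n_alloc = struct.unpack_from("<QIIII", hdr, 0x170)
    return {"version": version, "kind": VDI_TYPES.get(img_type, f"unknown({img_type})"),
            "off_blocks": off_blocks, "off_data": off_data, "disk_size": disk_size,
            "block_size": block_size, "block_extra": extra, "blocks": n_blocks, "allocated": n_alloc}

def vdi_to_raw(src, dst):
    """Write the guest disk as a flat 'dd' image; unallocated/zero blocks become zeros."""
    h = parse_vdi_header(src)
    src.seek(h["off_blocks"])
    bmap = struct.unpack(f"<{h['blocks']}I", src.read(4 * h["blocks"]))
    for entry in bmap:
        if entry in (BLOCK_FREE, BLOCK_ZERO):
            dst.write(b"\0" * h["block_size"])
        else:  # data block n lives at off_data + n * (block + extra), after the extra bytes
            src.seek(h["off_data"] + entry * (h["block_size"] + h["block_extra"]) + h["block_extra"])
            dst.write(src.read(h["block_size"]))
    dst.truncate(h["disk_size"])  # the last block may extend past the declared disk size
    return h

def build_sample_vdi(blocks, block_size=4096):
    """Constructed dynamic VDI for offline testing (None = block never written by the guest)."""
    hdr = bytearray(512)
    hdr[:64] = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
    struct.pack_into("<IIII", hdr, 0x40, VDI_SIGNATURE, 0x00010001, 0x180, 1)  # type 1 = dynamic
    struct.pack_into("<II", hdr, 0x154, len(hdr), len(hdr) + 4 * len(blocks))
    written = [b for b in blocks if b is not None]
    struct.pack_into("<QIIII", hdr, 0x170, block_size * len(blocks), block_size, 0,
                     len(blocks), len(written))
    bmap = [BLOCK_FREE if b is None else written.index(b) for b in blocks]
    data = b"".join(b.ljust(block_size, b"\0") for b in written)
    return bytes(hdr) + struct.pack(f"<{len(blocks)}I", *bmap) + data

def flatten_sample():
    out = io.BytesIO()
    hdr = vdi_to_raw(io.BytesIO(build_sample_vdi([b"boot sector", None, b"file data", None])), out)
    return hdr, out.getvalue()
```

Against a real VDI, open it with `open(path, "rb")` and the output with `open(path + ".raw", "wb")`; hash the result before loading it into EnCase or FTK so you can show the flattened copy was not altered afterwards.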
Thanks, I'll look into that now. It's dynamic. Looks like I'm in for a fun Sunday )