Notifications

Clear all

VHDx files

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jaclaz 12 years ago

3 Posts

3 Users

0 Reactions

2,526 Views

RSS

ThePM

(@thepm)

Reputable Member

Joined: 17 years ago

Posts: 254

Topic starter 18/06/2013 2:25 am

Has anyone been able to analyze the new VHDx images used by Windows 8/Server 2012 using a Windows 7 computer?

EnCase, FTK, X-Ways cannot analyze it.

Mount Image Pro cannot mount it.

From what I've read so far, I have 2 solutions
- Convert the VHDx image to VHD.
- Using Windows 8 Disk Manager, mount the VHDx file (read-only) then image the content of the mounted VHDx file.

The problem is that all my analysis machines are running Windows 7 so I would like to avoid, if possible, having to use Windows 8 on my analysis machine.

Thanks.

Quote

davepawlak

(@davepawlak)

Eminent Member

Joined: 15 years ago

Posts: 29

18/06/2013 7:30 am

What about building a Win8 VM using Virtual Box or VMWare? You could build a small one to suit your needs and then dump it when you are done.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

18/06/2013 3:38 pm

From what I've read so far, I have 2 solutions
- Convert the VHDx image to VHD.
- Using Windows 8 Disk Manager, mount the VHDx file (read-only) then image the content of the mounted VHDx file.

3rd possibility
mount it in a Qemu VM (read only)
http//rwmj.wordpress.com/tag/vhdx/
http//wiki.qemu.org/ChangeLog/1.5

You will need to check if also the Windows version has this possibility.
Virtualbox should also have that support (still read only).

jaclaz

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
278 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed