I'm interested in anyone using VM Player. Do you have a good option for creating the virtual sessions to use in VMP?
Looking for a low or no cost option.
Thanks
Bill
You know, VMWare.com provides a number of freely available appliances for download…
http//
Thanks Harlan;
Have you personally used any of these to mount a suspect drive using VMP?
Bill
Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to "boot up" the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra "throw away" copies of the disk or image to create the virtual machine.
I have used it (for play only) and it is pretty slick.
My 2 centavos,
I have used LiveView several times. IT ROCKS! PM me if you have any questions. Be aware that you will need to be connected to the internet to complete the installation. It downloads all the dependencies for you. It allows you to "see what the suspect saw", right from a dd or e01 image. Good for showing stuff in court, but I don't use it for my investigation phase of my cases.
In the end, you have all the .vmk files to work with VM Player.
Also, you will need to get a (free) VM Server license.
Enjoy….
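The Live View posts above describe booting a raw dd image as a VMware disk. As an added illustration (not part of the thread and not Live View's own code), this Python sketch writes a VMDK descriptor that references a raw image as a flat extent, then hashes the image before and after to show the image itself is untouched. The descriptor layout, the 16/63 IDE geometry and the file name `evidence.dd` are assumptions; redirecting guest writes to a separate file is not covered here.

```python
import hashlib
import os
import tempfile

SECTOR, HEADS, SPT = 512, 16, 63  # assumed conventional IDE geometry

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_descriptor(image_path):
    """Return descriptor text that points at the raw image as one flat extent."""
    size = os.path.getsize(image_path)
    if size == 0 or size % SECTOR:
        raise ValueError("image is not a whole number of 512-byte sectors")
    sectors = size // SECTOR
    cylinders = min(max(sectors // (HEADS * SPT), 1), 16383)
    return "\n".join([
        "# Disk DescriptorFile", "version=1", "CID=fffffffe", "parentCID=ffffffff",
        'createType="monolithicFlat"', "",
        "# Extent description",
        f'RW {sectors} FLAT "{os.path.basename(image_path)}" 0',
        "", "# The Disk Data Base",
        'ddb.adapterType = "ide"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"', f'ddb.geometry.sectors = "{SPT}"', ""])

def wrap_image(image_path):
    """Write <image>.vmdk beside the image; return (path, hash_before, hash_after)."""
    before = sha256_file(image_path)
    with open(image_path + ".vmdk", "w", newline="\n") as f:
        f.write(build_descriptor(image_path))
    return image_path + ".vmdk", before, sha256_file(image_path)

def demo():
    """Wrap a constructed 2016-sector dummy image created in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            f.write(b"\x00" * (2016 * SECTOR))
        path, before, after = wrap_image(img)
        with open(path) as f:
            return f.read(), before == after

if __name__ == "__main__":
    print(demo()[0])
```

Keep the image file read-only at the filesystem level and re-hash it after any VM session; the descriptor alone does not stop a hypervisor from writing to the extent.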
I am making an assumption that you have access to the E01 evidence files here, but here goes:
I work in law enforcement and always liked to view suspect computers in a virtual environment where possible just to get a feel for the computer if nothing else.
Other advantage is that it is easier for others such as lawyers to understand when shown in the "normal" way as opposed to the Encase or FTK etc display method.
Using the Encase virtual machine and VmWare method I had a poor success rate in recreating the drives and at times the length of time needed to get there was prohibitive.
For example there were times when I needed to create a virtual XP machine, load Encase and associate the dongles into that virtual machine then load the evidence files into this virtual Encase. Then having done that create another virtual drive and recreate the virtual encase case to this new virtual drive and use that to mount the suspect machine in VmWare. See what I mean about a lengthy procedure.
Now, however, I have found a little utility called "VFC". It costs about £200 and with this I have had a 100% success rate so far in creating virtual machines (have done about 16).
Used in conjunction with Mount Image Pro you do not even need to have Encase running, just access to the Evidence files. It also recognises dd image files so you don't even need MiP.
I have to say that for the price it is by far the best piece of software we have bought for a long time in respect of actually doing what it says it does.
It is supplied by a company called MD5 in the UK.
The website is
I should say that I have nothing at all to do with this company.
Another VM toolset worth considering is Xensource - yes I know it is open source, but it gives you another tool for the kitbag; particularly for those occasions when VMware might not cut the mustard…