Hi there,
I've virtualised an ISO image (host machine OS is Windows Server 2003 R2; ISO machine is Windows XP Home Edition), but it is asking me for a windows activation before I log-in
"This copy of Windows must be activated before you can log on. Do you want to activate Windows now? Yes / No".
I cannot activate Windows as (as I understand it) this will change the attributes of the ISO image which will affect the admissability of anything we pull off the system once logged in, so I'm wondering if there is anyway I can work around this and make the virtual ISO image think that the activation has happened when in fact it hasn't?
Thanks in advance for any hints or tips you can give.
Kate
You didn't say which VM you are using but you have a couple of options. If you create a VMWare VM with LiveView you have the option of write protecting the VM. Also, there are some tips on the VMWare site including configuration options which may help to avoid the problem that you are seeing.
But, in general, activated Windows detects most hardware changes (including moving the image to a VM), as requiring a new activation. There isn't much that you can do to avoid this. You could try to make sure that the memory allocated to your VM is identical to the physical memory of the source system, but there isn't much else that you can do. All of the "solutions" for removing Windows Activation would require changes to the image.
Further, it is a moot point, I think. First, you have a copy of the image which you can preserve as your forensic duplicate. Second, if the VM is asking for Windows activation, there have been changes to the image, already. Finally, it is a given that live analysis necessitates changes to the image. The key is to be able to document these and defend the necessity of doing this.
Hi seanmcl,
Thanks for your post. I am using VMWare Workstation.
Your moot points are interesting actually - definately some food for thought there. I have been advised that it is acceptable to alter the ISO image in order to gain logon on access as long as the original remains unaltered and it can be shown that any documents gained from the 'altered' ISO image can be replicated from the original.
I guess I will have to be extra diligent in my reporting on this one.
Thanks for the advice.
Kate
When booting the VM if you boot into safe mode it will bypass the need to activate windows. For a windows XP machine press F8 to get into safe mode.
Hi, will booting it in safe mode mean I will still be able to access the software?
Cheers,
K
Hi, will booting it in safe mode mean I will still be able to access the software?
Cheers,
K
Many services won't run, including the installation service, antivirus products, and the like. Perhaps you can go into a little more detail as to why you want/need to boot the system but from my perspective, the reason to create a VM is to look at the behavior of a live system. Safe Mode will not give you that since the purpose of Safe Mode is to to allow you basic Windows functioning without all the possible "problem" applications which could start up.
If you simply want to look for files, using a forensic package on the image would probably be more useful. If you need to know what the system looked like when it was last operated, Safe Mode won't do it.
I'm sure that there are valid reasons to enter Safe Mode for Live Analysis but I haven't found any.
yeh i agree with whats been said. I like virtualising to get a feel for how the system is set-up and some indication of how the user has used it. Some times it is very quick method for answering questions. However I would not be happy trying to present evidence i had found using this method alone. Id be looking to find the evidence with a forensic tool and then use the virtual machine to confirm any theories I had that the image alone could not answer.
