Argthtjtr

I have used Encase to capture a disk image in a forensics nvestigation. The problem is that a certain application that resides in the image won't run if it is not installed properly. I want to boot from the image (a virtual machine) and then operate with the application in question.

Any ideeas ?

First make sure your disk image is in raw format. Either Encase already stores it in raw format or it will be able to export it in raw format.

For VirtualBox you can use the vboxmanage command with the convertfromraw option. This converts your disk image to a format that is readable for Virtualbox.

Make sure you always mount a copy of your image in a real or virtual machine, so your original image isn't compromised.

Next you can create a Virtual machine using the converted image as primary disk (to boot from it) or use any forensics OS and mount the disk in the VM for further inspection.

Finally I found three links that might be usefull:

• VirtualBox running Encase file


• VirtualBox - convert RAW image to VDI and otherwise


• Mounting E01 images of physical disks in Linux Ubuntu 12.04

To do virtual reconstruction (using an existing .e01 or .dd/.img), I do the following:

• use Access data's ftk imager (version 3 or later) to mount the image (windoze) or you can use mount image pro to do the same


• To convert a raw image to vmdk, I have used the following tool and it works well - http://sourceforge.net/projects/raw2vmdk/ (FYI, to do the opposite, convert vmdk to dd.


• You can use VFC (Virtual forensic computing -http://www.virtualforensiccomputing.com/) which will create the virtual image for you. Depending on partition layout, find the active boot partition. Generate the VM and then you can open the .vmx using vmware player or workstation.


• This will allow you to convert the .e01 or dd/img image into a .vmdk, boot it up using vmware, and then do application analysis on any app you want via the reconstructed .e01 to .vmdk.

So you don't have to create a new image at all. DO ALL THE NEXT STEPS AS ADMINISTRATOR!

Mount the .E01 image using FTK Imager and give it a write cache. Note what physical drive the image is mounted to.

The best option is to use the command

vboxmanage.exe internalcommands createrawvmdk -filename "C:SomePathsomefile.vmdk" -rawdisk \.PhysicalDrive2

NOTE: Physical Drive Number 2 is used as an example, use whatever drive it says in ftk.

The command creates a .VMDK pointer to the mounted image file. You can now create a machine within virtual box, give it the right OS and add the .VMDK pointer in as the HDD. The system should now boot.

TROUBLE SHOOTING ISSUES NOTE:

If the system blue screens it can be the hard drive controller. Change the controller from SATA to IDE within the Virtual Machine settings. Then try changing the drop down controller box to ICH6.

If the system is UEFI you will have to check the UEFI box.

RUN EVERYTHING AS ADMINISTRATOR! This can be a reason why it won't virtualize.

Other than this good look :)