In this step we’ll add our target system virtual disk to our SEAT VM. We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.
As you saw, we chose to add the disk as an independent disk in non-persistent mode. Any changes to the disk are discarded when we power off our SEAT VM. Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM. Nothing within the shadow volumes will be changed. Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.
When you add the disk, VMware may present a box that warns of a hardware compatibility issue. If my SEAT VM was created in an earlier version, I’ll get the following warning.
If you encounter this, change your SEAT hardware compatibility as in the video. Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8). Choose Alter this virtual machine as your last step.
We’re ready to boot our SEAT workstation and get our target ready for a shadow volume exam. In Windows, we can see our target system as Volumes E:, F:, and G:. Your volume letters may differ, as may the number of partitions on your target.
A little exploring reveals that our target’s system partition is Volume F:. While the last screen shot is right above us, I want to point out a very handy feature of VMware, which is the Pause button. You can see it in the screen shot as the two vertical bars right below the File menu item. Pausing the VM freezes the action. So, if you have a number of tasks underway and don’t want to shut down your SEAT VM, just pause it until you want to return to work. Remember, too, that the VMware Snapshot feature is your friend.
The first thing that I do is write protect the target system disk. Even though the disk is non-persistent, it can be written to during our session. It’s also possible that the volume shadow service may delete one or more of the target’s shadow volumes. To write protect our target, we’ll employ Windows Diskpart, which is a command line tool that’s part of Windows 7. In the next video, I’ll step through the process. We’ll begin at the point where I entered the Diskpart shell.
To exit Diskpart, simply type the command exit. Note that the write protection survives a hot or cold reboot. Nevertheless, you don’t have to shut down your SEAT VM, unless you want to make certain changes to its configuration in VMware. Otherwise, you simply can use the Pause feature. Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.
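The write-protect step described above can also be run as a Diskpart script, shown here as an added example that is not from the original video. It assumes an elevated PowerShell prompt inside the SEAT VM, English-language Diskpart output, and a disk number you supply after checking it with list disk; the script name and temporary file name are hypothetical.

```powershell
# Added example: write-protect the target disk with a Diskpart script.
# Run from an elevated PowerShell prompt inside the SEAT VM.
param(
    [Parameter(Mandatory = $true)]
    [int]$DiskNumber   # assumption: the target's disk number as shown by "list disk"
)

function Invoke-Diskpart([string[]]$Commands) {
    # Diskpart reads its commands from a script file passed with /s.
    $script = Join-Path $env:TEMP 'seat-diskpart.txt'   # hypothetical file name
    $Commands | Out-File -FilePath $script -Encoding ASCII
    try { & diskpart.exe /s $script }
    finally { Remove-Item $script -ErrorAction SilentlyContinue }
}

# 1. Show the disk details so you can confirm it is the target disk,
#    not the SEAT VM's own system disk, before changing anything.
Invoke-Diskpart @("select disk $DiskNumber", 'detail disk')
if ((Read-Host "Set disk $DiskNumber read-only? (y/n)") -ne 'y') { return }

# 2. Set the read-only attribute, then list the attributes to verify it.
$out = Invoke-Diskpart @(
    "select disk $DiskNumber",
    'attributes disk set readonly',
    'attributes disk'
)
$out

# 3. Stop if Diskpart does not report the disk as read-only
#    (the match assumes English-language Diskpart output).
if (-not ($out -match 'Current Read-only State\s*:\s*Yes')) {
    throw "Disk $DiskNumber is not reported as read-only; do not proceed."
}
```

Keeping the captured Diskpart output with your case notes documents that the target disk was read-only before the shadow volume exam began.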
That’s it for now. In the next post, I’ll get down to mounting and accessing the shadow volumes. Thanks for visiting!