My first post described how to build a VMware VM from a single dd image. A few folks “just asked Weg” to demonstrate how to do that from E01 images. Note that it doesn’t matter whether we start with a single or segmented E01 image (or whether we use a single or split dd image). Why? Because we’re going to build a VM from a physical disk, which really is a virtual disk that was mounted from an image. With regard to E01 images, we have to create a physical disk because VMware can’t translate an E01 image as it can a dd.
I’ll mention again a tool named Virtual Forensic Computing (VFC), which can automatically build a VM from either a dd or E01 image. It, too, requires that you first mount your E01 as a physical disk. VFC’s creator, Michael Penhallurick, is a brilliant fellow to whom I owe a debt of gratitude for helping me get started in virtualization. http://www.md5.uk.com/products/vfc2.
In case some of you don’t mount images very often, I’ll provide a video on the process. There are several free or cost-based tools through which you can mount an image. I’ll use AccessData’s FTK Imager, which is freely offered at http://accessdata.com/support/adownloads.
We’re going to do things in somewhat of a reverse order from where we built a VM from a dd image. The first step is to create a VM in VMware from our mounted image. After you watch the video, I’ll explain a few things.
First, note that VMware must be opened after you mount your image. When VMware is opened, it enumerates disks on the system. Unless you re-open VMware, it will not see your newly mounted disk. I’ll also point out now that your image must be mounted whenever you want to access the VM or the virtual disk. We basically created a VM as we did in my first post, and used most of the same options. We ignored the warning about the need for “expertise” when creating a VM from a physical disk. If I were creating a VM from a “real” disk, I might be more concerned.
VMware does not allow snapshots of physical disks inherently. We have to make VMware think that the disk really isn’t a physical disk. To do so, we’ll edit the VMware configuration file, which is the VMX file that VMware created when we built our VM. That file is in the folder to which we pointed VMware when we created the VM. Below is a screenshot of the relevant portion of the VMX file, which is a text file.
We can see the highlighted line, which tells VMware that we’re using a physical disk. We’ll edit that line as follows:
We removed the string “raw,” which changed “rawDisk” to “Disk.” You also may notice that VMware created a vmdk file in the same path. Usually, we don’t need to edit this file. If you haven’t done so, either close VMware or close your new VM. Then, re-open VMware or the VM. Navigate to VM\Snapshot:
Now, snapshots are available! Take a snapshot. If you go back to your VM’s folder, you just may see 150 snapshot files. Don’t be alarmed. VMware will split snapshots in this situation, but it has no effect on our mission. I will say that VFC has figured out a way to avoid splitting snapshots.
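The VMX edit described above can be scripted so that it is repeatable and leaves an untouched copy of the original file for your case notes. This is an added example, not part of the original post: the sample VMX text and its key names (such as `scsi0:0.deviceType`) are constructed assumptions, and the script matches on the “rawDisk” value rather than on any particular key. Run it with VMware or the VM closed.

```python
import re
import shutil
from pathlib import Path

# Any line of the form  key = "rawDisk"  (value matched case-insensitively).
RAW_LINE = re.compile(r'^(\s*[^#\s=]+\s*=\s*")raw(disk"\s*)$', re.IGNORECASE)

# Constructed sample; the key names are assumptions, not taken from the post.
SAMPLE_VMX = (
    'scsi0.present = "TRUE"\r\n'
    'scsi0.virtualDev = "lsilogic"\r\n'
    'scsi0:0.present = "TRUE"\r\n'
    'scsi0:0.fileName = "case001.vmdk"\r\n'
    'scsi0:0.deviceType = "rawDisk"\r\n'
)


def strip_raw(vmx_text):
    """Return (new_text, changed_keys) with the "raw" prefix removed."""
    lines = vmx_text.splitlines(keepends=True)
    changed = []
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        m = RAW_LINE.match(body)
        if m:
            # Keep the key, spacing, remaining value case and line ending.
            lines[i] = m.group(1) + m.group(2) + line[len(body):]
            changed.append(body.split("=", 1)[0].strip())
    return "".join(lines), changed


def patch_vmx(path):
    """Edit a VMX file in place, keeping an untouched copy beside it."""
    path = Path(path)
    # latin-1 round-trips every byte, so the file's own encoding survives.
    text = path.read_bytes().decode("latin-1")
    new_text, changed = strip_raw(text)
    if not changed:
        return []  # already edited, or no physical-disk line present
    backup = path.with_name(path.name + ".orig")
    if not backup.exists():
        shutil.copy2(path, backup)
    path.write_bytes(new_text.encode("latin-1"))
    return changed


if __name__ == "__main__":
    text, keys = strip_raw(SAMPLE_VMX)
    print("changed:", keys)
    print(text, end="")
```

An empty list from `patch_vmx` means the file contained no “rawDisk” line, either because it was already edited or because the VM was not built from a physical disk.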
At this point, you can go back to my first post and see how to edit the registry and remove passwords. After mounting our disk as writable, we’ll make sure that the LSI_SCSI service Start value=0, and we’ll strip any passwords (remembering EFS issues).
We now have a bootable VM of our E01 image. It really doesn’t take any time at all to get to this point. However, we’ll approach our shadow volume exam a little differently in this case. We’ll do it from within our running VM, and I’ll go into that in my next post.



I’m so close to getting this working. I’ve got an e01 of a vista x64 system that turns on to show the windows recovery screen, then blue screens and loops back.
At a complete loss as to how I can fix it although I imagine it has something to do with the image containing two partitions (40mb Dell partition and 300gb windows partition)
Has anyone else had this problem?
The second (Dell) partition has nothing to do with the issue you face. The first thing to check is your VMware and registry setups. Did you choose the LSI SCSI disk and did you edit the registry to force the Start at boot (0x00)? It is, however, possible that you have a system that is corrupt and unable to boot, and nothing is going to fix that. You also could try a repair with a Vista install disk.
Y it was the editing registry part. Followed the video you posted on an earlier blog.
Amazing. Thanks for help, definitely a life saver
Yes*
I’m glad that I could help!
I am trying to do something a little different. I have an image of an external drive with executables that I want to run from within the vm. I created an E01 of the drive and then mounted it using FTK Imager. In VM9 I configured the VM to use the physical disk, and edited the vmx file to change “rawdisk” to “Disk”. This did enable the ability to take a snapshot, but when I power on the VM it says the .vmdk “or one of the snapshot disks it depends on” is already in use.
There is nothing using the drive, its files, or the .vmdk. Any thoughts?
First, I’ll assume that the executables are self contained programs that did not require installations, e.g., complete with registry settings, dependent DLLs, etc. This error can present when you select the wrong file from which to run your VM. When you try to open the virtual machine file, select the vmx and not the vmdk that VMware produced when you built your VM. This is a VM built from a physical disk. I also have to wonder about why you’re trying to boot an external (image) drive, but I’ll presume that it contains an OS. Otherwise, there is nothing to boot in VMware. If there is no OS, you could just as easily mount the image in your host and run the exe. As you used an E01, you can’t add a virtual disk to a SEAT workstation or the like, because you have a physical disk. If this doesn’t make sense, take one Bozone Porter and call me in the morning (you have my number).
Jimmy,
You’ve just made a wonderful work and very useful for all of us. It’s really precise. The E01 files are rarely so well explained. You’ve solved a lot of problems I used to have for years… I use VFC2 but sometimes it hangs or the workstation does not start. As Robert I use E01 files almost all the time.
Merci, Jean-Philippe. I’m glad that you found it useful.
When using FTK to mount an E01 file (Encase 7.04), how do you handle when the image is E01 through E42? We are trying to see the entire disk image in VMWare?
I would mount the image as a physical disk and proceed as in my post on using VMware to virtualize E01 image files. I don’t see why the number of segments matters, insofar as mounting is concerned. I hope to go into segmented DD images in my next post. Examining the SVs in any mounted image is a different process, which I’ll also describe.
Absolutely wonderful job with this. The step by step method you showed was flawless and makes it so anyone can follow right along. Thank you for taking the time to put this together and share it with the community.
Thanks, Ovie. Considering how much you have contributed to our community, I am honored by your comment.
How have you found vfc2 handling of the NEW Encase file format of Ex01? The author jbmetz, the developer of the libewf toolkit, had indicated that there has not been full disclosure for this new format for developers to incorporate into their development cycles.
Does your product support the use of this newly created file format for this new version of Encase or does it still depend upon the E01 formatting?
Sincerely, Harvey
I haven’t tried VFC2 in that regard, but neither VFC2 nor my method really cares about the image format. Every image format will work, if it can be mounted as a physical disk. Both VFC2 and my method work with mounted images. Both approaches work directly with dd or other raw formats without the need to mount the image as a disk. In my own lab, I always use dd images, but that’s my preference.
Great tutorial… Because of my habit of using E01 files exclusively I often run into issues attempting to create a VM, most ending in me giving up. This tutorial is just what the doctor ordered…
Thanks for your time in this…
Rob
Thanks, Rob. I hope this helps. Please post any questions/problems.