My first post described how to build a VMware VM from a single dd image. A few folks “just asked Weg” to demonstrate how to do that from E01 images. Note that it doesn’t matter whether we start with a single or segmented E01 image (or whether we use a single or split dd image). Why? Because we’re going to build a VM from a physical disk, which really is a virtual disk that was mounted from an image. With regard to E01 images, we have to create a physical disk because VMware can’t translate an E01 image as it can a dd.
I’ll mention again a tool named Virtual Forensic Computing (VFC), which can automatically build a VM from either a dd or E01 image. It, too, requires that you first mount your E01 as a physical disk. VFC’s creator, Michael Penhallurick, is a brilliant fellow to whom I owe a debt of gratitude for helping me get started in virtualization. http://www.md5.uk.com/products/vfc2.
In case some of you don’t mount images very often, I’ll provide a video on the process. There are several free or cost-based tools through which you can mount an image. I’ll use AccessData’s FTK Imager, which is freely offered at http://accessdata.com/support/adownloads.
We’re going to do things in somewhat of a reverse order from where we built a VM from a dd image. The first step is to create a VM in VMware from our mounted image. After you watch the video, I’ll explain a few things.
First, note that VMware must be opened after you mount your image. When VMware is opened, it enumerates disks on the system. Unless you re-open VMware, it will not see your newly mounted disk. I’ll also point out now that your image must be mounted whenever you want to access the VM or the virtual disk. We basically created a VM as we did in my first post, and used most of the same options. We ignored the warning about the need for “expertise” when creating a VM from a physical disk. If I were creating a VM from a “real” disk, I might be more concerned.
VMware does not allow snapshots of physical disks inherently. We have to make VMware think that the disk really isn’t a physical disk. To do so, we’ll edit the VMware configuration file, which is the VMX file that VMware created when we built our VM. That file is in the folder to which we pointed VMware when we created the VM. Below is a screenshot of the relevant portion of the VMX file, which is a text file.
We can see the highlighted line, which tells VMware that we’re using a physical disk. We’ll edit that line as follows:
We removed the string “raw,” which changed “rawDisk” to “Disk.” You also may notice that VMware created a vmdk file in the same path. Usually, we don’t need to edit this file. If you haven’t done so, either close VMware or close your new VM. Then re-open VMware or the VM. Navigate to VM\Snapshot:
Now, snapshots are available! Take a snapshot. If you go back to your VM’s folder, you just may see 150 snapshot files. Don’t be alarmed. VMware will split snapshots in this situation, but it has no effect on our mission. I will say that VFC has figured out a way to avoid splitting snapshots.
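The VMX edit described above can be scripted so it is repeatable across cases. This is an added example, not code from the post or from VFC; it assumes VMware wrote the physical disk as a `deviceType = "rawDisk"` entry on the controller slot (the screenshot is not reproduced here), and the sample VMX text is constructed.

```python
"""Flip a VMware VMX from rawDisk to Disk so snapshots become available."""
import re
import shutil
import sys
from pathlib import Path

# VMware records the physical disk with a deviceType entry on the disk's
# controller slot. The key name and prefix pattern are assumed here (the
# post's screenshot is not reproduced); the edit itself is the post's:
# drop "raw" so "rawDisk" becomes "Disk".
RAW_DISK_RE = re.compile(
    r'^(?P<key>[ \t]*\w+:\d+\.deviceType[ \t]*=[ \t]*")raw(?P<rest>Disk"[ \t]*\r?)$',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample of the relevant VMX portion (not taken from the post).
SAMPLE_VMX = (
    'config.version = "8"\n'
    'scsi0.present = "TRUE"\n'
    'scsi0.virtualDev = "lsilogic"\n'
    'scsi0:0.present = "TRUE"\n'
    'scsi0:0.fileName = "PhysicalDrive2.vmdk"\n'
    'scsi0:0.deviceType = "rawDisk"\n'
)


def patch_vmx(text: str) -> tuple[str, int]:
    """Return the patched VMX text and how many deviceType lines changed."""
    return RAW_DISK_RE.subn(r"\g<key>\g<rest>", text)


def patch_vmx_file(path: Path) -> int:
    """Patch a .vmx in place, keeping a .bak of the original; 0 means no change."""
    with open(path, encoding="utf-8", newline="") as fh:  # keep CRLF as-is
        original = fh.read()
    patched, count = patch_vmx(original)
    if count:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(patched)
    return count


if __name__ == "__main__":
    vmx = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if vmx is None:
        print(patch_vmx(SAMPLE_VMX)[0])  # dry run on the constructed sample
    else:
        print(f"changed {patch_vmx_file(vmx)} line(s) in {vmx}")
```

Run it with the path to your VM’s .vmx while the VM is closed; a count of 0 means the file was already edited (or the line does not match the assumed form), and the .bak lets you revert.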
At this point, you can go back to my first post and see how to edit the registry and remove passwords. After mounting our disk as writable, we’ll make sure that the LSI_SCSI service Start value=0, and we’ll strip any passwords (remembering EFS issues).
We now have a bootable VM of our E01 image. It really doesn’t take any time at all to get to this point. However, we’ll approach our shadow volume exam a little differently in this case. We’ll do it from within our running VM, and I’ll go into that in my next post.