Creating a VM from E01 Images

My first post described how to build a VMware VM from a single dd image.  A few folks “just asked Weg” to demonstrate how to do that from E01 images.  Note that it doesn’t matter whether we start with a single or a segmented E01 image (or whether we use a single or a split dd image).  Why?  Because we’re going to build the VM from a physical disk, which in our case is a virtual disk that a mounting tool presents to Windows from the image.  With E01 images we have to go through a mounted physical disk because VMware can’t read the EWF container directly, the way it can point a vmdk descriptor at a raw dd file.

I’ll mention again a tool named Virtual Forensic Computing (VFC), which can automatically build a VM from either a dd or an E01 image.  It, too, requires that you first mount your E01 as a physical disk.  VFC’s creator, Michael Penhallurick, is a brilliant fellow to whom I owe a debt of gratitude for helping me get started in virtualization: http://www.md5.uk.com/products/vfc2.

In case some of you don’t mount images very often, I’ll provide a video on the process.  There are several free and commercial tools that can mount an image.  I’ll use AccessData’s FTK Imager, which is freely offered at http://accessdata.com/support/adownloads.  Whatever tool you use, mount the image as a physical disk (not only as a logical volume): VMware needs the whole disk, partition table included, to build the VM.

We’re going to do things in somewhat of a reverse order from how we built a VM from a dd image.  The first step is to create a VM in VMware from our mounted image.  After you watch the video, I’ll explain a few things.

First, note that VMware must be opened after you mount your image.  VMware enumerates the host’s disks when it starts, so unless you restart it, it will not see your newly mounted disk.  Run VMware as an administrator: access to a physical disk requires it, and a non-elevated VMware is the usual reason a mounted image never shows up in the physical-disk list.  I’ll also point out now that your image must be mounted whenever you want to access the VM or its virtual disk; without the mount there is no device behind the vmdk.  We basically created a VM as we did in my first post, and used most of the same options.  We ignored the warning about the need for “expertise” when creating a VM from a physical disk.  That warning exists because VMware can write to a physical disk; if I were creating a VM from a “real” evidence disk, I would be more concerned.  Here the disk is a mounted image, and once we take a snapshot the guest’s writes go to the snapshot file.

VMware does not allow snapshots of a VM whose disk is a physical disk.  We have to make VMware think that the disk really isn’t a physical disk.  To do so, we’ll edit the VMware configuration file, which is the VMX file that VMware created when we built our VM.  That file is in the folder to which we pointed VMware when we created the VM.  Below is a screenshot of the relevant portion of the VMX file, which is a plain text file.

We can see the highlighted line, which tells VMware that we’re using a physical disk.  It reads scsi0:0.deviceType = “rawDisk” (the scsi0:0 part names the controller and slot VMware gave the disk, and will differ if you chose another disk type or slot).  We’ll edit that line as follows:

We removed the string “raw,” which changed “rawDisk” to “disk.”  You also may notice that VMware created a vmdk file in the same path.  That file is a small text descriptor that points at the host disk you picked (\\.\PhysicalDriveN); usually, we don’t need to edit it.  VMware reads the VMX only when it opens the VM, so if you haven’t done so, either close VMware or close your new VM.  Then, re-open VMware or the VM.  Navigate to VM\Snapshot:

Now, snapshots are available!  Take a snapshot before you power on the VM.  With a physical-disk VM the snapshot is what receives every write the guest makes, so the mounted image is never touched, and without one VMware cannot use the mounted disk at all (one cause of the “physical disk is already in use” error that comes up in the comments; another is something on the host holding the mounted volume open).  If you go back to your VM’s folder, you just may see 150 snapshot files.  Don’t be alarmed.  VMware creates the snapshot of a physical disk as a split sparse disk, one file per 2 GB (the twoGbMaxExtentSparse type you will see in vmware.log), so a 300 GB disk yields roughly 150 files, but it has no effect on our mission.  I will say that VFC has figured out a way to avoid splitting snapshots.
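The disk check and the VMX edit above, as an added PowerShell example that is not part of the original post: Get-HostPhysicalDrives lists the host’s \\.\PhysicalDriveN devices so you can see which number the mounted image received (match it by size), and Enable-VmxSnapshots rewrites every *.deviceType = "rawDisk" entry in a VMX to "disk", keeping a backup; the -Efi switch adds firmware = "efi" for a UEFI/GPT image, the fix given in the comments for a Windows 8.1 disk.  The function names, the .bak backup name, the -Efi switch and the sample paths are this example’s own assumptions.

```powershell
# Added example, not code from the original post. Run on the Windows host from an
# elevated PowerShell, after mounting the image and before taking the snapshot.

function Get-HostPhysicalDrives {
    # Lists the \\.\PhysicalDriveN devices VMware will enumerate on its next start.
    # The mounted image shows up as an extra drive; pick it out by its size.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Sort-Object Index |
        Select-Object Index, DeviceID, Model, InterfaceType,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
}

function Enable-VmxSnapshots {
    # Rewrites every  <ctrl>N:M.deviceType = "rawDisk"  line to "disk" so VMware stops
    # treating the backing device as a physical disk and allows snapshots.
    param(
        [Parameter(Mandatory = $true)][string]$VmxPath,
        [switch]$Efi   # UEFI/GPT image: also add  firmware = "efi"  (switch name is an assumption)
    )
    if (-not (Test-Path -LiteralPath $VmxPath)) { throw "vmx not found: $VmxPath" }
    Copy-Item -LiteralPath $VmxPath -Destination "$VmxPath.bak" -Force   # keep the original

    $changed = 0
    $out = @(foreach ($line in Get-Content -LiteralPath $VmxPath) {
        # Matches scsi0:0, sata0:1, ide0:0, nvme0:0 ... followed by .deviceType = "rawDisk"
        if ($line -match '^\s*([A-Za-z]+\d+:\d+)\.deviceType\s*=\s*"rawDisk"\s*$') {
            $changed++
            '{0}.deviceType = "disk"' -f $Matches[1]
        } else {
            $line
        }
    })
    if ($changed -eq 0) { Write-Warning "no rawDisk entries found in $VmxPath; nothing changed" }

    if ($Efi -and -not ($out | Where-Object { $_ -match '^\s*firmware\s*=' })) {
        $out += 'firmware = "efi"'
    }
    # The vmx is ASCII text; write it back without a byte-order mark.
    Set-Content -LiteralPath $VmxPath -Value $out -Encoding ASCII
    "$changed rawDisk entr$(if ($changed -eq 1) { 'y' } else { 'ies' }) changed in $VmxPath"
}

# Usage (paths are assumptions):
# Get-HostPhysicalDrives
# Enable-VmxSnapshots -VmxPath 'C:\VMs\evidence\evidence.vmx'          # BIOS/MBR image
# Enable-VmxSnapshots -VmxPath 'C:\VMs\evidence\evidence.vmx' -Efi     # UEFI/GPT image
# Then close and re-open the VM in VMware and take a snapshot before powering on.
```

VMware only reads the VMX when it opens the VM, so the edit takes effect after you close and re-open the VM; if Enable-VmxSnapshots reports zero changes, open the VMX and check which controller prefix VMware actually used for the disk.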

At this point, you can go back to my first post and see how to edit the registry and remove passwords.  After mounting our disk as writable, we’ll make sure that the LSI_SCSI service Start value=0, and we’ll strip any passwords (remembering EFS issues).  The reason for the registry edit: VMware presents our disk on an LSI Logic SCSI controller, and a Windows system that was never installed on one has the LSI_SCSI miniport driver present but not set to load at boot.  Without the driver, Windows can’t reach its own boot volume and stops with the INACCESSIBLE_BOOT_DEVICE (0x7B) blue screen that several of the comments describe; Start=0 means boot start.  Because we are editing an offline hive, there is no CurrentControlSet; make the change in the control set that Select\Current points to.  Two variations worth knowing from the comments: if you built the VM on the LSI Logic SAS controller (the choice suggested there for Workstation 10), the service is LSI_SAS rather than LSI_SCSI, and a system that boots with UEFI from a GPT disk, like the Windows 8.1 machine in the comments, also needs the line firmware = “efi” in the VMX.  On the EFS point: clearing an account’s password breaks the DPAPI master keys derived from it, so that account’s EFS-encrypted files become unreadable in the VM; if you need them, log in with the real password instead.
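The registry step, as an added PowerShell example that is not the author’s procedure from the first post: it loads the SYSTEM hive from the writably mounted system volume, resolves which ControlSetNNN is live (an offline hive has no CurrentControlSet link), sets the Start value of the named storage miniport services to 0 (boot start) and reports the old value.  The drive letter, the temporary key name HKLM\EVIDENCE_SYSTEM and the default service list (LSI_SCSI, plus LSI_SAS for a VM built on the LSI Logic SAS controller) are this example’s assumptions.  Run it elevated, against the writable mount (FTK Imager’s writable cache mount, or the snapshot disk mapped writable from VMware), never against the original image.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell on the
# Windows host, against the writable mount of the VM's system volume (drive letter assumed).

function Set-OfflineBootDriverStart {
    param(
        [Parameter(Mandatory = $true)][string]$SystemHive,      # e.g. F:\Windows\System32\config\SYSTEM
        [string[]]$Services = @('LSI_SCSI', 'LSI_SAS'),         # LSI Logic SCSI / LSI Logic SAS miniports
        [ValidateRange(0, 4)][int]$Start = 0,                   # 0 = SERVICE_BOOT_START
        [string]$MountKey = 'HKLM\EVIDENCE_SYSTEM'              # temporary key name, an assumption
    )
    if (-not (Test-Path -LiteralPath $SystemHive)) { throw "SYSTEM hive not found: $SystemHive" }
    if ($MountKey -notmatch '^HKLM\\[^\\]+$') { throw "MountKey must be HKLM\<name>: $MountKey" }

    # reg.exe load needs elevation and a writable volume; it fails on a read-only mount.
    & reg.exe load $MountKey $SystemHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed: not elevated, hive in use, or volume not writable" }
    $psRoot = 'HKLM:\' + $MountKey.Substring(5)   # 'HKLM\X' -> 'HKLM:\X' for the registry provider

    $results = @()
    try {
        # Offline hives have no CurrentControlSet symlink; Select\Current names the live set.
        $current = (Get-ItemProperty -LiteralPath "$psRoot\Select" -Name Current).Current
        $csName  = 'ControlSet{0:D3}' -f $current
        foreach ($svc in $Services) {
            $key = "$psRoot\$csName\Services\$svc"
            if (-not (Test-Path -LiteralPath $key)) {
                Write-Warning "$svc is not installed in this image (check which controller the VM uses)"
                continue
            }
            $old = (Get-ItemProperty -LiteralPath $key -Name Start).Start
            if ($old -ne $Start) {
                Set-ItemProperty -LiteralPath $key -Name Start -Value $Start -Type DWord
            }
            $results += [pscustomobject]@{
                Service = $svc; ControlSet = $csName; OldStart = $old; NewStart = $Start
            }
        }
    } finally {
        [GC]::Collect()                       # drop provider handles so the hive unloads cleanly
        & reg.exe unload $MountKey | Out-Null
    }
    $results
}

# Usage (F: is the writably mounted system volume; an assumption):
# Set-OfflineBootDriverStart -SystemHive 'F:\Windows\System32\config\SYSTEM'
# Set-OfflineBootDriverStart -SystemHive 'F:\Windows\System32\config\SYSTEM' -Services LSI_SAS
```

The function reports the previous Start value for each service, which is the first thing to compare against if the VM still blue-screens: a service that is missing altogether means the guest has no driver for the controller VMware is emulating, and the fix is to rebuild the VM on the other controller rather than to edit the registry further.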

We now have a bootable VM of our E01 image.  It really doesn’t take any time at all to get to this point.  However, we’ll approach our shadow volume exam a little differently in this case.  We’ll do it from within our running VM, and I’ll go into that in my next post.

63 comments

  1. iso says:

    Hey Jimmy, nice to see such a great blog.

    I have a disk that is encrypted by Pointsec. I can boot the disk in VMware and see its OS, but it’s corrupt due to wrong hardware. How can I pass the encrypted area of the disk? It’s loading 500KB of data while booting.

    Thanks!

    Iso

    • jimmyweg says:

      Thanks for the kind words. In the past, when I booted a Pointsec image file, I went right to the password entry. From there, I could decrypt the disk with the password. I’m not aware of whether Pointsec can be hardware specific, like with a TPM chip, but you should research that question. I also would try a dd image, just to see whether it makes a difference.

      • iso says:

        I have a ready system. I could see the boot of Windows XP, but due to the hardware difference, it didn’t boot… Now I applied the steps you did, but I made a mistake at one point. :(

        • jimmyweg says:

          It’s hard for me to troubleshoot this, but with XP, you probably need to do a system repair from an install disc of the same version.

          • iso says:

            Thanks for your answer. To repair it… unfortunately I cannot do it because it’s running on VMware, because the laptop was disposed of a long time ago. If I am able to see the screen of Windows XP, does it mean that I can recover the files on it, given that it’s a Pointsec-installed disk?

            OR

            If I try to re-encrypt it with Pointsec on a laptop as a USB-connected disk, do I probably have to encrypt it two times, and then I can use the recovery key?

            Since I don’t have the laptop now, I cannot open its OS.

            OR

            If I find the same hardware (Dell D420), in your opinion, will it work?

          • jimmyweg says:

            To be honest, I really don’t know. If the VM is decrypted and you can start XP, a repair may work. Just a guess.

  2. Michael says:

    Hi there,

    Is it also possible to mount and run a Safeguard Easy encrypted E01 image file?

    Thanks,
    Michael Doe

    • Michael says:

      after I type in the sg easy username and pwd I receive the error message: “Loading operating system… Error loading operating system” – using SG Easy 4.50.3

      • jimmyweg says:

        I haven’t tried Safeguard, but if you can boot the image, it should work. The issue may be E01 because you have to mount an E01, and you are mounting an encrypted “disk” that has no file system. You may want to try converting the E01 to dd. I’ve booted PointSec disks before, but I used a dd.

        • Michael says:

          Jimmy, thanks for the fast reply.

          Initially, the acquisition of the physical disk encrypted with Safeguard Easy was conducted with a Tableau TD2 (dead acquisition). The plan was to decrypt the image via EnCase; unfortunately, it did not work. EnCase accepted the user credentials, but the displayed partition C was still gibberish.
          Furthermore, I have tried the x86 version with same results.
          Next, I wanted to verify, that encase is not buggy and tried to start the image in a virtual env.
          First, I created a VMware Virtual Machine from a EWF File. I was able to boot the VM and successfully authenticated to SGE but the OS could not be loaded. In addition, I deliberately and successfully initiated false logins to verify the functionality of SGE.
          Second, I converted the EWF image to a segmented raw image. I tweaked and adjusted the extent description of the vmdk accordingly by looking up/calculating the size of the first and last image segment/sector size.
          Finally, the result was the same. I can boot and authenticate with SGE but can’t load the OS.
          In conclusion, either the SGE Kernel or the MBR might be corrupted which sucks since I cant get to the data to conduct forensic analysis.

          Do you think it is possible to repair the SGE kernel of the VM by starting the SG emergency disk? However, it’s probably easier to fix the physical disk.

          Anyways, please let me know if you have another joker or recommendation. Your tutorial is great and helped me tremendously – Thank you. If I have more time I will do a PoC with SGE encrypted disk – I’ll let you know.

          Cheers,
          Mike

          • jimmyweg says:

            Thanks, Michael. I need to play around with a few of these WDE tools. I’m kind of clueless with respect to your dilemma, though your thought about the emergency disk makes sense and can’t hurt. I guess the ultimate test would be to clone the drive to a like make/model and see if your clone works in the original box. If it does, then I’d guess that there’s board/chip mating involved.

          • Michael says:

            Jimmy,

            Finally, I had a breakthrough. I was able to boot the encrypted VM with a SGE emergency Disk. Then, I was able to decrypt and save it to a vmdk which in return can be opened with FTK. Next, I will extract the partition and convert it to a raw format again in order to analyze it with my SIFT workstation.

            In summary, the original encrypted evidence disk was imaged. The image was used to create a VM; then, the vmdk was decrypted and can now be forensically examined.

            All activities can be reproduced, and the integrity of the original evidence disk has not been tampered with.

            I will write a paper/guide about it.

            By the way, I have sent you a linked in request.

            Cheers,
            Michael

          • jimmyweg says:

            Great! I’m glad that it worked. As I mentioned, I’ve worked with PointSec drives before and they worked fine in VMware. I decrypted the physical drive, took a snapshot, and then imaged the drive. Once you decrypt it, a physical image will work. I don’t think I received the LinkedIn request.

  3. Grégoire M says:

    Hey! Great tutorial, it helped me a lot!
    I’m not the best with VMware, I don’t understand everything, but I have a problem.

    My image file is stored on my external hard drive; I mounted it with AccessData FTK. Then I created a new VM with VMware Server, and at the last step, on “Use a physical disk”, when you need to choose which device to use, I can’t choose the right PhysicalDrive. I only get PhysicalDrive0 and I don’t know what to do.

    If you can help me a little, it will be great! :)

    Grégoire Meurillon

    • jimmyweg says:

      Hi, Grégoire. If FTKI mounts your image as a physical disk, it should appear in VMware. First mount the image and then open VMware. If VMware is open when you mount the image, it will not see it until you refresh. I think there’s a refresh option somewhere, but I can’t recall at the moment.

      • Grégoire M says:

        Hmmm… I just tried, but the problem is still there; I can’t see the right PhysicalDrive :s

        By the way, I can’t find the refresh option in VMware, but I’m going to look for it!

        Thank you!

        Gregoire Meurillon

        • jimmyweg says:

          Are you running VMware as Admin? If the disk is mounted, it has to show up in VMware. I haven’t tried VMware Server, but I wouldn’t think it matters.

          • Grégoire M says:

            I don’t use VMware as admin, I’ll try it soon!

            I need the administrator password and my boss is not here.

            Thanks for everything!

            Grégoire Meurillon

          • jimmyweg says:

            Thanks, Grégoire. You need to be an admin to access a physical disk. Hope it works.

          • Grégoire M says:

            Well, I could not test yesterday, but I think you’re right and it’s just because of admin :)

            Thank you very much for your time!

            Grégoire Meurillon

  4. Matt says:

    Jimmy, I took your advice, and decided to delve into VMs. I am using VM Workstation 10 on a Win7 Ultimate machine. I am trying to get an E01 of a Win8.1 machine up and running. I mounted in FTK Imager, both Physical and Logical. Went through the preliminary steps with creating the VM, modified the VMX file, took snapshots and moved on to RegEdit. I loaded the System hive from the logical mount of the image and dived down to try to find LSI_SCSI and it was not there? _SAS, _SAS2, _SAS3 and _SSS were there. I feel as though I am missing something really simple….any suggestions?

    • jimmyweg says:

      When you create your VM, choose the SAS option instead of SCSI. Then, set the LSI_SAS driver to 0x01 in the registry. I think you’ll be okay with _SAS only, and not the others. Let me know.

      • Matt says:

        I created a new VM, using the changes above. For SCSI Controller, I selected LSI Logic SAS and for disk type, I selected SCSI. (Should I have selected SATA?) I changed _SAS to 1, stripped the password and started it up to find that it advises..”Operating System not found”

        I changed the vmx to represent device type = “disk”. Should I have modified something else? Thank you for your patience.

        • Matt says:

          Sorry for the flurry of questions….I was able to get a VM working off of another image, so I at least feel like I am doing it right. Could it have something to do with the fact this image has 7 partitions? It has the following partitions NTFS-Recovery,NTFS-OS, NTFS-Samsung_REC2, FAT32-Recovery,FAT32-EFI System, Microsoft reserved partition and a NTFS-NONAME that appears to be recovery related.

          • jimmyweg says:

            Hi, Matt. This is a Win 8 system, I presume, and it’s UEFI. In your vmx, add the line, firmware = “efi” exactly as shown.

  5. Matthew says:

    Jimmy,

    First I would like to say thank you for taking the time to put this together.

    I am using FTK imager to mount my E01 as you instructed in the video and I am using VMware Workstation v10.

    I follow your instructions all the way through until it comes time to choose which physical drive to create my VM from. I have 7 physical disks in my machine and Disk 7 is the only one that populates the drop-down menu. This happens to be a dongle for IEF.

    I can’t see the E01 that I have mounted which I know is disk 8. Any suggestions would be greatly appreciated.

    Matthew

  6. Nick says:

    Hi Jimmy, thanks for this. I’m trying to do the same thing but using VMWare Fusion on a Mac. I’ve mounted the E01 as a standard volume using ewfmount and hdiutil, but VMWare Fusion doesn’t seem to give me the option of selecting the volume as a disk to add, and I don’t know enough about the vmx format to know what to edit. Any ideas?
    Thanks

    • jimmyweg says:

      Hi, Nick. I really don’t do anything on Macs, though I did have a brief play with Fusion on one. I believe that the VMware config files are interchangeable between Windows and Mac. Is the target E01 a Windows system? If so, and you have access to a Windows system (perhaps on your Mac with Parallels or the like), you could create the VM on Windows and bring it over to your Mac. With E01, you have to create the VM from a physical disk. My guess is that you have to mount the E01 as a physical disk in your Mac and select it as the base of your VM. The vmx should be the same, in that you would remove the “raw” per my post. If Fusion doesn’t provide that option, I guess you always can convert the E01 to a dd. I can build Mac VMs in VMware in Windows, but there’s some debate as to whether there’s a licensing issue with that approach.

  7. Alan says:

    I followed the steps exactly as described but my Win7 64-bit VM blue-screens when booted. It has been my experience that other registry changes are necessary to get the VM to boot successfully.

    Since this disk has a 100MB boot partition, do I need to mess with the BCD?

    • jimmyweg says:

      First, I assume that you have an E01 of a physical disk and that you mounted the image as a physical disk. If so, you need not be concerned with the boot partition. There are no registry edits required, other than the one that I described. With a mounted image, you just create a VM from your mounted physical disk, use the SCSI disk option, edit the vmx to allow snapshots, take a snapshot, map the volume as writable, and edit the registry to set the LSI SCSI driver Start value to 0x00. Note that VMware 10 requires a different procedure, which I described in a later post. Should work every time, unless the underlying system has issues.

  8. JL says:

    I have followed your procedures (albeit with v9 workstation). I keep getting “The physical disk is already in use” error. In the logs, I see it trying to create a file & failing. Any idea how to work around this?

    DISKLIB-LINK : Opened ‘C:\Users\me\Documents\Virtual Machines\xxx\xxx-000001.vmdk’ (0x8): twoGbMaxExtentSparse, 81715199 sectors / 39.0 GB.
    DISKLIB-LIB : Opened “C:\Users\me\Documents\Virtual Machines\xxx\xxx-000001.vmdk” (flags 0x8, type twoGbMaxExtentSparse).
    W32Util_DismountVolumes: Locking and dismounting volumes backed by a particular disk area (offset 0 size 41838181888) on PhysicalDrive3…
    W32Util_DismountVolumes: CreateFileW1 failed on volume \\?\Volume{6fe89818-1aba-11e3-bf63-00025b00a5a5}: 2
    W32Util_CloseDismountHandle: Unlocking and closing handles for 0 volumes on PhysicalDrive3…
    DISKLIB-FLAT : Open: Failed to dismount physical drive 3. Perhaps its volumes have open files on them?
    DISKLIB-FLAT : “\\.\PhysicalDrive3” : failed to open (73): .

    • jimmyweg says:

      This usually resolves after you reboot your host system. Make sure that you snapshot your mounted image after you create the VM and mount the disk.

      • JL says:

        It seems this happens if you have explorer open during the process. Very strange – no Explorer – no problem…

        • jimmyweg says:

          I don’t think that Explorer is the cause. I do know that it presents if something has a hook to the disk. Also, the more mounting/unmounting that you do, the more likely it becomes that VMware gets confused. If it were a real disk, we could try to remove the drive letter as a possible fix, but with an E01, we usually just mount it as physical.

  9. Tom says:

    Jimmy, is there any way to boot from an E01 partition image, not a physical disk image?

    • jimmyweg says:

      I did this once or twice a few years ago, but I believe that I “built” a MBR/partition table and added it to my image. For example, your physical pc won’t boot if you edit the disk and delete Sectors 0-63/x. For one, you need an active partition designated in the PT. I’ll see if I can find some notes on this.

      • Tom says:

        Thanks Jimmy, I also want to add an MBR to an E01 image, but I don’t know how to do this without the E01 file being broken.

        • jimmyweg says:

          I’ve never done that, but I imagine that you’d have to mount the E01 as a volume and make it writable. Maybe it would work with FTKI’s write caching or by adding it to a VM and taking a snapshot. It may just be easier to create a dd from the E01.

  10. waterch1ck says:

    Jimmy, if the disk is encrypted, it cannot be mounted. We cannot edit the registry to fix the LSI SCSI value. What can we do then??

    • jimmyweg says:

      With respect to any encrypted disk, you have to decrypt it to do any sort of exam, if I understand your question correctly. Perhaps you know the password and want to boot to the decryption/login screen. If so, and depending on the encryption scheme, you may get that far without editing the registry. Then, choose to decrypt the physical disk. I’ve done that with PointSec. I guess I need more info on what kind of encryption is in place, and how you intend to examine the volume, aside from booting the image in VMware.

  11. Randomaccess says:

    I’m so close to getting this working. I’ve got an e01 of a vista x64 system that turns on to show the windows recovery screen, then blue screens and loops back.
    At a complete loss as to how I can fix it although I imagine it has something to do with the image containing two partitions (40mb Dell partition and 300gb windows partition)
    Has anyone else had this problem?

    • jimmyweg says:

      The second (Dell) partition has nothing to do with the issue you face. The first thing to check is your VMware and registry setups. Did you choose the LSI SCSI disk and did you edit the registry to force the Start at boot (0x00)? It is, however, possible that you have a system that is corrupt and unable to boot, and nothing is going to fix that. You also could try a repair with a Vista install disk.

  12. Dana McNeil says:

    I am trying to do something a little different. I have an image of an external drive with executables that I want to run from within the VM. I created an E01 of the drive and then mounted it using FTK Imager. In VM9 I configured the VM to use the physical disk, and edited the vmx file to change “rawDisk” to “disk”. This did enable the ability to take a snapshot, but when I power on the VM it says the .vmdk “or one of the snapshot disks it depends on” is already in use.

    There is nothing using the drive, it’s files, or the .vmdk. Any thoughts?

    • jimmyweg says:

      First, I’ll assume that the executables are self-contained programs that did not require installations, e.g., complete with registry settings, dependent DLLs, etc. This error can present when you select the wrong file from which to run your VM. When you try to open the virtual machine file, select the vmx and not the vmdk that VMware produced when you built your VM. This is a VM built from a physical disk. I also have to wonder about why you’re trying to boot an external (image) drive, but I’ll presume that it contains an OS. Otherwise, there is nothing to boot in VMware. If there is no OS, you could just as easily mount the image in your host and run the exe. As you used an E01, you can’t add a virtual disk to a SEAT workstation or the like, because you have a physical disk. If this doesn’t make sense, take one Bozone Porter and call me in the morning (you have my number).

    • Cory J. Pritchard says:

      I am facing the same issue. Using the method described in this posting I get the message “The Physical Disk is already in use.” I converted the E01 image to a dd image and followed the instructions in your first posting regarding turning images into VMs, and it worked perfectly. How do you resolve that problem? Also, I am curious about the registry setting for an XP image; there is no LSI_SCSI key. What do you need to do differently in that case?

      • jimmyweg says:

        Cory, did you take a snapshot of the mounted E01? You can’t use the disk without one. We don’t use SCSI disks/drivers in XP. Use the default disk type and note that you’ll probably have to do a Repair with an XP install disc of the same flavor to fix a BSOD.

        • Cory J. Pritchard says:

          I did create a snapshot, both before and after the registry changes. So when I look under Edit Virtual Machine Settings, for Hard Disk (SCSI) what file should be in the Disk File text box? One of the snapshots or the original VMDK

          • jimmyweg says:

            The current snapshot, e.g., Windows 7×64-VM9-000003.vmdk. Not the original, which remains RO.

  13. Jimmy,
    You’ve just made a wonderful work, very useful for all of us. It’s really precise. The E01 files are rarely so well explained. You’ve solved a lot of problems I used to have for years… I use VFC2, but sometimes it hangs or the workstation does not start. As Robert, I use E01 files almost all the time.

  14. CAG says:

    When using FTK to mount an E01 file (Encase 7.04), how do you handle when the image is E01 through E42? We are trying to see the entire disk image in VMWare?

    • jimmyweg says:

      I would mount the image as a physical disk and proceed as in my post on using VMware to virtualize E01 image files. I don’t see why the number of segments matters, insofar as mounting is concerned. I hope to go into segmented DD images in my next post. Examining the SVs in any mounted image is a different process, which I’ll also describe.

  15. Ovie says:

    Absolutely wonderful job with this. The step-by-step method you showed was flawless and makes it so anyone can follow right along. Thank you for taking the time to put this together and share it with the community.

  16. Harvey Rothenberg says:

    How have you found vfc2 handling of the NEW Encase file format of Ex01. The author jbmetz the developer of the libewf toolkit, had indicated that there has not been full disclosure for this new format for developers to incorporate into their development cycles.

    Does your product support the use of this newly created file format for this new version of Encase or does it still depend upon the E01 formatting ?

    Sincerely, Harvey

    • jimmyweg says:

      I haven’t tried VFC2 in that regard, but neither VFC2 nor my method really cares about the image format. Every image format will work, if it can be mounted as a physical disk. Both VFC2 and my method work with mounted images. Both approaches work directly with dd or other raw formats without the need to mount the image as a disk. In my own lab, I always use dd images, but that’s my preference.

  17. Robert Pearson says:

    Great tutorial….Because of my habit of using E01 files exclusively I often run into issues attempting to create a VM,most ending in me giving up. This tutorial is just what the doctor ordered …
    Thanks for your time on this…

    Rob
