Loading E01 files in VMWare Player

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
 
  

sovietpecker
Member
 

Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 19:10

Hello guys,

I would love to mount a copy of a forensically acquired E01 file into VMWare Player. I know Forensic Explorer with Mount Image Pro has a great solution that works well with VMWare Player, but I want to know if I need Forensic Explorer to do that.

So what I have is an E01 image file, which is split into several files because I chose that option when creating the image. Also, I have VMWare Player installed.

Could someone tell me what process to follow or if there are any online resources I could follow to achieve this?

Thanks.  
 
  

jaclaz
Senior Member
 

Re: Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 19:47

- sovietpecker

I would love to mount a copy of a forensically acquired E01 file into VMWare Player.

Mount or boot from?

And if mount at which level?

There is an IMDISK proxy for EWF images:
reboot.pro/topic/19940...or-imdisk/

And OFSMOUNT (which is a derivative of IMDISK) has EWF/.E01 compatibility:
www.osforensics.com/to...mages.html
but as you might know IMDISK only exposes the volume, not the disk.

There has been some talk about having the same functionality in Arsenal Image Mounter (which is a "whole disk" driver):
reboot.pro/topic/19725...k-from-ewf
I cannot say whether in the meantime the feature has been fully debugged and added to the release; you'll have to check.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

sovietpecker
Member
 

Re: Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 20:51

Thanks for the reply jaclaz,

I actually want to boot from it not just mount it. Sorry for the confusion.  
 
  

jaclaz
Senior Member
 

Re: Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 21:29

- sovietpecker


I actually want to boot from it not just mount it. Sorry for the confusion.


Well, technically it is simply not possible.

The EWF is (should be) a Read Only format, the whole point being that it is (should be) evidence.

When you boot from a disk image (particularly a Windows OS, which is likely the case even if you didn't mention it) there are a huge number of changes to the filesystem and Registry needed as drivers will need to be adapted from the original "real machine" ones to the ones needed for the Virtual Machine, and BTW this process is not usually as easy as you seem to believe it to be.

Nothing, however, prevents you from converting the EWF to a RAW image and then "converting" the latter into a VMDK. VMware Player uses/can use a VMDK format that consists of a plain RAW image + an external descriptor file, which is very easy to create; there are several suitable tools, but it is also easy to create manually or with a script.

As well (but I cannot say if it applies specifically to VMware, and particularly to VMPlayer), many VMs can use a \\.\PhysicalDrive, so another easy way is to restore the EWF image to a disk and just connect the disk to the VM.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
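
The "plain RAW image + external descriptor file" VMDK mentioned in the post above, as an added example that is not part of the original thread: a Python helper that writes such a descriptor beside a raw image already exported from the E01. The field layout is the commonly documented monolithicFlat descriptor and the geometry rules are assumptions to check against your VMware version; the function names and the file name `working_copy.raw` are hypothetical.

```python
import os

SECTOR = 512  # bytes per sector assumed by the descriptor

def geometry(sectors, adapter):
    # CHS values as conventionally written in flat VMDK descriptors (assumption).
    heads, spt = (16, 63) if adapter == "ide" else (255, 63)
    cyls = sectors // (heads * spt)
    if adapter == "ide":
        cyls = min(cyls, 16383)  # IDE cylinder ceiling
    return max(cyls, 1), heads, spt

def build_descriptor(raw_path, adapter="ide"):
    """Return monolithicFlat descriptor text for an existing raw image."""
    if adapter not in ("ide", "lsilogic", "buslogic"):
        raise ValueError("unsupported adapter type: " + adapter)
    size = os.path.getsize(raw_path)
    if size == 0 or size % SECTOR:
        raise ValueError("image is empty or not sector-aligned (truncated export?)")
    sectors = size // SECTOR
    cyls, heads, spt = geometry(sectors, adapter)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        # RW: the guest writes into the raw file, so point at a working copy only.
        f'RW {sectors} FLAT "{os.path.basename(raw_path)}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cyls}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        f'ddb.adapterType = "{adapter}"',
    ]
    return "\n".join(lines) + "\n"

def write_descriptor(raw_path, adapter="ide"):
    """Write <image>.vmdk beside the raw file; refuse to overwrite an existing one."""
    vmdk = os.path.splitext(raw_path)[0] + ".vmdk"
    with open(vmdk, "x", newline="\n") as fh:
        fh.write(build_descriptor(raw_path, adapter))
    return vmdk
```

Calling `write_descriptor("working_copy.raw")` produces `working_copy.vmdk` in the same directory, which is the file to attach to the VM. Because the extent is writable, hash the working copy before booting and keep the E01 set itself untouched.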
 
  

sovietpecker
Member
 

Re: Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 21:36

I do not think that the fact that the EWF is read only is an issue. All ISO files are read only. I mean if I create a Linux ISO or take a Linux ISO and create a bootable VM from it, it would not alter the original ISO file.

The example you gave with the restoration to disk seems similar to how Forensic Explorer does it. www.forensicexplorer.c...e-boot.php
 
  

jaclaz
Senior Member
 

Re: Loading E01 files in VMWare Player

Post Posted: Jul 06, 17 22:27

- sovietpecker

I do not think that the fact that the EWF is read only is an issue. All ISO files are read only. I mean if I create a Linux ISO or take a Linux ISO and create a bootable VM from it, it would not alter the original ISO file.


And - surprisingly enough - Windows based PE's can as well boot off .iso's just fine.

Windows installs cannot (and won't)[1].

But of course you are welcome to try.

jaclaz

[1] It is possible, for special builds, involving a RAMdisk to boot even a "full" Windows from a read only media, but it is not your case.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
