EnCase PDE module and mounting in VMware - problems.....

9 Posts
4 Users
0 Likes
761 Views
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Has anyone had any experience of using the PDE module in EnCase?
I am aware of an issue with VMware relating to scsi devices that precede IDE devices in computer management – drive management, and this is not the issue.

My problem is that I start to boot the virtual drive in VMware and see the suspect's Windows XP Home bmp screen for a fraction of a second before I get a blue screen of death.

Andy

 
Posted : 14/01/2005 9:15 pm
mark777
(@mark777)
Posts: 101
Estimable Member
 

Hi, best of luck with VMware.

Apart from SCSI you need to make sure there are no zip disks or any other external USB devices hanging off your machine as well.

I work in law enforcement and try PDE and VM on most computers I do and at the moment I have about a 30-35% success rate. I haven't spoken to anybody who has a better rate than that, so do not expect to get it every time.

I understand that EnCase are in negotiation with Microsoft in respect of making the software compatible with the Microsoft Virtual Drive package, so it might be worthwhile keeping an eye on the Guidance Boards for details of that.

If desperate you can always recreate the suspect drive in EnCase and then put that back into the suspect computer and fire it up that way.

mark J

 
Posted : 16/01/2005 9:21 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

I work in law enforcement and try PDE and VM on most computers I do and at the moment I have about a 30-35% success rate. I haven't spoken to anybody who has a better rate than that, so do not expect to get it every time.

Your success rate is in line with what I've heard as well, I have the module, but haven't tried it yet.

 
Posted : 17/01/2005 2:07 am
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Thanks for the replies, it confirms it wasn't me doing anything wrong. I have restored images in the past and put them back in the suspect's drive. But the one I am dealing with at the moment is a laptop and I don't have one big enough to restore it to. VMware would have been the easy option (if it had worked).

Andy

 
Posted : 17/01/2005 7:41 am
(@gmarshall139)
Posts: 378
Reputable Member
 

What about restoring it to an IDE drive and booting it on a desktop?

 
Posted : 17/01/2005 1:46 pm
saracen
(@saracen)
Posts: 1
New Member
 

I haven't used EnCase PDE but have restored EnCase images to virtual hard drives both in VMware and Microsoft Virtual PC and tried to boot. I have got blue screens a lot with both products, but only with Windows XP restored drives. I have used the same procedure with Windows 9x and 2000 drives and they boot fine. From discussions I have had with VMware, this issue is apparently due to the way Windows XP deals with the computer hardware. VMware sell a tool called P2V which apparently "cleans up" the virtual hard drive to prevent a blue screen, but I haven't tried it. So I would suspect that your issue may be with the way WinXP is interacting with the virtual hardware and not with either EnCase PDE or VMware.

 
Posted : 18/01/2005 5:18 pm
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Many thanks, I'll take a look at P2V.

Andy

 
Posted : 18/01/2005 6:53 pm
mark777
(@mark777)
Posts: 101
Estimable Member
 

Andy

Try this method. I have used it for the last couple of weeks and got about an 80% success rate with it.

Create a virtual machine with XP Pro in VMware.

Edit the settings for this machine to create a second drive in it that is empty and of a size bigger than the drive you wish to image.

Boot the virtual machine and add EnCase to it. When you start EnCase it will only be in acquisition mode. Add the Hasp drivers to the virtual machine. At this point I create a snapshot of this machine so I can revert back to this every time.

Now you need to associate the USB device with the EnCase dongle onto the virtual XP machine. When you do this your host machine will lose its full EnCase capability as the dongle cannot be shared, so make sure you have no EnCase jobs running on the host.

Next create a case file in the virtual machine, point it at the drive with the evidence files on (you will need to enable sharing of this drive/folder in the virtual machine first) and let EnCase create its case. After the case has been acquired and verified in the virtual machine, choose the restore drive function and restore it to the empty drive you created at the start of the virtual XP Pro. When the case is restored you start another virtual machine and create it for the system type that the one you have just restored is.

When asked which drive you wish to use, path it to the one you have just restored on the second drive of the first virtual machine and you should find most of the time it will actually boot. Like I said, I used this method on drives that failed to boot the normal way and got an 80% success rate.

I am also going to try a different way by creating a virtual machine and loading the EnCase files and creating a case as above, but instead of recreating the drive I will load VMware onto the virtual machine, mount the EnCase drive as an emulated drive and try to boot in VMware inside VMware. Will post if it succeeds.

Hope you followed all that. It is pretty straightforward doing it but complicated writing it down.

 
Posted : 12/02/2005 11:23 pm
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Hi Mark, it sounds an interesting way of doing it and I will give it a try.

However, we purchased the EnCase PDE module because it is meant to allow you to mount the virtual drive it creates within VMware; however, it doesn't work every time. It will not work if you have a SCSI device displayed ahead of any IDE device in disk management. This for me is a problem because my local drive (where I store my EnCase evidence files for access) is a 1TB SCSI RAID. Another problem is that if you work a way around this first major problem a second one confronts you: if for example the suspect's OS is Windows XP (which most of them are), the virtual OS created detects that there are changes to its configuration and wants to re-register with Microsoft. I have managed to get as far as this before frustration set in and I gave the idea up as too problematic for what the results are worth.

Other than being able to mount a suspect OS as a virtual drive, for example for anti-virus/trojan checking, the EnCase PDE module appears to be (to me) a waste of money.

Andy

 
Posted : 13/02/2005 11:08 am