Jessland - www.jessland.net
Sponsored by: One eSecurity - www.one-esecurity.com


Analysis

Content Leader: Jess Garcia - Last Updated: May 31, 2007


Converting, Booting & Mounting disk images

EWF <-> dd Conversion

  • EWF <-> dd conversion is useful when you want to turn EWF images (e.g. EnCase .E01 files) into raw dd images for analysis with tools that do not support the EWF format (remember that versions 2.0.4 and above of the Sleuthkit read EWF images directly, so they do not need the conversion).
  • Tools
    • iowrapper presents the EWF image to an ordinary tool under a fake filename ("foo" below), so plain dd can copy it out as a raw image:
             iowrapper -i ewf -filename=EnCase_Image_File.e01 -f foo -- dd if=foo of=dd_Image_File.dd bs=64k
    • Verify the result: hash the resulting dd image and compare it with the acquisition hash stored in the EWF container before analysing it.

dd <-> VMware Conversion

  • This type of conversion is useful when you want to boot a disk image inside a virtual machine to reproduce the original live environment. Always boot from a copy of the image (or a non-persistent/snapshot disk): an operating system writes to its disk while booting and would alter the evidence.
  • Some operating systems are friendlier to this than others: UNIX systems will boot inside a virtual machine most of the time, while Windows systems usually will not, because the installed HAL and storage drivers do not match the virtual hardware (the tools listed below address that problem).
  • Tools
  • VMware Converter
    • The Starter edition only does hot conversions (converting a running machine into a VMware virtual machine).
    • Cold conversion of a dd image into a VM requires VMware Converter Enterprise Edition.
  • DDChanger
    • DDChanger is a commercial product (priced in the $1,200 to $2,000 range depending on the version; prices as of March 2007).
  • LiveView
    • Although it is a Java-based product, it is designed to run on a Windows platform.
  • EnCase Physical Disk Emulator (PDE)
    • Lets you "export" a disk image from inside EnCase, making it available to the operating system as one more (emulated) physical disk.
    • EnCase PDE must be purchased as a separate additional module to EnCase (it is part of the Forensic Pro Suite). You need an EnCase product (EnCase Forensic / Law Enforcement / Enterprise) license to use EnCase PDE.
  • ProDiscover
    • ProDiscover automatically creates VMware .vmdk files when converting images to dd format, so the dd image can be booted directly in VMware.
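Before handing a dd image to any of the converters above, it pays to check two things programmatically: that the file really is a raw image and not an EWF segment (the case the EWF <-> dd section above exists for), and that it carries an MBR boot signature, since a non-bootable image is the most common reason a "converted" VM shows nothing. The following Python script is an added example, not code from this page or from LiveView, ProDiscover or any other tool listed here. It classifies an image from its first sector and then writes a VMware monolithicFlat .vmdk descriptor that references the existing dd image in place (the same approach LiveView takes, without touching the image). The function names (classify_header, identify_image, vmdk_descriptor, write_vmdk) and the 1 MiB sample image the demo builds are constructed for the example.

```python
"""Triage a disk image and write a VMware flat-disk descriptor for it.

Added example for the JISK "Converting, Booting & Mounting" section; it is
not code from the page or from any of the tools it lists.  Assumed names:
classify_header, identify_image, vmdk_descriptor, write_vmdk.
"""
import os
import struct
import tempfile

# Every EWF (EnCase .E01/.E02...) segment file starts with this 8-byte
# signature, followed by a 1-byte fields-start marker (0x01), a little-endian
# uint16 segment number and a uint16 fields-end (0x0000).
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
SECTOR_SIZE = 512


def classify_header(head, file_size):
    """Classify an image from its first sector and its size on disk.

    Returns ("ewf", segment_number) for an EWF segment (tools expecting a dd
    image must not be pointed at it), ("raw-mbr", total_sectors) for a raw
    image with the 0x55AA boot signature at offset 510 (the usual case for a
    bootable physical-disk image), or ("raw-unknown", total_sectors).
    """
    if head.startswith(EWF_SIGNATURE):
        segment = struct.unpack_from("<H", head, 9)[0] if len(head) >= 11 else None
        return ("ewf", segment)
    total_sectors = file_size // SECTOR_SIZE
    if len(head) >= 512 and head[510:512] == b"\x55\xaa":
        return ("raw-mbr", total_sectors)
    return ("raw-unknown", total_sectors)


def identify_image(path):
    """Read the first sector of the file at `path` and classify it."""
    with open(path, "rb") as f:
        head = f.read(SECTOR_SIZE)
    return classify_header(head, os.path.getsize(path))


def vmdk_descriptor(raw_filename, total_sectors, heads=16, sectors_per_track=63):
    """Return the text of a monolithicFlat .vmdk descriptor whose single
    extent is the existing raw image `raw_filename` (path relative to the
    descriptor).  Geometry is the classic IDE 16 heads x 63 sectors/track;
    cylinders = total_sectors // (heads * sectors_per_track).  The extent
    length must equal the image size in 512-byte sectors.
    """
    cylinders = total_sectors // (heads * sectors_per_track)
    if cylinders < 1:
        raise ValueError("image too small for the chosen geometry")
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        "CID=fffffffe\n"
        "parentCID=ffffffff\n"
        'createType="monolithicFlat"\n'
        "\n"
        "# Extent description\n"
        f'RW {total_sectors} FLAT "{raw_filename}" 0\n'
        "\n"
        "# The Disk Data Base\n"
        "#DDB\n"
        "\n"
        'ddb.adapterType = "ide"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{heads}"\n'
        f'ddb.geometry.sectors = "{sectors_per_track}"\n'
        'ddb.virtualHWVersion = "4"\n'
    )


def write_vmdk(raw_path):
    """Write <image>.vmdk next to a raw image and return its path.
    Refuses EWF input (convert it first) and warns about a missing MBR."""
    kind, value = identify_image(raw_path)
    if kind == "ewf":
        raise ValueError(f"{raw_path} is EWF segment {value}; convert it to dd first")
    if kind == "raw-unknown":
        print(f"warning: no 0x55AA boot signature in {raw_path}; the VM may not boot")
    vmdk_path = os.path.splitext(raw_path)[0] + ".vmdk"
    with open(vmdk_path, "w") as f:
        f.write(vmdk_descriptor(os.path.basename(raw_path), value))
    return vmdk_path


if __name__ == "__main__":
    # Constructed sample: a 1 MiB zero-filled "disk" with only the MBR boot
    # signature set, written into a temporary directory.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "evidence.dd")
    with open(sample, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa" + b"\x00" * (1024 * 1024 - 512))
    print(identify_image(sample))
    with open(write_vmdk(sample)) as f:
        print(f.read())
```

The descriptor never modifies the dd image, but the guest will as soon as it boots: attach the disk as independent-nonpersistent in the .vmx, or boot from a working copy and keep the hashed original untouched. Hardware version 4 corresponds to VMware Workstation 5.x; raise it for newer products.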

Tips & Tricks

  • A dd image can be run by VMware, just rename it to a .iso
    Source: James Lance, forensics@securityfocus.com mailing list

Mounting disk images in Windows

  • VMware Images

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.