Computer Forensics World :: View topic - imaging a virtual machine
imaging a virtual machine

 
mikhl
Newbie
Joined: Aug 17, 2011
Posts: 10
Location: NE England

Posted: Sat Nov 19, 2011 1:20 am    Post subject: imaging a virtual machine

Hi,

This is for a little course project that I decided to undertake.

I need to image a virtual machine so that I can forensically examine it in EnCase.

I am using VMware to create and use my virtual machines. And so far I have been able to look at the live .vmdk (virtual machine disk) in FTK Imager. However, when I create an E01 image of the file, the image creates but does not show the content of the disk when viewed in FTK or EnCase.

So far my process has been: open the .vmdk in FTK and click File > Export disk image.

I have also attempted to (without the .vmdk file opened in FTK) click File > Create disk image > Image File and point to the .vmdk file.

Either way I still have the same problem. Any guidance or help on how to image a virtual machine would be great.

Thanks
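A check that can be run before and after imaging, added here as an example and not part of the original posts or of any tool named in the thread: it reads the start of a .vmdk, reports whether the file is a text descriptor or a sparse extent, and extracts the virtual disk size it declares, so the size of the acquired image can be compared against it. The sample descriptor and its file names are constructed, and the function names are hypothetical; the header layout follows VMware's published VMDK format.

```python
import re
import struct

SPARSE_MAGIC = b"KDMV"  # 0x564d444b stored little-endian at offset 0 of a sparse extent
SECTOR = 512
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)[ \t]+(\d+)[ \t]+(\w+)(?:[ \t]+"([^"]+)")?', re.M)
TYPE_RE = re.compile(r'^createType\s*=\s*"([^"]+)"', re.M)

def parse_descriptor(text: str) -> dict:
    """Pull the disk type and extent list out of a VMDK text descriptor."""
    m = TYPE_RE.search(text)
    extents = [(a, int(n), t, f) for a, n, t, f in EXTENT_RE.findall(text)]
    return {"create_type": m.group(1) if m else None, "extents": extents,
            "virtual_bytes": sum(n for _, n, _, _ in extents) * SECTOR}

def classify_vmdk(data: bytes) -> dict:
    """Classify the leading bytes of a .vmdk file (pass at least the first 64 KiB)."""
    if data[:4] == SPARSE_MAGIC and len(data) >= 44:
        # magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize
        _, version, _, capacity, _, d_off, d_size = struct.unpack_from("<4sIIQQQQ", data)
        info = {"kind": "sparse-extent", "version": version,
                "virtual_bytes": capacity * SECTOR}
        if d_off:  # monolithic sparse disks embed the descriptor inside the extent
            raw = data[d_off * SECTOR:(d_off + d_size) * SECTOR].split(b"\0", 1)[0]
            desc = parse_descriptor(raw.decode("ascii", "replace"))
            if desc["extents"]:
                info.update(desc)
        return info
    text = data[:65536].decode("ascii", "replace")
    if TYPE_RE.search(text):
        return {"kind": "descriptor", **parse_descriptor(text)}
    return {"kind": "raw-or-unknown"}

def acquired_whole_disk(info: dict, acquired_bytes: int) -> bool:
    """True only if the acquired data is as large as the declared virtual disk."""
    return "virtual_bytes" in info and acquired_bytes == info["virtual_bytes"]

# Constructed sample: descriptor of a split sparse disk (file names are made up).
SAMPLE_DESCRIPTOR = b"""# Disk DescriptorFile
version=1
createType="twoGbMaxExtentSparse"

# Extent description
RW 4192256 SPARSE "course-vm-s001.vmdk"
RW 4192256 SPARSE "course-vm-s002.vmdk"
"""

if __name__ == "__main__":
    info = classify_vmdk(SAMPLE_DESCRIPTOR)
    print(info["kind"], info["create_type"], info["virtual_bytes"])
    print(acquired_whole_disk(info, len(SAMPLE_DESCRIPTOR)))
```

For a real file, pass `open(path, "rb").read(1 << 20)` to `classify_vmdk` and the acquired size reported by the imaging tool to `acquired_whole_disk`.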
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sat Nov 19, 2011 11:23 am

Have you read the following?
www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf
mikhl
Newbie
Joined: Aug 17, 2011
Posts: 10
Location: NE England

Posted: Sat Nov 19, 2011 12:12 pm

I have. I have followed what has been said in this article with the results as previously stated.

I'm not saying I'm going to give up. I am creating a number of VMs to take to the lab on Monday, or maybe even Sunday :s I may be missing something, and I want to make sure that I am getting it right.

Thanks for the reply
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sun Nov 20, 2011 5:58 am

I just found the following which states that EnCase can directly analyze VMDK files (page 5).

https://docs.google.com/viewer?url=http%3A%2F%2Fwww.mediarecovery.pl%2Fdoc%2Fencase-forensic%2FDetailed_Product_Description.pdf
mikhl
Newbie
Joined: Aug 17, 2011
Posts: 10
Location: NE England

Posted: Sun Nov 20, 2011 1:15 pm

Thanks PreferredUser. I'll have a look tomorrow to see if I can get this to work... well, later today when I awaken.
athulin
Newbie
Joined: Oct 19, 2007
Posts: 239

Posted: Sun Nov 20, 2011 10:17 pm    Post subject: Re: imaging a virtual machine

mikhl wrote:

So far my process has been: open the .vmdk in FTK and click File > Export disk image.


FTK ... full version or FTK Imager? Latest version -- there's a note about preview problems when IE9 is installed?
heroinez
Newbie
Joined: Apr 27, 2012
Posts: 4

Posted: Wed May 09, 2012 1:18 pm    Post subject: journal

Sorry, can someone here help me to find good literature or a journal that discusses virtual machine forensics?
I've been looking for it through Google, but I can't find a topic relevant to my task...
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed May 09, 2012 2:47 pm    Post subject: Re: journal

heroinez wrote:
Sorry, can someone here help me to find good literature or a journal that discusses virtual machine forensics?
I've been looking for it through Google, but I can't find a topic relevant to my task...


Really? If you cannot find any relevant material you should change majors now. http://bit.ly/KLgRfC
janeleonard
Newbie
Joined: Oct 03, 2014
Posts: 5

Posted: Fri Oct 03, 2014 7:21 pm

It does depend on your system and its OS configuration. If it is not the case then look for the right guidelines to do so.
All times are GMT + 10 Hours

 