Brett's Blog

Workarounds to Workarounds (and some hints & reminders)

Every now and then, I get email from readers who have difficulties, and some areas come up more often.  I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests.  Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.

1. Building and booting UEFI/GPT systems and remembering the registry edit

A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8.  Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disks grows.  If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old.  There’s a sample screenshot in the above post.  Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:

[Screenshot: GPT Disk]

X-Ways Forensics users will receive the answer to the clue without having to guess.  The GPT partitioning style with the four partitions, including the MS reserved partition, means that you have a UEFI system.  The FAT32 partition likely holds your EFI boot data:

[Screenshot: EFI]

The first reminder is that we usually must edit the registry and at least one user’s password to boot into Windows 8.  Since the beginning of my blog, I described how to build your VM by selecting the option for a SCSI disk in VMware.

[Screenshot: scsi]

That option required an edit to the registry to enable the LSI SCSI service to start on boot:

[Screenshot: LSI SCSI]

After mounting our VM, we loaded the target’s System hive into our own registry.  We navigated to the proper control set’s Services key and then to the LSI_SCSI subkey.  There, we edited the Start value’s data to 0x00, as above.

Well, what happens if you find a System hive that looks like this:

[Screenshot: SAS]

As you can see, there is no LSI_SCSI key.  If you find this to be the case, you have a couple of choices.  You can start over and select the LSI Logic SAS option as in the Virtual Machine Wizard screenshot above that displays the controller types.  Then, edit the registry by setting the first LSI_SAS controller’s Start value data to 0x00.  A quicker alternative is to edit the mounted registry hive and your VMX file by replacing the highlighted line in the next screenshot with the one that follows.  Of course, if you examine the target registry in your forensic tools you can determine the configuration before you even consider building a VM.

[Screenshot: scsi vmx]

Replace the above parameter with this one:

[Screenshot: SAS vmx]

Please don’t forget to insert the firmware = “efi” parameter that I described in earlier posts!  If you edit the VMX and your VM hangs, reboot into the Boot Manager, which you usually can access by pressing F2 a few times during the boot process.  There, just select the virtual VMware Virtual SCSI disk and hit Enter.

[Screenshot: Boot manager]

2. Password removal

Back here, I described the Windows 8 feature that allows users to log on to their systems with MS Account credentials.  This feature allows both local and online logon.  The required password strength makes a hash attack a little more difficult.  However, the most important thing to remember is that, to gain access to the system, a password is required.  You cannot “blank” the password using tools like the Linux-based boot CD or NTPwedit.  You must change the password.  Although some tools ostensibly allow you to change the password, I’ve found that they fail in that regard.  I still know of only one tool (commercial, but cheap) that works: Reset Windows Password (RWP), which is available at http://www.passcape.com/reset_windows_password and produced by Passcape Software.  I described its use and a UEFI workaround process here.

The workaround arose from the need to edit the password on a UEFI/GPT MS Account system with a tool on a bootable ISO/CD.  In hindsight, I should have suggested a quicker approach, which I will describe here.  As seen in one of the above screenshots, we edited our VMX file to enable the EFI firmware.  Passcape’s RWP is not yet available for use on a bootable UEFI USB device.  So, if you use RWP or any tool on a bootable ISO, you need to re-edit your VMX as follows:

[Screenshot: edit to bios]

Once you re-edit the VMX file, you can boot to a non-EFI medium.  Just remember to change it back to EFI thereafter, or your system will not boot to Windows (“operating system not found” message).  I’ll add that RWP also allows you to invoke regedit and several other utilities directly from within the application.
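
The VMX edits in sections 1 and 2 (the controller line matched to whichever LSI service the target’s System hive actually contains, the firmware = "efi" line, and the temporary switch to BIOS firmware for a non-EFI boot ISO) can be scripted rather than hand-edited.  The following is an added example, not code from this post or from VMware; it assumes the standard VMX keys scsi0.virtualDev (lsilogic for the LSI Logic parallel controller, lsisas1068 for LSI Logic SAS) and firmware, and a list of service names that you have already read from the mounted hive:

```python
import re

# Storage service present in the target's System hive -> VMX controller type that
# loads that driver. LSI_SCSI / LSI_SAS are the service names the post shows; the
# VMX values are VMware's standard ones (assumption stated in the lead-in).
SERVICE_TO_VIRTUALDEV = {"LSI_SCSI": "lsilogic", "LSI_SAS": "lsisas1068"}

_KV = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Split a VMX into (key, value) pairs; other lines are kept as (None, line)."""
    entries = []
    for line in text.splitlines():
        m = _KV.match(line)
        entries.append((m.group(1), m.group(2)) if m else (None, line))
    return entries


def render_vmx(entries):
    return "\n".join(f'{k} = "{v}"' if k is not None else v for k, v in entries) + "\n"


def set_key(entries, key, value):
    """Replace key's value (VMX keys are case-insensitive); append the key if absent."""
    out, found = [], False
    for k, v in entries:
        if k is not None and k.lower() == key.lower():
            out.append((key, value))
            found = True
        else:
            out.append((k, v))
    if not found:
        out.append((key, value))
    return out


def get_value(vmx_text, key):
    for k, v in parse_vmx(vmx_text):
        if k is not None and k.lower() == key.lower():
            return v
    return None


def choose_controller(services_in_hive):
    """Apply the post's rule: use LSI_SCSI if the hive has it, otherwise LSI_SAS.

    Returns (service whose Start value you set to 0x00, scsi0.virtualDev value).
    Refuses when neither exists, since no registry edit could then make the VM boot.
    """
    present = {s.upper() for s in services_in_hive}
    for svc in ("LSI_SCSI", "LSI_SAS"):
        if svc in present:
            return svc, SERVICE_TO_VIRTUALDEV[svc]
    raise ValueError("neither LSI_SCSI nor LSI_SAS found under Services")


def configure_uefi_vmx(vmx_text, services_in_hive):
    """Set the controller line to match the hive and add firmware = "efi"."""
    svc, dev = choose_controller(services_in_hive)
    entries = set_key(parse_vmx(vmx_text), "scsi0.virtualDev", dev)
    entries = set_key(entries, "firmware", "efi")
    return render_vmx(entries), svc


def set_firmware(vmx_text, mode):
    """Flip between "efi" (normal boot) and "bios" (booting a non-EFI ISO such as RWP)."""
    if mode not in ("efi", "bios"):
        raise ValueError("firmware must be 'efi' or 'bios'")
    return render_vmx(set_key(parse_vmx(vmx_text), "firmware", mode))


# Constructed sample VMX fragment (not taken from the post's screenshots).
SAMPLE_VMX = '''.encoding = "windows-1252"
config.version = "8"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.fileName = "target.vmdk"
'''

if __name__ == "__main__":
    vmx, svc = configure_uefi_vmx(SAMPLE_VMX, ["LSI_SAS", "disk", "volmgr"])
    print(f"set Start=0x00 on Services\\{svc}; VMX is now:\n{vmx}")
    print("for a BIOS boot ISO:\n" + set_firmware(vmx, "bios"))
```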

3. Shadow Volumes and Russian Dolls

This is another topic that folks bring up occasionally.  If we mount a shadow volume directly from an image or from an image that we boot in VMware, we’ll find that the shadow volume, itself, contains a System Volume Information (SVI) folder that contains shadow volumes.  Let’s say that we mount a shadow volume that was created on October 1, 2014, and was the earliest shadow volume in our target system.  When we look in the SVI folder of that mounted shadow volume, we may find a shadow volume that was created on September 1, 2014.  Now, it seems logical to assume that we can mount the latter shadow volume and go back in time even further, perhaps to the date when the system first was used.  We can’t.  I’ve tried a few approaches, including running vssadmin against the mapped shadow volume and attempting to boot the mapped shadow volume.  Neither method worked.  I wasn’t able to boot a shadow volume, even by reconstructing a physical disk with that volume.  I also ran this theory by one of the world’s leading Windows forensics experts, Troy Larson, who, not surprisingly, thought about this concept long before I did.  In short, Troy suspected that the shadow volume files and other data within a mounted shadow volume were incomplete and could not be reliably processed by the system.  Remember that shadow volumes really are “difference” files that depend on one another, and inconsistencies in any of them can affect their functionality.

NOTE: I’d like to direct readers to the comment posted by Joachim Metz.  He’s done a great job of documenting shadow volumes and provided a link to a paper that he published.  His comment and paper may provide the precise answer.

For those who want to play around with UEFI, VMware has a preview edition available that affords some undocumented (buggy) enhancements, so be careful if you give it a shot.  That’s all for now.

A Quicker Way to the Shadow Volumes and Dealing with Win 8 VHDXs

Arsenal Image Mounter (AIM) is a new image-mounting tool from Arsenal Recon.  Not only is it free, but the folks at Arsenal have been gracious in lending support.  AIM employs a special SCSI driver that lets us mount image files of various types so that Windows Disk Manager can see our mounted image (a pseudo disk, as I like to call it) as an actual disk. This innovation allows us to access shadow volumes in a completely new way and avoid converting images to, for example, VHD files.  AIM also can mount our image as write protected or as writable.  I won’t go into more depth on AIM’s features, as you can visit the web site to learn more and acquire a copy.

Heretofore, Windows would not enumerate shadow volumes on images mounted with the most popular tools, e.g., FTK Imager, Mount Image Pro, etc.  A notable exception is a Windows virtual disk file (VHD), which is not used to an appreciable extent, if at all, as the target of a disk image file in computer forensics.  I’ve explained before how to work with these virtual disks with respect to the Windows 7 variety (VHD).  Windows 8 brings a new format, which is the VHDX file, which I’ll mention again later.  For now, suffice it to say that there no longer is a need to convert a dd image to a VHD if your goal is to access shadow volumes on your host system.  As I’ve demonstrated in my VHD post, the conversion required the addition of data to the end of your dd image.  While that made an easily reversible change to an original image file, some folks were not comfortable doing so and chose to create a spare dd file.

Let’s take a closer look at AIM and how it can help us get to shadow volumes very handily.  I’m going to work with a dd image of a Windows 7 system, though there is no difference with an E01.  In the following screenshot, I’ve opened AIM and navigated to my image file (001).

[Screenshot: AIM1]

Next, we’ll see the window that AIM presents after I select the image.  I’m going to maintain the default options, which the screenshot depicts.  Typically, we don’t have to ask AIM to fake (cache) a disk signature, which AIM allows because Windows won’t mount a disk if it does not have a signature.  I’ve seen only one case in which a disk signature was absent, and it concerned a VHD file created by Windows 7’s system image feature.  Note that AIM handles 4KB (and other) sectors.

[Screenshot: AIM options]

[Screenshot: AIM2a]

After I click OK, AIM presents the mounted disk as Drive 10 in my system (above and in the next screenshot), which we then can find in Explorer as well as in Disk Manager.  Note that Disk Manager reports the pseudo disk as it does every other disk, but indicates that it is read only.  In case you haven’t looked or noticed it before, mount an image with another tool and compare Disk Manager’s findings with an AIM-mounted image.

[Screenshot: AIM3]

Next, let’s access shadow volumes without using virtual machines or any other steps outside of our host system (mine is Windows 8).  As you’ve seen in one of the screenshots, our mounted image’s system volume was mapped to Drive M. The next demo is a video, which presents how we can enumerate the shadow volumes on Drive M.

 

Again, you can try that with another image mounter to see the distinction.  Now, we’ll map one of the shadow volumes with Dan Mares’s VSS, which is a tool that I’ve mentioned frequently in my blog. The basics of VSS can be found here, among other posts.  You can pick up VSS free at http://www.maresware.com/.  The next video demonstrates VSS.

[Embedded video]

At this point, we can work with Drive P as we can with any logical volume.  We can open the volume in most forensics tools or image the logical volume if we wish.  Remember, too, that an alternative to mapping a shadow volume to a drive letter is to create a symbolic link to the volume.  The next screenshot shows how this is done.  We’ll create a link to Shadow Volume 13 in the aaa directory.  Remember to add the trailing backslash in the syntax, after the ShadowCopy number.

[Screenshot: mklink]

While I’m talking about Symlinks, it’s important to note that Windows uses them in various places on our systems.  For example, \Users\All Users is a SymLink to \Program Data on the active system partition.  If, for example, we open Users\All Users on our mapped shadow volume (P) and open Program Data on our host system, we can see that their contents are the same:

[Screenshot: symlinks]

This will happen whether you map the shadow volume to a drive letter or create a SymLink.  Needless to say, this can lead to some misinterpretations during an exam.  However, if you open the mapped shadow volume in a forensic tool, at least with X-Ways Forensics, the SymLink issue will be ignored.

Now, let’s return to VHDX files briefly.  At this time, a number of forensic tools can’t access that file format.  If you encounter one, it likely will be a system image backup on a Win 8 image.  To give most tools access to your VHDX file, mount the Win 8 image file in a Win 8 host with AIM.  The next video follows the process:

[Embedded video]

Note that this works when you mount your VHDX-host image with AIM.  It likely will not work with other imagers that don’t allow Disk Manager to have access to the mounted image.  While you can copy the VHDX from your image to a Win 8 host, it’s unnecessary if you have AIM.  Another option is to create a VM from your Win 8 image, mount the VHDX therein, and access the mounted VHDX file with X-Ways Forensics from a thumb drive.  When you’re done, right-click the mounted VHDX in Disk Manager and opt to detach the disk.  Bear in mind that Win 7 will not mount a VHDX file.

  1. Dave Reid

    February 3, 2015 at 9:38 am

    Hi Jimmy,

    I have a multi-part E01 file and no matter what way I try to mount it with AIM, raw or multi-part raw, I get a virtual drive of 4GB in size. This coincidentally is the size of the E0 segments. The E0 files were created with compression and I wonder if this is the issue.

    dave

    • jimmyweg

      February 3, 2015 at 9:48 am

      It’s not the compression. If you’re using AIM, can you not just get to the shadow volumes in your host system without a VM? Does the disk appear in Windows Disk Manager?

      • Dave Reid

        February 3, 2015 at 10:19 am

        Jimmy,

        Think we have crossed wires somewhere. I cannot get AIM to recognize any disk image with an E0 format. I have now tried several and the resultant disk offered as mounted is only the size of the first E0 file, either 2GB or 4GB dependent on how the original image was taken. When I check the mounted drive in disk management the disk is unallocated and uninitialized and is specified at the same 2GB or 4GB size. I’m not sure I get your comment about VMs as I am not running one. The article above seemed to be about accessing an image without any mention of VMs.

        Sorry if I’m being a bit dense.

        Dave

  2. Thierry_Fr

    July 7, 2014 at 1:09 pm

    Thanks Mr Weg for your very interesting posts and work.
    Thanks to you, I discovered two great tools to work with VSS. Strangely, when I mounted the VSS with “vss.exe” it didn’t appear in Explorer or X-Ways like a new hard drive. I tried with a volume image; I’ll try with a real disk image to see if that makes a difference.

    • jimmyweg

      July 7, 2014 at 2:10 pm

      Thanks for writing. The mounted shadow volume will appear in Explorer and in X-Ways as a volume and not as a disk. You simply can add the mounted volume to XWF.

      • Thierry_Fr

        July 8, 2014 at 11:54 am

        Thanks for your quick answer. In fact the VSS doesn’t appear at all. I will make a few more tests and make a return.

        • jimmyweg

          July 8, 2014 at 2:27 pm

          If you’re running VSS correctly, it will identify the volume letter that it assigned to the SV. Hence, the SV will have mounted and be visible in Explorer/XWF. I’m guessing that you’re not actually mounting the SV.

  3. MC

    June 25, 2014 at 10:01 am

    Thanks for the post Jimmy! I was looking forward to trying this out. However, I didn’t get very far…

    I am able to use AIM to mount my E01 image (although the volumes appear as “Removable Drives” for some reason). But, when I try to list the shadow copies with vss, I get a message stating “No items found that satisfy the query” and no shadow volumes are listed. I can see from the image file that the volume contains shadow copies. I’ve tried it with 3 different image files now, all with the same results.

    Does this have anything to do with a permissions issue in Windows 7?

    I’m sure that I’m doing something wrong, but I’m kind of stuck here…

    Thanks

    • jimmyweg

      June 25, 2014 at 10:54 am

      Thanks for writing, Meghan. I think it’s a permissions issue. Are you running vssadmin as Admin? You should. I’m not sure what you mean by the mounted image appearing as a removable drive. It should show up in Disk Manager as a physical disk with volumes.

      • MC

        June 25, 2014 at 11:33 am

        Jimmy,
        Thanks for the quick reply. I am running vssadmin as Administrator. The volumes are mapped in Disk Management. For what it’s worth, when I use the command to “List Volumes,” it only shows me my local volumes (not the newly mounted volumes). But, I can’t even list the shadow volumes for my local drives either.

        Thanks

        • jimmyweg

          June 25, 2014 at 12:25 pm

          Just to be sure we’re on the same page, the syntax is “vssadmin list shadows /for=x:” where “x” is the logical volume that contains the target SVs. Are you sure that the SVs on your target are existing files, and not previously existing files that your forensic tool reports (but Windows would not)?

          • MC

            June 25, 2014 at 12:54 pm

            Using the syntax vssadmin list shadows /for=. The SVs on the target are existing files, although there are some previously existing files as well. I also ran my 3 images through IEF and it recovered data from the SVs.

          • jimmyweg

            June 25, 2014 at 2:53 pm

            Well, I’m not sure what’s up at this point. Can you enumerate SVs on your own system with vssadmin? If there are none (system protection off), turn on system protection, create one, and run a test. The “No items found that satisfy the query” usually means none exist or maybe no permission.

          • MC

            June 26, 2014 at 9:29 am

            Thanks Jimmy. Getting closer. I was able to create one on my system and subsequently see it using vssadmin. But for some reason, I can’t see any from my mounted images. I also don’t see any when I choose the option to ‘Restore previous versions’ from the right-click menu in Windows, even though I see there are shadow copies. Not sure what’s going on…

          • jimmyweg

            June 26, 2014 at 3:32 pm

            Are you logged on as Admin to your host machine? I know that you are running vssadmin as Admin. If you have a VM of a Win 7 system (SEAT), add the mounted disk to that VM as a physical disk (there’s instructions on the blog). Then run vssadmin in the VM, targeting the added disk’s volume. It’s also possible that your SV structure is corrupt. Have you tried other mounted image files? If the issue arises in more than the one image, I think that the issue has to be with your system.

  4. Preston Farley

    June 8, 2014 at 8:19 pm

    Jimmy,

    Thanks for the great post and for all you’ve given to the community over the years. I’ve been lurking your posts and attempting to learn from them for a long time now. BTW, the hyperlink for AIM is printed properly in your article, but it is missing a colon when you click on it, in case that was not intentional.

    Thanks again for all that you do.
    ~bina computationem pro justitia

    • jimmyweg

      June 10, 2014 at 1:32 pm

      Thanks for your kind words, Preston. The link should have worked as it was, but I fixed it now with a TinyUrl.

  5. Luigi Ranzato

    June 4, 2014 at 5:37 am

    Hi Jimmy,
    thanks for the post, very useful for me;
    Yesterday I tried the extraction operations, but not all goes right.

    In particular:
    1) Mounting with arsenal imager was OK;
    2) Automounting with vss.exe was OK;
    3) but, when I used FTK imager for ramdisk extraction, it has been stopped by “windows defender” while trying extraction a probable malware.

    So, FTK imager has been stopped by “windows defender” and I assume that for a total extraction, I need to use a VM without any protections

    • jimmyweg

      June 4, 2014 at 8:35 am

      Thanks for writing, Luigi. I’ve disabled Windows Defender, and I think that you should do so. I don’t think it’s necessary for what you’re doing. Maybe you can write an exception for FTKI in Defender. I know that my antivirus doesn’t affect this operation.

RAIDs & Virtual Machines

After a colleague posed a question about building VMs from RAIDs, I thought it might be a good topic for a post.  I won’t go into RAID basics, as you probably have a good grasp of that topic already if you’re visiting my site.  The RAID systems that I see most often are RAID 0s, insofar as the system disk is concerned.  We’re not concerned about a box that contains a system disk plus any variety of RAID.

In addition to being RAID 0s, the systems that are most common in my shop contain two disks.  Frankly, I’d be a little hesitant about building a system on a RAID 0 with more disks because of the lack of fault tolerance.  For our purpose, it really doesn’t matter.  In fact, we can build our VM from a RAID 5 or even some versions of RAID 6, if we use the world’s leading forensics tool, X-Ways Forensics (XWF).  For this demo, I’m going to use a two-disk RAID 0.  The first step is to create an image of each disk.  For the original images, the format is irrelevant.  I say “original” because we’re going to create another image later.

As in most cases with XWF, there are a few (X) ways to approach a task.  Let’s say that you don’t know whether you have a RAID, so you simply add your images to your case, as in the following video.

[Embedded video]

We now have two raw disks in our case.  XWF also advised us that the disk structure implies that a RAID may be present (the MFT message indicates the possibility of an implausible file record and likely is of no consequence).  A little exploration will confirm that a RAID is present, so we can proceed to reconstruct the RAID.

[Embedded video]

When we add disk images to our case, XWF intuitively offers them as physical and/or logical disks in further tasks, as in the Select Disk box that we saw in the video.  We see that our original disk images remain in our case, but it’s really not necessary to keep them.  In fact, we didn’t have to add them when we created our case.  For example, during the original imaging process, we could take a look at the original disks through our write blocker and determine that we have a RAID 0.  After imaging, we can mount each image as a physical disk with FTK Imager or the tool of our choice.

Note that our image files are mounted as PhysicalDrive9 and PhysicalDrive10.  We can now create a case in XWF and reconstruct a RAID right from the start, without adding images or media.

We begin by reconstructing a RAID, just as we did before.  We’ll see that Disks 9 and 10 are offered as candidates for RAID reconstruction.  After reconstructing the RAID, we’ll add it to our case through the context menu, as before.  Note, however, that we must have our images mounted as disks to access our XWF case in the future.  With the previous method, our image files are always in place.

You may recall that I mentioned stripe size in terms of sectors.  Many of us are accustomed to referring to stripe sizes in terms of kilobytes, e.g., 128KB, which is a common stripe size for RAID 0s. XWF requires stripe size to be expressed as a number of sectors.  It’s easy math to determine sectors by dividing the number of bytes by sector size, which usually is 512 bytes (but could be 4,096 bytes these days).  Also, “bytes” mean the exact number: 128KB=131,072 bytes, so 131,072/512=256 sectors.  Determining the correct stripe size may take a little research or trial and error.

We now can work our case in XWF as we would with a typical single-disk case.  If we want to build a VM from our image files, we should create a new image from the physical, reconstructed RAID.  From the XWF File menu, we select Create Disk Image, and XWF will present the following option box:

In the case tree, our RAID 0 is highlighted, and the viewer window is in Disk mode.  My Create Disk Image options box is set to create a Raw (DD) image of the physical disk, which is our RAID 0.  Once the image is created, we can create a VM from the image as we would with any image of a single disk system.  It’s that easy!
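
For readers without XWF, the same stripe arithmetic and round-robin reassembly can be done directly against the member images to produce the raw image that the VM is built from.  This is an added example, not XWF’s code or this post’s, and it assumes a two-member RAID 0 whose member order and stripe size are known; it also includes a cheap boot-sector/GPT-header check for the trial-and-error stage mentioned above, and the demo builds constructed member images in a temporary directory:

```python
import os
import tempfile


def stripe_sectors(stripe_kb, sector_size=512):
    """Convert a stripe size in KB to the sector count XWF asks for.

    128KB with 512-byte sectors -> 131072 / 512 = 256; with 4096-byte sectors -> 32.
    """
    stripe_bytes = stripe_kb * 1024
    if stripe_bytes % sector_size:
        raise ValueError("stripe size is not a whole number of sectors")
    return stripe_bytes // sector_size


def reassemble_raid0(member_paths, out_path, stripe_kb, sector_size=512):
    """Interleave stripes round-robin: stripe 0 from member 0, stripe 1 from member 1, ...

    Member order and stripe size must already be right; a wrong guess still
    produces a file, which is what validate_candidate() is for. Returns bytes written.
    """
    if not member_paths:
        raise ValueError("no member images given")
    stripe_bytes = stripe_sectors(stripe_kb, sector_size) * sector_size
    members = [open(p, "rb") for p in member_paths]
    written = 0
    try:
        with open(out_path, "wb") as out:
            while True:
                for f in members:
                    chunk = f.read(stripe_bytes)
                    if not chunk:                  # member exhausted: the array ends here
                        return written
                    out.write(chunk)
                    written += len(chunk)
                    if len(chunk) < stripe_bytes:  # ragged final stripe
                        return written
    finally:
        for f in members:
            f.close()


def validate_candidate(path, sector_size=512):
    """Sanity check for the trial-and-error stage: sector 0 should end in the 0x55AA
    boot signature and, on a GPT disk such as the UEFI systems discussed above,
    sector 1 should start with the "EFI PART" header. Returns (mbr_sig, gpt_hdr)."""
    with open(path, "rb") as f:
        s0 = f.read(sector_size)
        s1 = f.read(sector_size)
    return (s0[510:512] == b"\x55\xaa", s1[:8] == b"EFI PART")


def build_demo_members(directory, stripe_kb=2, stripes_per_disk=3):
    """Write two constructed member images: stripe k is filled with byte value k,
    and stripe 0 carries an MBR signature plus a GPT header marker in sector 1."""
    n = stripe_sectors(stripe_kb) * 512
    stripes = [bytearray(bytes([k]) * n) for k in range(2 * stripes_per_disk)]
    stripes[0][510:512] = b"\x55\xaa"
    stripes[0][512:520] = b"EFI PART"
    expected = b"".join(stripes)
    paths = []
    for d in range(2):                      # even stripes -> disk0, odd stripes -> disk1
        p = os.path.join(directory, f"disk{d}.dd")
        with open(p, "wb") as f:
            for k in range(d, 2 * stripes_per_disk, 2):
                f.write(stripes[k])
        paths.append(p)
    return paths, expected


def run_demo(reverse_members=False):
    """Reassemble the constructed pair; with the members reversed the result fails
    validate_candidate(), which is what a wrong member order looks like in practice."""
    with tempfile.TemporaryDirectory() as d:
        paths, expected = build_demo_members(d)
        if reverse_members:
            paths = paths[::-1]
        out = os.path.join(d, "raid0.dd")
        size = reassemble_raid0(paths, out, stripe_kb=2)
        with open(out, "rb") as f:
            matches = f.read() == expected
        return size, matches, validate_candidate(out)


if __name__ == "__main__":
    print("128KB stripe =", stripe_sectors(128), "sectors of 512 bytes")
    print("correct order:", run_demo())
    print("reversed order:", run_demo(reverse_members=True))
```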

Getting a Quick Look at Shadow Volumes

We’ve come to the point where we can conduct a rather complete exam of shadow volumes using dd and E01 image files.  Let’s say that we don’t need to do such a complete exam.  For example, we’re confident that one particular folder may contain previous, unrecovered copies of a small number of relevant files.  Maybe we’re looking for one file in particular.  In those instances, we may not need to mount the shadow volumes.

We can accomplish this task in either our SEAT workstation, in which we added a virtual disk of the target system, or in a running VM of the target.  The latter approach is required for E01 images and optional for dd image files.  You also can accomplish this with the VHD method that I presented earlier.  The approach is the same regardless of which method you choose.  Remember, however, that using a “live” VM of a system runs the risk that the system will delete old shadow volumes.  The risk can be overcome, but keep it in mind.

To demonstrate the procedure, I’m going to use my SEAT workstation, in which I added a virtual disk.

[Embedded video]

It’s that easy!  Note, too, that you can invoke Windows Previous Versions on almost any file or folder.

In my example, no previous versions existed.  If they had, we would have seen a list of earlier versions by date.  We then could open and examine any available version of the file.  Should you find files of value in the approach that I presented, you can copy the files from the VM to your host system.  Copying is seamless if you install VMware Tools in your VM.  Otherwise, you can enable a shared folder with your host.  Any such copy operation, however, is not a forensic recovery, so consider whether it suits your needs.

Now that we have a quick and easy approach to a limited review of shadow volumes, don’t become too accustomed to using it into the future.  Windows 8 seems to have done away with the Previous Versions aspect of the Volume Shadow Service.  In my tests of the latest Windows 8 Enterprise edition, it’s gone, and I believe that this has been confirmed on MSDN or similar forums.  We can take heart, however, in the fact that shadow volumes remain; at least for the time being.

Mounting Shadow Volumes

We’ve built our SEAT VM and added our target image to it as a virtual disk.  The first thing that I do is verify that all of the shadow volumes are present.  My first post presented a screenshot from the image file (MyImage) and depicted the shadow volumes.  We can compare the shadow volumes from the image file with those in our VM.  The following video presents the steps we use to enumerate the shadow volumes with the native vssadmin command run from our administrative command prompt.

[Embedded video]

The screen populates quite quickly, but the point is that we can identify the number of shadow volumes and their respective creation dates.  To make it easy to copy, here’s the syntax: vssadmin list shadows /for=[your target volume letter followed by a colon].  Note, too, that your beginning shadow volume number will be different from mine and does not necessarily start with the number one.  Another trick is to re-run the command and export the output to a text file, by adding a space at the end followed by >[path to your text file] [name of text file]. Creating a text file is handy for documenting your findings and for copying the shadow volume names, which we’ll do later.

Now we can mount any or all of our shadow volumes for examination.  We’re going to use VSS, which is a free, command line tool written by Dan Mares, who is a creative, long-time forensic software developer and examiner.  Dan also has developed free tools that are adjuncts to X-Ways Forensics and which help users customize certain reports.  You can pick up a copy of VSS at http://www.dmares.com/pub/nt_32/vss.exe.  Be sure to check for updates, as Dan is great about implementing suggestions.  You’ll also want to check out his other tools at http://www.maresware.com/.  Thanks, Dan!

There are a few ways in which we can use VSS.  We can mount one shadow volume; multiple shadow volumes that are numbered consecutively; or multiple, non-consecutive shadow volumes.  The following screenshot displays the syntax.

We already have a list of shadow volumes produced by vssadmin.  It’s now a matter of selecting the correct volume to provide to VSS.  Let’s go back to an abbreviated view of vssadmin’s output.  

The screenshot identifies one shadow volume.  It may not be terribly clear, but the shadow volume path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5. We’ll feed that path to VSS and mount the shadow volume.  We need only choose an unused volume letter, and we’ll pick H:

After executing the command, VSS will prompt us to hit <Return> one more time and then present what the screenshot depicts.  It includes the root directory listing.  Our shadow volume (#5) now is mounted as Volume H:.  You can repeat that process and mount any, or as many, shadow volumes as remaining drive letters permit.

Hint: to repeat the process, use your up-arrow and simply replace the volume letter and shadow volume number (#), i.e., ShadowCopy[#].  There is no need to copy/paste the entire path repeatedly.

Next, we’ll mount a range of shadow volumes.  First, let’s look at the syntax, which is provided in VSS’ on-screen help.

We can start with a given shadow volume and mount every shadow volume that follows, up to our choice of the last shadow volume number.  In our case, there are 19 shadow volumes and the first is #5.  (I haven’t researched the question of why shadow volume numbers often start at a number greater than #1, but it doesn’t appear that it’s because there were X previous ones.  Windows authority Troy Larson probably knows!)  Before we go forth, I want to point out that you should study the dates of the shadow volumes in relation to your case.  Several restore points can be created on the same day, perhaps within hours of one another.  You’ll cut your exam and VM overhead if you exercise some judgment in picking the shadow volumes to mount and examine.

For demonstration purposes, let’s mount them all.  I’ll start with no shadow volumes mounted and enter vss h: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5 23 AUTO.  Note that AUTO is upper case.  The first shadow volume is #5, and the last is #23.  Watch:

[Embedded video]

Actually, it was coincidental that I happened to have 19 shadow volumes and 19 open, consecutive drive letters 🙂  To unmap any or all of our shadow volumes, we proceed as in the following screenshot.  I’ll unmap them all.

Following the VSS command, you enter every volume letter, followed by a colon, which you want to unmap.  If unmapping seems to hang, just refresh your screen in Explorer with F5.
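
The vssadmin listing, the vss.exe mount syntax (one volume, or a consecutive run with AUTO) and the mklink form shown in the AIM post above can be tied together in a small script that plans the mounts before you type anything.  This is an added example, not part of this post or of Dan Mares’s tool: the vssadmin output below is constructed to match the tool’s layout (the creation-time format follows the US locale), and plan_mounts assumes that AUTO takes consecutive free drive letters starting at the one you give it:

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows /for=M:` output (not captured from the
# post); it follows vssadmin's real layout, with placeholder IDs and three shadows.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 9/1/2014 8:02:11 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
         Originating Machine: target-pc
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 9/1/2014 3:15:02 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6
         Originating Machine: target-pc
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 10/1/2014 3:15:02 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000c}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13
         Originating Machine: target-pc
         Type: ClientAccessibleWriters
"""

_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_VOLUME = re.compile(r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))\s*$")


def vssadmin_list_command(letter, out_file=None):
    """The enumeration command from the post, optionally redirected to a text file."""
    cmd = f"vssadmin list shadows /for={letter.upper()}:"
    return f"{cmd} > {out_file}" if out_file else cmd


def parse_shadows(text):
    """Return [{'number', 'path', 'created'}] in the order vssadmin printed them."""
    shadows, created = [], None
    for line in text.splitlines():
        m = _CREATED.search(line)
        if m:  # US-locale timestamp, as in the constructed sample
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = _VOLUME.search(line)
        if m:
            shadows.append({"number": int(m.group(2)), "path": m.group(1), "created": created})
    return shadows


def consecutive_ranges(numbers):
    """Group shadow numbers into (first, last) runs: [5, 6, 13] -> [(5, 6), (13, 13)]."""
    runs = []
    for n in sorted(numbers):
        if runs and n == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    return runs


def shadow_path(number):
    return rf"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{number}"


def vss_mount_command(letter, first, last=None):
    """vss.exe syntax from the post: one volume, or a consecutive run ended by AUTO (upper case)."""
    cmd = f"vss {letter}: {shadow_path(first)}"
    return cmd if last is None or last == first else f"{cmd} {last} AUTO"


def mklink_command(link_dir, number):
    """mklink /d form from the AIM post; the trailing backslash after the number is required."""
    return f"mklink /d {link_dir} {shadow_path(number)}\\"


def plan_mounts(shadows, first_letter="H", in_use=frozenset()):
    """Assign free drive letters to each run; a run needs consecutive free letters."""
    letters = [c for c in "DEFGHIJKLMNOPQRSTUVWXYZ"
               if c >= first_letter.upper() and c not in in_use]
    commands = []
    for first, last in consecutive_ranges(s["number"] for s in shadows):
        needed = last - first + 1
        if len(letters) < needed or ord(letters[needed - 1]) - ord(letters[0]) != needed - 1:
            raise RuntimeError(f"need {needed} consecutive free letters for ShadowCopy{first}-{last}")
        commands.append(vss_mount_command(letters[0], first, last))
        letters = letters[needed:]
    return commands


if __name__ == "__main__":
    print(vssadmin_list_command("m", r"C:\exam\shadows.txt"))
    for s in parse_shadows(SAMPLE_OUTPUT):
        print(s["number"], s["created"], s["path"])
    print(*plan_mounts(parse_shadows(SAMPLE_OUTPUT)), sep="\n")
    print(mklink_command(r"C:\aaa\sv13", 13))
```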

That’s it for this post.  Next time, I’ll demonstrate one or two exam approaches with X-Ways Forensics. In the meantime, if you get bored, you’re all set to examine your shadow volumes with any tools that you wish to install in your SEAT workstation.

  1. Working with Shadow Volumes

    January 21, 2016 at 1:26 am

    […] shared it.  In fact, I initially used information from his 13 Jul 2012 blog post entitled Mounting Shadow Volumes to mount the VSC of interest as a RAM disk on my analysis system.  At the time that I did […]

  2. Doing Analysis

    January 21, 2016 at 1:16 am

    […] where Jimmy’s blog post on mounting shadow volumes can into play.  Using vss.exe, I added the VSC in question to my analysis system as X:, which […]

  3. Windows forensics (A.Carvey) | Jacques DALBERA's IT world

    December 3, 2015 at 1:48 pm

    […] where Jimmy’s blog post on mounting shadow volumes can into play.  Using vss.exe, I added the VSC in question to my analysis system as X:, which […]

  4. Raffael

    August 23, 2012 at 4:17 am

    Jimmy,
    How do you examine VSS on deleted/recovered partitions?

    • jimmyweg

      August 23, 2012 at 8:34 am

      I’ll have to guess, as I haven’t done that. First, I’ll say that you can’t examine deleted shadow volumes, AFAIK, and I tried. For example, you can recover a deleted SV and copy it into the Sys Vol Info directory. That doesn’t work, and may screw up the shadow volume service. Remember that the SVs are difference files, and the “index” has to track the SVs as a whole to rebuild things. Throwing in a “foreign” SV seems to mess up the system.

      If you can recover a deleted, intact partition, I suspect that you can image it and create a VM or VMware virtual disk from the image. If you can do that, you can probably add it to your SEAT workstation and see whether the VSS can rebuild the SVs. You also may be able to rebuild the entire physical disk (image) and boot the previously deleted partition.

      • Cal

        May 8, 2016 at 2:53 pm

        Hi, nice blog!
        What about an old snapshot of the same, working partition? I mean, every once in a while an older shadow copy is deleted to create a newer one, due to the space constraints on the VS service; however, sometimes a deleted snapshot can be recovered with raw access to the disk, and the .LOG# files in the Sys Vol Info dir should hold some info on syscache.hve changes.

        I wonder if there is a means to verify the integrity of such a recovered shadow and to access it.

        • jimmyweg

          May 9, 2016 at 8:43 pm

          The snapshots depend on linking. After deleting snapshots within a VM, VMware typically has no problem with running the VM from any given snapshot. Forensic tools, however, may be unable to mount the successive snapshots because of linking issues, I suspect. I’ve found it rather difficult to gather much of any data from a deleted (recovered) VSC, because the dependencies are lost.

  5. Ken Pryor

    July 15, 2012 at 6:10 pm

    I’m really enjoying and learning a lot from these tutorials, Jimmy. Thanks for sharing!
    KP

  6. Raffael

    July 15, 2012 at 12:28 am

    Hi Jimmy
    Thanks for your work!
    I usually mount disks with EnCase PE. This allows access to VSCs directly in my workstation (no VM). This approach does not work if you use FTK Imager or Mount Image Pro.

    Looking forward to reading more of your posts!
    Raffael

    • jimmyweg

      July 15, 2012 at 4:37 pm

      Thanks very much, Raffael. Correct, mounting with FTKI or MIP will not provide access to the SVs. I don’t use EnCase, so I can’t speak to this feature, but it does seem handy. Another approach, which I’ll describe in a later post, is mounting a VHD image. The drawback is that you have to create a VHD. If you do, however, you can access the SVs right from your host system.

      • Harlan Carvey

        July 16, 2012 at 4:20 am

        Jimmy,

        I’m not sure how I follow that creating a VHD is a “drawback”, per se. Analysts work on a copy of the acquired image, and not the original “evidence”, and the free tool available from MS simply appends a footer (less than 1K) to the image in order to turn it into a VHD. Once you’ve done that, you can still access the acquired image via FTK Imager, etc.

        Thanks for posting this information…it’s great to see more of this sort of thing making it into the public view. Keep it up…

        • jimmyweg

          July 16, 2012 at 10:19 am

          Thanks, Harlan. Yes, converting the dd to VHD actually is quite simple with VhdTool. In my approach, I use the original image, which is not altered. If I want to convert the image to VHD, I guess that I would make a copy for that purpose, unless you can convert the VHD back to dd, but then you’d want to hash the original again. So, although I do have one or two backups of every dd (as E01) image, having to make another to convert to VHD is something I’d rather avoid. You can build your VMware device in less than one minute. Perhaps someone may develop a tool to image a medium directly to VHD with the appropriate verification, something like E01. AFAIK, that’s not do-able at the moment.

Adding Our Target System to Our SEAT Workstation

In this step, we’ll add our target system’s virtual disk to our SEAT VM.  We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.

Video: Add Virtual Disk

As you saw, we chose to add the disk as an independent disk in non-persistent mode.  Any changes to the disk are discarded when we power off our SEAT VM.  Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM.  Nothing within the shadow volumes will be changed.  Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.

When you add the disk, VMware may present a box that warns of a hardware compatibility issue.  If my SEAT VM was created in an earlier version of VMware, I’ll get the following warning.

If you encounter this, change your SEAT hardware compatibility as in the video.  Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8).  Choose Alter this virtual machine as your last step.

We’re ready to boot our SEAT workstation and get our target ready for a shadow volume exam.  In Windows, we can see our target system as Volumes E:, F:, and G:.  Your volume letters may differ, as may the number of partitions on your target.

A little exploring reveals that our target’s system partition is Volume F:.  While the last screen shot is right above us, I want to point out a very handy feature of VMware, which is the Pause button.  You can see it in the screen shot as the two vertical bars right below the File menu item.  Pausing the VM freezes the action.  So, if you have a number of tasks underway and don’t want to shut down your SEAT VM, just pause it until you want to return to work.  Remember, too, that the VMware Snapshot feature is your friend.

The first thing that I do is write-protect the target system disk.  Even though the disk is non-persistent, it can be written to during our session.  It’s also possible that the volume shadow service may delete one or more of the target’s shadow volumes.  To write-protect our target, we’ll employ Windows Diskpart, a command line tool that’s part of Windows 7.  In the next video, I’ll step through the process.  We’ll begin at the point where I entered the Diskpart shell.

Video: Diskpart

To exit Diskpart, simply type the command exit.  Note that the write protection survives a hot or cold reboot.  Nevertheless, you don’t have to shut down your SEAT VM unless you want to make certain changes to its configuration in VMware; otherwise, you can simply use the Pause feature.  Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.
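As an added example (not code from the original post), here is a small Python wrapper around the same Diskpart commands: it builds the script that diskpart /s runs, reads Diskpart’s own attributes disk output to confirm that the disk really is read-only, and clears the attribute the same way when the exam is done.  The disk number, the function names and the sample Diskpart output are constructed for illustration.

```python
"""Write-protect the target disk inside the SEAT VM with diskpart and verify it.

Added example, not code from the original post.  The diskpart commands are the
ones the post relies on (attributes disk set readonly / clear readonly); the
disk number, function names and the sample diskpart output are constructed."""
import re
import subprocess
import sys
import tempfile


def diskpart_script(disk_number: int, read_only: bool = True) -> str:
    """Script for 'diskpart /s': select the target disk, set or clear its
    read-only attribute, then list the attributes so the result is visible."""
    action = "set" if read_only else "clear"
    return (f"select disk {disk_number}\n"
            f"attributes disk {action} readonly\n"
            "attributes disk\n"
            "exit\n")


def parse_readonly_state(diskpart_output: str) -> bool:
    """True when 'attributes disk' reports the disk as read-only.  Reads the
    'Current Read-only State' line (the effective state), not just the flag."""
    m = re.search(r"^\s*Current Read-only State\s*:\s*(Yes|No)\b",
                  diskpart_output, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("diskpart output has no 'Current Read-only State' line")
    return m.group(1).lower() == "yes"


def set_disk_readonly(disk_number: int, read_only: bool = True) -> bool:
    """Run the script from an elevated prompt on Windows and return the state
    diskpart reports afterwards.  The attribute survives reboots, so call
    this with read_only=False when the shadow volume exam is finished."""
    if sys.platform != "win32":
        raise OSError("diskpart is only available on Windows")
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as script:
        script.write(diskpart_script(disk_number, read_only))
    result = subprocess.run(["diskpart", "/s", script.name],
                            capture_output=True, text=True, check=True)
    return parse_readonly_state(result.stdout)


# Constructed sample of what 'attributes disk' prints after the flag is set.
SAMPLE_OUTPUT = """\
Disk 1 is now the selected disk.

Disk attributes set successfully.

Current Read-only State : Yes
Read-only  : Yes
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No
"""

if __name__ == "__main__":
    print(diskpart_script(1), end="")
    print("read-only:", parse_readonly_state(SAMPLE_OUTPUT))
```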

That’s it for now.  In the next post, I’ll get down to mounting and accessing the shadow volumes.  Thanks for visiting!

3 comments

  1. Gerald

    July 10, 2012 at 7:31 am

    Jimmy,

    Hello, great series and info. Have you experimented with using the SIFT to make all .E01, .AFF or .RAW images available to the Windows Forensic box for Volume Shadow analysis? I have found it to be extremely quick to set up and reliable (takes about two minutes). Successive exams are faster to setup. Corey Harrell did a posting on how to do that here: http://journeyintoir.blogspot.com/2012/05/more-about-volume-shadow-copies.html

    • jimmyweg

      July 10, 2012 at 9:08 am

      >Have you experimented with using the SIFT
      I haven’t. I do have SIFT, but I’m kind of Linux-averse. It’s great stuff, but I like my GUI. I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment. As I mentioned, I can make this work with E01s, but it’s a little more work. I started down this road because I received quite a few remarks about problems with EnCase PDE and LiveView. I don’t use EnCase, so I can’t attest to any issues, but I did play with LiveView and prefer my “hand-built” approach. My aim, which will become a little clearer as I progress, is to do a SV exam with X-Ways Forensics. You can use any tool as long as it will run in a VM. For that matter, you can do the same thing directly in the running VM of the target that we built in my first post. XWF can be run from a thumb! You also can add the target virtual disk directly to SIFT through VMware. You’ll have to let me know what you think as I proceed. Thanks.

      • Gerald

        July 10, 2012 at 9:45 am

        >I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment.

        Absolutely it will work to access VSCs. Just make sure your Win forensic box is on the same subnet as the SIFT workstation. Send me an email at [email address removed] and I will send you back a short PPT on the method. Should save you a bit of experimenting time.

Getting Ready for a Shadow Volume Exam

We now have built a virtual machine from an image of the target system.  Next, we’ll build a Windows 7 VM and configure it as our examination platform: the Shadow Examination and Analysis Technique (SEAT) workstation.  Building the VM basically is the same as installing an operating system from scratch, and I’ll go over the basic steps in the following video.

Video: Build Base VM

I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc.  I have a library of operating systems on ISOs, as they come in handy.  Please be mindful of licensing requirements.  I didn’t install a network adapter, but will do so later.  I use as much RAM as I can afford, and you can experiment.  RAM can be adjusted from a powered off state.  I like using a single, growable disk for my VM.  For the most part, I set up the system as I like.  I turn off User Account Control, but we must leave System Protection enabled.  I also set my folder view options to allow access to hidden and system files.  Remember that you can use snapshots to protect the state of your VM.  Below is a screenshot of my VM.  I keep my frequently used tools on the desktop.  Be sure to include a shortcut to the command prompt, and set it to run in administrator mode.

For you X-Ways users, you can configure your options as you do normally.  Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested.  Remember that XWF, like most forensic suites, is USB-dongle based.  When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.

If you have more than one Feitian dongle, as in the screenshot, you’ll have to experiment to find the correct dongle.  Then, connect it to the VM (Disconnect from host).  Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice.  The easiest thing to do is close the host instances of XWF before you work in the SEAT application.  Of course, if you have more than one dongle, you can work simultaneously in both environments.  Note that you can connect any USB devices that you wish by using the same procedure.

Note, too, that our SEAT workstation is portable.  At the moment, my VM is about 18GB, so it’s easily copied to another forensic workstation or USB drive.  In the next post, I’ll review how we mount the target VM in our SEAT workstation and begin an exam.

4 comments

  1. Derek Frawley

    August 3, 2012 at 11:05 am

    Thanks for the vm creation tutorial.
    Do you have anything that will show how to do this with E01 file(s) or multiple raw files (as mentioned in the tutorial)? Most of the images I have are E01, and it takes too long to re-image.

  2. Scott Koehle

    July 9, 2012 at 7:03 pm

    Great Stuff, Jimmy. Thanks for taking the time to put this website together. Very Helpful.

    Scott Koehle, CFCE
    Altoona Police Department
    1106 16th St
    Altoona, PA 16601
    814-932-2588

Creating a VMware Virtual Machine from a Raw Image File

Welcome to my blog and first post!  My aim is to provide tutorials that describe some of the things about which my colleagues have questions.  I’m neither a seasoned blogger nor videographer, so please bear with me as I progress.  I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish.  Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly.  As you’ll see, I have a plan for a few topics and will consider suggestions thereafter.  I do, however, have a full time job that already extends beyond a “reasonable” workday, so pardon my delays in posting.  The videos herein should be viewed in high-def, and you’re welcome to download them.

This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes.  First, we’ll create a virtual machine from a single dd image file.  In the next presentation, we’ll examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html.  We can create a target-system VM from a segmented image, but it takes more work to create our configuration file.  We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk.  First, I always take care to see that my image file is read only.  Our image file is MyImage.001.  There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment.  I’m using VMware 8.x, but the steps are the same in 7.x.

I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes.  The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as its benefits go far beyond the points that I’ll present.

Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name.  Below is a screen shot of the contents of a Vista/Win7 vmdk file.  The yellow-highlighted fields are the ones that you will edit.  The first is the number of sectors on the physical disk.  Next is the name of your image file.  Then skip the next field (cylinders) for the moment, and be sure that heads=255 and sectors=63.  Then enter the number of cylinders by calculating sectors/255/63.  It’s 19458 in our example; always round up to the next whole number, and do not use commas.  I usually place this file in the same folder as my image, and we’ll name this file MyImage.vmdk.

Here’s an editable copy of our vmdk file: MyImage.txt.  Save the file as a text file and then change the extension to vmdk for actual use.  It’s configured for VMware 8.x.  If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
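As an added example (not code from the original post), the following Python script writes a descriptor in the layout described above, with the sector count taken from the raw image’s size and the cylinders computed by the /255/63 rule, and it checks an existing descriptor for the slips that trip people up in practice: commas in numbers, a cylinder count that does not match the sector count, smart quotes pasted from a word processor, and an image file that is not beside the descriptor.  MyImage.001 and the sector counts used are constructed sample values.

```python
"""Generate and sanity-check a VMware monolithicFlat descriptor (.vmdk) for a raw
dd image.  Added example, not code from the original post.  It reproduces the
descriptor layout shown in the post and its geometry rule (heads=255,
sectors/track=63, cylinders = total sectors / 255 / 63, rounded up).  Image
names and sector counts used here are constructed sample values."""
import math
import os
import re
from typing import List, Optional

SECTOR_SIZE = 512
HEADS = 255
SECTORS_PER_TRACK = 63
SECTORS_PER_CYLINDER = HEADS * SECTORS_PER_TRACK  # 16065


def cylinders_for(total_sectors: int) -> int:
    """Cylinder count per the post: total sectors / 255 / 63, always rounded up."""
    return math.ceil(total_sectors / SECTORS_PER_CYLINDER)


def sector_count(image_path: str) -> int:
    """Physical sector count of a raw image, taken from its byte length."""
    size = os.path.getsize(image_path)
    if size % SECTOR_SIZE:
        raise ValueError(f"{image_path}: {size} bytes is not a whole number of sectors")
    return size // SECTOR_SIZE


def build_descriptor(image_name: str, total_sectors: int, hw_version: str = "8") -> str:
    """Descriptor for one flat extent spanning the whole image.  Save it as
    <name>.vmdk in the same folder as the image file it names."""
    fields = [
        "# Disk DescriptorFile",
        "version=1",
        'encoding="windows-1252"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'isNativeSnapshot="no"',
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {total_sectors} FLAT "{image_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.virtualHWVersion = "{hw_version}"',
        f'ddb.geometry.cylinders = "{cylinders_for(total_sectors)}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.adapterType = "lsilogic"',
    ]
    return "\n".join(fields) + "\n"


_EXTENT_RE = re.compile(r'^RW\s+(\S+)\s+FLAT\s+"([^"]*)"\s+\d+\s*$', re.M)
_GEOMETRY_RE = re.compile(r'^ddb\.geometry\.(cylinders|heads|sectors)\s*=\s*"([^"]*)"', re.M)


def check_descriptor(text: str, image_dir: Optional[str] = None) -> List[str]:
    """Problems found in an existing descriptor (empty list = passed): smart
    quotes from a word processor, commas in numbers, C/H/S that break the
    rule, and an extent file that is missing or whose size disagrees with RW."""
    problems: List[str] = []
    if any(ord(ch) > 127 for ch in text):
        problems.append("non-ASCII characters present (smart quotes?); VMware needs plain ASCII")
        text = text.replace("\u201c", '"').replace("\u201d", '"').replace("\u2033", '"')
    m = _EXTENT_RE.search(text)
    if not m:
        problems.append('no extent line of the form RW <sectors> FLAT "<image>" 0')
        return problems
    rw_text, image_name = m.groups()
    rw_sectors = int(rw_text) if rw_text.isdigit() else None
    if rw_sectors is None:
        problems.append(f"RW sector count {rw_text!r} must be digits only, no commas")
    geometry = dict(_GEOMETRY_RE.findall(text))
    if geometry.get("heads") != str(HEADS) or geometry.get("sectors") != str(SECTORS_PER_TRACK):
        problems.append(f"heads/sectors should be {HEADS}/{SECTORS_PER_TRACK}, "
                        f"got {geometry.get('heads')}/{geometry.get('sectors')}")
    if rw_sectors is not None:
        expected = cylinders_for(rw_sectors)
        if geometry.get("cylinders") != str(expected):
            problems.append(f"cylinders {geometry.get('cylinders')!r} should be "
                            f"{expected} for {rw_sectors} sectors")
    if image_dir is not None:
        path = os.path.join(image_dir, image_name)
        if not os.path.isfile(path):
            problems.append(f"extent file {image_name!r} is not in the descriptor's folder")
        elif rw_sectors is not None and sector_count(path) != rw_sectors:
            problems.append(f"RW {rw_sectors} differs from the image's {sector_count(path)} sectors")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 1953525168-sector (1 TB) image named MyImage.001.
    print(build_descriptor("MyImage.001", 1953525168), end="")
```

Run check_descriptor(open("MyImage.vmdk").read(), image_dir=".") from the image folder to confirm that the descriptor, the image name and the image size all agree before you point VMware at it.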

Next, we’ll create a VM, so open VMware and elect to create a new virtual machine.  At this point, the following video will save some explaining:

Video: Create VM

This is what we do: Run VMware and create a new VM.  Select the Custom option in the first window.  Choose to install the OS later.  Next, choose the OS (32 vs. 64 is not critical).  Then, pick a name for the VM and a path for the VM files.  It’s best to place them in their own folder.  In the next couple of screens, choose one processor and a little more memory (2-4GB) than the default.  In the network box, select “do not use…”  You can add a network adapter later.  For the I/O adapters box, select LSI Logic (SCSI).  In the Select a Disk box, choose “Use an existing virtual disk.”  Next, navigate to your vmdk file (MyImage.vmdk).  Then click Finish, and you will have built a basic VM.  Now, take a Snapshot in VMware: VM\Snapshot\Take Snapshot.

In the next step, we’re going to edit the registry of our VM (we don’t do this in XP) and remove the password (keep EFS in mind).  We mount the VM as a logical disk in read-write mode (remember, we’re working with a snapshot, and the image file is RO).  So, mount the system partition in VMware as writable.  Watch the video:

Video: Prep for boot

As you saw, I loaded the VM’s System hive in my host’s registry.  I navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI.  I edited the Start value (DWORD) so that it’s 0x00.  A Start value of 0 has the effect of starting the service at “boot,” automatically, by the system loader.  You can edit the other Control Sets, but it’s unnecessary.  Then I unloaded the System hive and closed Regedit.

Next, we’ll deal with the user’s password.  I use a free tool named ntpwedit.exe, http://cdslow.webhost.ru/ntpwedit/.  (It’s in Russian, but you’ll figure it out.)  We’ll run ntpwedit, point it to the SAM hive in the mounted virtual disk, and remove any password that you wish.  Note that you usually can boot a VM with Nordahl’s CD and do the same, but it doesn’t always work.  Watch:

Video: Remove Password

Now, the VM is ready to boot.  You may wish to fire it up to be sure that it runs, but create another snapshot first.  We want to be careful about doing anything that could create a restore point, which could delete one or more existing restore points.  For example, installing VMware Tools will create a restore point.  Snapshots allow us to go back and recover a pristine system.  It’s a good idea to check the shadow volumes in your image and be sure that they all show up later, with their proper dates, when we examine them.  In our example, there are 19:

70 comments

  1. Red Forman

    September 4, 2016 at 7:20 am

    Hey Jimmy,
    Just tried this with a Windows 10 x64 image and turns out there is no registry entry for LSI_SCSI. I managed to get the VM created successfully starting with the VMDK modified to my VMWare version (12), and the following steps:

    New VM
    Custom
    Hardware Version VMWare 12 (my version)
    Install OS Later
    Choose OS (Win 10×64)
    Name and location
    Firmware type EFI
    1 Processor 1 Core
    4GB RAM
    No Network Connection
    I/O Controller Types – LSI Logic SAS
    Virtual Disk Type – SCSI

    The rest was the same, except I didn’t need to mount or map the VM HD to change the registry, because Windows 10 has all of the LSI configured as Start=0 by default.

    I did have an issue when I started to try your original method though with permissions on the ‘config’ folder, and I wasn’t able to gain access to it using the ‘Map’ method. So I used FTK Imager and mounted the image Writable – Logical and went from there.

    Hope this helps out some of the others having issues with Windows 10.

    • jimmyweg

      September 4, 2016 at 11:57 am

      Thanks, Red. Yes, the SAS controller is an alternative. Usually, there are two SAS controllers, and picking either should work. I’m not sure why you couldn’t access System32\Config, but perhaps Win 10 tightened up access somewhat. Yet, I can access the folder directly on my native system.

  2. Richard

    August 10, 2016 at 10:52 am

    Anyone willing to share their copy of ntpwedit? The site to download it from is down. I’ve gotten to the point of booting and a login, don’t want to take the time to crack the SAM if I don’t have to. Thanks!

    • jimmyweg

      August 15, 2016 at 8:09 pm

      Solved.

  3. Jason

    July 25, 2016 at 10:19 am

    Using Workstation 11 on Windows 10, I can map the VM drive; however, the drive is not displayed in RegEdit, and Explorer gives me the error “not accessible. Incorrect function.” when I try to view the contents of the drive. Is this a limitation of Windows 10/Workstation 11? Any workarounds?

    Thank you.

    • jimmyweg

      July 26, 2016 at 12:19 pm

      Hi, Jason. I can tell you that my VMware 12 works fine on/with Win 10. I don’t think you’ve encountered a limitation. You didn’t give me much info. Are you working with an image? What type? What is the guest’s OS? Have you tried the approach using Arsenal Image Mounter?

    • EC

      September 12, 2016 at 11:04 am

      Make sure you take a snapshot before trying to mount it as read/write.
      I had the same issue, I kept getting “Not accessible. Incorrect function.” after attempting to mount the drive as read/write in VMWare and browse in explorer. It would mount fine as read only, no errors browsing. Once I did a snapshot it worked fine.

  4. Greg

    May 31, 2016 at 12:48 pm

    Good article, however I’m having trouble with the regedit. I can do the load hive, but the mapped drive doesn’t show up, the hard drive, a recovery partition, and my local drives do, just not the drive I mapped in VMware… I can’t boot that system as I believe it needs the SCSI to start up when the system boots.

    I’ve tried this numerous times, and still a no-go.

    Thoughts?

    • jimmyweg

      May 31, 2016 at 4:47 pm

      Thanks for writing, Greg. What is the guest OS? Is it GPT (I think it is)? How are you loading and editing the System/SAM hives if you can’t map the system partition? Try mapping the partition before and after the desired system partition. VMware seems to have an issue with mapping the selected partition on GPT.

      • Greg

        June 1, 2016 at 9:36 am

        Imaging it’s GPT (windows 7 box I’m fairly sure), my host is windows 7. I can see the drive mapped to windows (a 455GB drive using about 120GB). Under advanced shows scsi.

        Now on my host I try regedit, File, Load Hive (as in the video). On the left hand side, I still see my C drive, my USB drive, and now, instead of Q (which is the image file that I wish to use), I see an 11GB recovery drive (different letter).

        Thanks

        • jimmyweg

          June 1, 2016 at 11:58 am

          In VMware, how many partitions does it show when you go to map a volume? Post back a list with size and type.

  5. MacLuser

    May 3, 2016 at 4:27 pm

    Will this work for creating a VM of a MAC OSX .00001 image? If not, any suggestions?

    • jimmyweg

      May 4, 2016 at 11:28 am

      OSX is an entirely new ballgame. I will tell you that I can create a VMware VM in Windows from an OSX dd image. However, there is at least a debate over whether doing so conforms with Apple’s licensing conditions. So, I haven’t posted instructions because I don’t want to take a chance on violating the license. I will say that it also requires a tweak to certain VMware system files, and I don’t know whether those edits will work in all versions. You can, however, build a VM in Fusion on a Mac.

  6. Steve Linn

    April 28, 2016 at 9:07 am

    Jimmy,

    I have a 001 image that I am setting up

    In VMWare when selecting the MyImage.VMDK file I get the following error
    “the file specified is not a virtual disk”

    Here is my code for my VMDK

    # Disk DescriptorFile
    version=1
    encoding=”windows-1252″
    CID=fffffffe
    parentCID=ffffffff
    isNativeSnapshot=”no”
    createType=”monolithicFlat”

    # Extent description
    RW 1953525168 FLAT “MyImage.001” 0

    # The Disk Data Base
    #DDB

    ddb.virtualHWVersion = “8”
    ddb.longContentID = “3dbffea22e044ddc2bb9220dfffffffe”
    ddb.uuid = “60 00 C2 99 79 81 fe 89-c6 64 c8 c2 19 93 b1 ea”
    ddb.geometry.cylinders = “121602”
    ddb.geometry.heads = “255”
    ddb.geometry.sectors = “63”
    ddb.adapterType = “lsilogic”

    • jimmyweg

      April 28, 2016 at 11:08 am

      Let’s check the easiest thing first: make sure that your image name in the vmdk is precise. Next, double check the geometry, e.g., number of sectors. I take it that your target is a single image file and not a mounted image. Let me know what you find.

      • Steve Linn

        April 28, 2016 at 3:03 pm

        I got a little farther along

        I changed text editor to Notepad++

        got my sector count from FTK Imager

        I was able to go through the entire process – mounting it to the Z: drive and editing the registry hive.

        I did not change the password because I did not need to — I know the password

        When I go to power on the machine I get the error “failed to lock the file…cannot open the disk E:\MyImage.vmdk or one of the snapshots it depends on.

        Module ‘Disk’ power on failed.

        • jimmyweg

          April 28, 2016 at 3:32 pm

          This error usually resolves with a host system reboot.

          • Steve Linn

            April 29, 2016 at 11:03 am

            Little further along….
            Able to install the VM and open it in VMWare – however it says it cannot start normally. I tried to stop the VM and restart it – same issue — should I attempt to repair it?

          • jimmyweg

            April 29, 2016 at 12:02 pm

            You shouldn’t need to do a repair if the original system was working okay. First, choose “no” and see what happens. What OS is the guest?

          • Steve Linn

            April 29, 2016 at 12:26 pm

            The computer worked fine, it was a Win 7 x64

          • jimmyweg

            April 29, 2016 at 12:56 pm

            Then it has to boot in VMware if you correctly created the vmdk, edited the registry, and took a snapshot. Try going back to the first snapshot and boot. Don’t do a repair at that point.

  7. Kevin Chaney

    July 10, 2015 at 11:00 am

    I keep getting this BSOD on every machine I try:

    Stop 0x0000007B

    Any ideas?
    Thanks

    • jimmyweg

      July 10, 2015 at 12:09 pm

      What OS is your VM?

      • Shelby Mertins

        September 21, 2015 at 1:59 pm

        I’m having this problem trying to boot to Windows 7.

        • jimmyweg

          September 21, 2015 at 2:06 pm

          If it’s the same issue that Patrick last reported, it seems to be a Windows issue. Try the repair. Does it boot to safe mode? I get that screen all the time and simply elect to start Windows normally. Go back to square one and make sure that you get the registry edited before your first attempt, in case something was corrupted when you first built the VM.

      • Matthew

        February 10, 2016 at 1:06 pm

        Hi Jimmy
        I keep getting Stop code 0x0000007B on boot
        My OS is Win XP.
        I suspect it cannot boot because I have not changed the appropriate setting in the registry. I looked and cannot find the LSI_SCSI key (probably because this is XP).
        Is there an XP version of this key I can change?

        Thanks in advance!

  8. Hannah

    March 12, 2015 at 7:50 am

    Great article but I am having problems mapping the drive. I am using Workstation 10. It seems to map the drive but when I click on it, it says to format the drive. When I try to start the VM, I get a disk error. I can mount the dd and browse the folders using FTK Imager. Any ideas? Thx!

    • jimmyweg

      March 12, 2015 at 8:29 am

      Perhaps your geometry is wrong. Check your vmdk file and be sure that the C-H-S settings are correct. H=255, S=63, C=Total Sectors/255/63. Your total (physical) sectors should be included in the file, too, of course.

      • Hannah

        March 12, 2015 at 2:52 pm

        [Drive Geometry]
        Cylinders: 60,801
        Tracks per Cylinder: 255
        Sectors per Track: 63
        Bytes per Sector: 512
        Sector Count: 976,773,168

        VMDK File
        # Disk DescriptorFile
        version=1
        CID=fffffffe
        parentCID=ffffffff
        isNativeSnapshot=”no”
        createType=”monolithicFlat”

        # Extent description
        RW 60802 FLAT “nt2935.001” 0

        # The Disk Data Base
        #DDB

        ddb.adapterType = “lsilogic”
        ddb.encoding = “windows-1252”
        ddb.geometry.cylinders = “1”
        ddb.geometry.heads = “255”
        ddb.geometry.sectors = “63”
        ddb.virtualHWVersion = “4”

        • jimmyweg

          March 12, 2015 at 4:12 pm

          First, remove the commas in your sector count number, and RW should be 976773168. The ddb.geometry.cylinders should be 60801. Create a vmdk file that contains the following:

          # Disk DescriptorFile
          version=1
          encoding=”windows-1252″
          CID=fffffffe
          parentCID=ffffffff
          isNativeSnapshot=”no”
          createType=”monolithicFlat”

          # Extent description
          RW 976773168 FLAT “nt2935.001” 0

          # The Disk Data Base
          #DDB

          ddb.adapterType = “lsilogic”
          ddb.geometry.cylinders = “60801”
          ddb.geometry.heads = “255”
          ddb.geometry.sectors = “63”
          ddb.longContentID = “4840d9972d5edd9f0f8a2f4afffffffe”
          ddb.uuid = “60 00 C2 9e 44 a1 15 1d-5d 9b 29 09 73 ce 10 47”
          ddb.virtualHWVersion = “10”

  9. David Marques

    April 3, 2014 at 5:56 am

    Hi,

    Thanks for your excellent work and for sharing it!
    Just a quick question as you might have come across.
    I’m trying to write the System registry key as you said, but on VMware Workstation 8, when I try to map the partition as writable, I get a Windows message saying it can’t open that drive letter.
    I’ve tried in VMware Workstation 10, and I can map to a drive letter, but then I can’t open the folder Config under Windows\System32, as it says that I don’t have permissions. I tried of course to edit the permissions, but always get an error that it can’t write.

    Have you ever come across something like it?

    Thanks

    • jimmyweg

      April 3, 2014 at 8:44 am

      If you can map the volume as writable with VMware, it seems to be a permissions issue, as you noted. Win 8 can be a little fussier than 7. Have you disabled UAC? First try the normal way through Control Panel. If that doesn’t work, try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set EnableLUA to 0x00. Note that you will be unable to use Metro Apps (so what).

  10. saintbin

    September 21, 2013 at 2:45 am

    Hi Jimmy, may I get your help? I need to boot from a single dd image.
    1. I create a dd image from a system drive (logical drive) using FTK Imager.
    2. I create the vmdk and VM according to your post’s steps.
    3. I load the VM’s System hive in my host’s registry, follow your method, and remove the password using ntpwedit.
    4. Then I power on the VM, but the VM suspended on a black screen at startup. What’s the problem?

    can you help me ?

    • jimmyweg

      September 21, 2013 at 11:11 am

      I don’t know about a black screen, and what do you mean by “VM suspended”? If you’re not even getting to Windows, there may be a problem with your target’s boot loader. Make sure you give it enough time, as it can be slow sometimes. What is the OS?

  11. saintbin

    September 21, 2013 at 1:34 am

    Hi Jimmy, thanks for posting a great blog.

    But I have a question. Can you tell me how to load the VM’s System hive in my host’s registry and then how to navigate to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI?

    Waiting for your reply!

    • jimmyweg

      September 21, 2013 at 11:09 am

      It’s in my posts, but mount your virtual disk after taking a snapshot. Mount it as writable. Then open regedit, and select load hive from the File menu, when your focus is on HKLM on your own registry. Navigate to the mounted virtual disk’s SYSTEM hive, select it, and give it a name. You should find the LSI_SCSI key in your mounted hive.

  12. Randy

    August 9, 2013 at 10:39 am

    Thank you for taking the time to put together such helpful information! I am using VMWare Workstation 8 on a Windows 7 x64 host, and I created a VM from an E01 image of a Windows 7 machine.

    I was unable to map the virtual drive, and the vmware.log exposed the problem: “failed to open \\.\PhysicalDrive11 the physical disk is already in use”

    To solve this problem, I closed VMWare Workstation 8 and started it again running it “As Administrator”. It was a permissions issue accessing the physical disk, and running as Administrator fixed it.

    Reply

  13. Johan S

    June 12, 2013 at 4:54 am

    I solved it, I was not system admin. Thanks for a GREAT tutorial!

    Reply

  14. Johan S

    June 11, 2013 at 11:01 pm

Hi! I'm stuck again. After mapping the “harddrive” with VMware as explained, it shows in Windows Explorer, but it does not show in Disk Management and it does not show through regedit, so I cannot choose the system file in it. I guess that some of my computer settings are not right. I would be very happy if you could help me out again. Thanks for great information!

    Reply

  15. Johan S

    June 10, 2013 at 5:56 am

Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I don't see links to it on this page.

    Reply

  16. Alan

    March 4, 2013 at 12:49 pm

    I have the same problem as Diego. My image is a raw, dd image that opens fine in WinHex Specialist. I made changes to the number of sectors and to the image file name in your template. I saved the file as a vmdk. I do not think I made a mistake.

    Reply

    • jimmyweg

      March 4, 2013 at 4:41 pm

      Hi, Alan. The “The file specified is not a virtual disk” error typically indicates a problem with your vmdk or an issue with your image. If you want to send the vmdk to me, email it to jweg mt. gov. In WinHex, click on the physical image and send the Technical Details Report, too, if available. Make sure that your vmdk file is in the folder with your image. Check that no commas are in any numbers, e.g., sectors. Double check that you named the image correctly in your vmdk. Check your math for number of cylinders.

      Reply

      • Alan

        March 4, 2013 at 5:48 pm

        Thanks for the offer to troubleshoot it. I’ll send it to you. I double checked all that you suggested so I am hoping you can shed some light. BTW, I hate captchas.

        Reply

        • jimmyweg

          March 4, 2013 at 8:05 pm

          Sent you an email. I also hate Captchas, but you can’t believe how many spam comments I was getting. I wish that there was an alternative, and I do use other blockers.

          Reply

  17. Hans Marius

    March 1, 2013 at 4:08 am

    Hi,

I am trying to bring up a machine from an E01 file.

    You are using MyImage.001 in the vmdk file, but what should I type there when trying from an E01 file?

    Reply

  18. windows xp startup programs

    February 2, 2013 at 3:27 pm

Howdy! I just wish to give you a huge thumbs up for the great information you have got here on this post. I am returning to your blog for more soon.

    Reply

  19. Brian

    January 22, 2013 at 2:18 pm

    Jimmy, what is required to get an XP image to boot up in the same manner? Thank you for your time.

    Reply

  20. Diego

    December 17, 2012 at 8:48 pm

I followed all steps with VMware 8.x, but when I navigate to the vmdk file and click Next I get the error: “The file specified is not a virtual disk”. I tried creating another VM and checked the contents of the generated vmdk file; it contains some weird characters at the beginning and the end, but the file I made manually doesn't. What could be the problem?

    Reply

    • jimmyweg

      December 18, 2012 at 8:29 am

That usually means that your vmdk file contains an error or the wrong type of virtual disk. Are you trying to create a VM from a dd image? If you're trying to create a VM from an E01 or mounted disk, you want to open the vmx file after you follow the steps in my post on E01s.

      Reply

  21. Brian

    December 14, 2012 at 5:19 am

Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I don't see links to it on this page.

    Reply

  22. Phill

    November 9, 2012 at 4:27 am

    How did you figure out that you have to modify the registry?
    And do you know why setting the registry key to 0 seems to get it to work?

    Reply

    • jimmyweg

      November 9, 2012 at 9:17 am

      First, Vista/7/8 VMs prefer SCSI disks. If you simply create one from scratch, SCSI is the default. As many have found, leaving an IDE drive in place usually results in a BSOD. IIRC, it’s a Stop 0x0000007B error, which should be a driver issue. It took a bit of testing and trial and error. The issue/conflicts doesn’t arise with a SCSI disk/drivers. But, the target system probably doesn’t use a SCSI disk, so it won’t load the driver at boot. Vista/7/8 include the LSI SCSI drivers, but we have to make them load at boot. All that takes is editing the driver’s Start value data to 0x00. Thereafter, the SCSI drivers will load at boot and the system will recognize your SCSI disk. Per MS, these are the available value data for Start values (summarized):

      0x0 Part of the (Boot) driver stack for the boot (startup), loaded by the Boot Loader.
      0x1 Represents a driver to be loaded (System) subsystem at Kernel initialization.
      0x2 To be loaded or started (Auto load) Control automatically for all startups.
      0x3 Load on Control but will not be started until demand, for example, by using the Devices icon in Control Panel.
      0x4 NOT TO BE STARTED UNDER ANY CONDITIONS.

      Reply
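The load-hive and Start-value procedure described in the replies above (mount the snapshotted disk writable, load its SYSTEM hive under HKLM, find the current control set, set the driver's Start data to 0x00), as an added PowerShell example that is not part of the original post or comments. The V: drive letter is a placeholder for wherever VMware mapped the virtual disk; NEWSYSTEM and LSI_SCSI are the mount name and service name the comments use, and the script assumes an elevated PowerShell session.

```powershell
# Added example, not the blog's own script: offline edit of a mapped VM disk's
# SYSTEM hive, mirroring the regedit steps from the comments.
# Assumptions: snapshot already taken, disk mapped writable as V: (placeholder),
# running as Administrator.
param(
    [string]$HivePath = 'V:\Windows\System32\config\SYSTEM',  # assumed mount letter
    [string]$MountKey = 'NEWSYSTEM',   # temporary name, same as in the comments
    [string]$Service  = 'LSI_SCSI'     # pass another name if the target uses a different SCSI driver
)

# Load the target's SYSTEM hive under HKLM\NEWSYSTEM, as File > Load Hive would.
& reg.exe load "HKLM\$MountKey" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # The Select key records which ControlSetNNN is current, so we edit that
    # one instead of assuming ControlSet001.
    $current = (Get-ItemProperty -Path "HKLM:\$MountKey\Select" -Name Current).Current
    $svcKey  = "HKLM:\$MountKey\ControlSet{0:D3}\Services\$Service" -f $current

    if (-not (Test-Path $svcKey)) {
        throw "$Service not present in ControlSet$current; check the hive and service name"
    }

    # Record the original Start data for the exam notes before changing it.
    $before = (Get-ItemProperty -Path $svcKey -Name Start).Start
    Write-Host ("{0} Start was 0x{1:X2}" -f $Service, $before)

    # 0x0 = boot-start: the loader brings the driver in before the kernel needs
    # the disk, which is what lets the VM recognise its SCSI disk.
    Set-ItemProperty -Path $svcKey -Name Start -Value 0 -Type DWord

    $after = (Get-ItemProperty -Path $svcKey -Name Start).Start
    Write-Host ("{0} Start is now 0x{1:X2}" -f $Service, $after)
}
finally {
    # Always unload, or the hive stays locked and the VM cannot boot from the disk.
    [GC]::Collect()   # drop PowerShell's own handles on the loaded hive first
    & reg.exe unload "HKLM\$MountKey" | Out-Null
}
```

Re-run the read-only part after a BSOD to confirm the value did not revert, as suggested in a later reply.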

  23. Stephane Denis

    October 12, 2012 at 1:32 pm

    Good stuff Jimmy!

    I didn’t like having to modify the registry though so I used:

    ddb.adapterType = "ide"

    in the vmdk file to avoid it.

    Thanks!

    Reply

    • jimmyweg

      October 12, 2012 at 5:29 pm

      Thanks, Stephane, I’m glad you found my post useful. Typically, Win7/Vista in VMware like SCSI drives, and XP uses IDE. However, if your VM boots, it doesn’t matter. If you have to strip a password and you use my approach for that, you have to mount the disk and edit the registry anyway. Even if you boot with a password-stripper disc, it edits the SAM, too.

      Reply

  24. Jason

    September 19, 2012 at 9:17 pm

    Great Job here! Thanks so much for the step by step guide. Very informative.

    Few questions.

    Following the guide from ‘Creating a VM from 01 Images’ I was able to get a Win 7 64bit image to boot, but only once. After I shut it down and restarted it I keep getting the BSOD. I tried deleting everything and starting over but still had the BSOD. Anything changing outside of the files created in target directory, like in the VMWare Workstation folder/files? Any other thoughts on this?

    Also in this post in the section about editing the registry of the mapped image it says ‘In the next step, we’re going to edit the registry of our VM (we don’t do this in XP)’ What do you mean ‘we don’t do this in XP’. Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?

    Thanks again!

    Reply

    • jimmyweg

      September 20, 2012 at 8:19 am

      >After I shut it down and restarted it I keep getting the BSOD.

      If it boots once, it should boot indefinitely, absent something that went wrong in the VM guest. If it BSODs again, don’t do anything until you mount the virtual disk and recheck the registry to be sure that the LSI SCSI Start=0x00. If it reverted back to its original state, perhaps try taking another snapshot after you re-edit the registry. Maybe you somehow set the disk to non-persistent, although I don’t think that you can do that.

      >Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?

      Correct, you don’t. XPs usually don’t come with the native LSI drivers, anyway. You build an XP VM with the standard IDE disk. Then, to get it to boot, you’ll have to do a Windows repair in most cases. I can do a post on that if you think it would help a number of folks.

      Reply

  25. jbscarva

    September 14, 2012 at 10:32 am

    Excellent. Thanks very much!!!!

    Reply

  26. Nadine Haven

    July 27, 2012 at 9:39 pm

    Thanks for the amazing info. I find these posts have a lot of material. I can’t wait to get a chance to implement all these great posts. Thank you very much.

    Reply

  27. Michael Beagle

    July 23, 2012 at 7:15 am

    Outstanding work. Ditto Mr. O’Sullivan’s comments. Bookmarking and sharing (if you don’t mind).

    Reply

  28. William O'Sullivan

    July 16, 2012 at 8:36 pm

    Excellent article and explanation. Thank you!
