In this step we’ll add our target system virtual disk to our SEAT VM. We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.
Add Virtual Disk
As you saw, we chose to add the disk as an independent disk in non-persistent mode. Any changes to the disk are discarded when we power off our SEAT VM. Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM. Nothing within the shadow volumes will be changed. Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.
When you add the disk, VMware may present a box that warns of a hardware compatibility issue. If my SEAT VM was created in an earlier version, I’ll get the following warning.
If you encounter this, change your SEAT hardware compatibility as in the video. Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8). Choose Alter this virtual machine as your last step.
We’re ready to boot our SEAT workstation and get our target ready for a shadow volume exam. In Windows, we can see our target system as Volumes E:, F:, and G:. Your volume letters may differ, as may the number of partitions on your target.
A little exploring reveals that our target’s system partition is Volume F:. While the last screen shot is right above us, I want to point out a very handy feature of VMware, which is the Pause button. You can see it in the screen shot as the two vertical bars right below the File menu item. Pausing the VM freezes the action. So, if you have a number of tasks underway and don’t want to shut down your SEAT VM, just pause it until you want to return to work. Remember, too, that the VMware Snapshot feature is your friend.
The first thing that I do is write-protect the target system disk. Even though the disk is non-persistent, it can be written to during our session. It’s also possible that the volume shadow service may delete one or more of the target’s shadow volumes. To write-protect our target, we’ll employ Windows Diskpart, which is a command line tool that’s part of Windows 7. In the next video, I’ll step through the process. We’ll begin at the point where I entered the Diskpart shell.
To exit Diskpart, simply type the command exit. Note that the write protection survives a hot or cold reboot. Nevertheless, you don’t have to shut down your SEAT VM unless you want to make certain changes to its configuration in VMware. Otherwise, you can simply use the Pause feature. Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.
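For readers who would rather script the Diskpart steps than type them into the shell, here is an added example (not from the original post) that drives Diskpart from an elevated PowerShell prompt on the SEAT VM, refuses to touch the VM’s own boot disk, and verifies the read-only state afterwards. The disk number is the one shown for MyImage by list disk; the parameter names are my own.

```powershell
# Added example (not from the original post): write-protect the target disk attached
# to the SEAT VM with Diskpart, or clear the protection with -Clear, and verify it.
# Assumptions: elevated PowerShell on the SEAT VM; $DiskNumber is the disk shown by
# "list disk" for the MyImage virtual disk (parameter names are hypothetical).
param(
    [Parameter(Mandatory = $true)][int]$DiskNumber,
    [switch]$Clear   # remove write protection instead of setting it
)

# Run a Diskpart script non-interactively (diskpart /s) and return its text output.
function Invoke-Diskpart {
    param([string[]]$Commands)
    $scriptPath = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $scriptPath -Value $Commands -Encoding ASCII
        & diskpart.exe /s $scriptPath 2>&1 | Out-String
    } finally {
        Remove-Item $scriptPath -ErrorAction SilentlyContinue
    }
}

# Safety check: "attributes disk" reports "Boot Disk : Yes" for the disk the SEAT
# VM booted from; never change that one by mistake.
$before = Invoke-Diskpart @("select disk $DiskNumber", "attributes disk")
if ($before -match 'Boot Disk\s*:\s*Yes') {
    throw "Disk $DiskNumber is the boot disk of this VM; refusing to change it."
}
if ($before -notmatch 'Read-only\s*:') {
    throw "Disk $DiskNumber not found or its attributes could not be read:`n$before"
}

# Set or clear the read-only attribute, then read the attributes back.
$action = if ($Clear) { 'attributes disk clear readonly' } else { 'attributes disk set readonly' }
$after  = Invoke-Diskpart @("select disk $DiskNumber", $action, "attributes disk")

# Trust the reported state, not Diskpart's success message.
$expected = if ($Clear) { 'No' } else { 'Yes' }
if ($after -match "Current Read-only State\s*:\s*$expected") {
    Write-Output "Disk $DiskNumber read-only = $expected"
} else {
    throw "Read-only state did not change as expected:`n$after"
}
```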
That’s it for now. In the next post, I’ll get down to mounting and accessing the shadow volumes. Thanks for visiting!
Hello, great series and info. Have you experimented with using the SIFT to make all .E01, .AFF or .RAW images available to the Windows Forensic box for Volume Shadow analysis? I have found it to be extremely quick to set up and reliable (takes about two minutes). Successive exams are faster to set up. Corey Harrell did a posting on how to do that here: http://journeyintoir.blogspot.com/2012/05/more-about-volume-shadow-copies.html
>Have you experimented with using the SIFT
I haven’t. I do have SIFT, but I’m kind of linux-averse. It’s great stuff, but I like my GUI. I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment. As I mentioned, I can make this work with E01s, but it’s a little more work. I started down this road because I received quite a few remarks about problems with EnCase PDE and LiveView. I don’t use EnCase, so I can’t attest to any issues, but I did play with LiveView and prefer my “hand-built” approach. My aim, which will become a little clearer as I progress, is to do a SV exam with X-Ways Forensics. You can use any tool as long as it will run in a VM. For that matter, you can do the same thing directly in the running VM of the target that we built in my first post. XWF can be run from a thumb! You also can add the target virtual disk directly to SIFT through VMware. You’ll have to let me know what you think as I proceed. Thanks.
>I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment.