Every now and then, I get email from readers who have difficulties, and some areas come up more often. I also learn a few things as time goes by, and I gain some valuable pointers from colleagues who share my interests. Therefore, I want to update or amend a few procedures as well as review some of the more basic steps that folks may overlook.
1. Building and booting UEFI/GPT systems and remembering the registry edit
A little while back, I posted on building VMs from UEFI/GPT systems, found most often in Windows 8. Since then, I’ve seen more of these outfits arrive in my shop, as the use of Windows 8 and large disks grows. If you document your target system before an exam, which requires accessing the setup in most cases, you’re sure to recognize that the setup doesn’t resemble the BIOS of old. There’s a sample screenshot in the above post. Even if you dive straight away into your exam, you’ll find a clue when you study the partitioning of your target image file:
X-Ways Forensics users will receive the answer to the clue without having to guess. The GPT partitioning style with the four partitions, including the MS reserved partition, means that you have a UEFI system. The FAT32 partition likely holds your EFI boot data:
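For readers without a tool that labels partitions for them, here is an added example (not from the original post or from X-Ways) that reads the primary GPT header of a raw image, checks its CRC32, and flags the UEFI clue described above: an EFI System partition next to a Microsoft reserved partition. The four-partition image it parses is constructed inline to resemble a Windows 8 layout and is not a real evidence image.

```python
import struct
import uuid
import zlib

SECTOR = 512
EFI_SYSTEM = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")      # type GUIDs from the UEFI spec
MS_RESERVED = uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae")
MS_BASIC_DATA = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")
TYPE_NAMES = {EFI_SYSTEM: "EFI System", MS_RESERVED: "Microsoft reserved", MS_BASIC_DATA: "Basic data"}

def parse_gpt(image: bytes):
    """Return (header_crc_ok, [(name, type_label, first_lba, last_lba), ...]) for a raw image."""
    hdr = image[SECTOR:2 * SECTOR]                      # primary GPT header sits at LBA 1
    if hdr[:8] != b"EFI PART":
        return False, []
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    calc_crc = zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:hdr_size])  # CRC is computed with its own field zeroed
    entry_lba, num_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(num_entries):
        ent = image[entry_lba * SECTOR + i * entry_size:][:entry_size]
        type_guid = uuid.UUID(bytes_le=ent[:16])        # GUIDs are stored in mixed-endian form
        if type_guid.int == 0:                          # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((name, TYPE_NAMES.get(type_guid, str(type_guid)), first, last))
    return calc_crc == stored_crc, parts

def is_uefi_layout(parts):
    # The post's clue: an EFI System partition alongside a Microsoft reserved partition.
    return {"EFI System", "Microsoft reserved"} <= {p[1] for p in parts}

def _entry(type_guid, first, last, name):
    return (type_guid.bytes_le + uuid.UUID(int=first).bytes_le + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\x00"))

def build_sample_image():
    """Constructed Windows 8 style layout (not a real evidence image); the MBR sector is left zeroed."""
    layout = [(MS_BASIC_DATA, 2048, 616447, "Basic data partition"),
              (EFI_SYSTEM, 616448, 821247, "EFI system partition"),
              (MS_RESERVED, 821248, 1083391, "Microsoft reserved partition"),
              (MS_BASIC_DATA, 1083392, 2000000, "Basic data partition")]
    entries = b"".join(_entry(*p) for p in layout).ljust(128 * 128, b"\x00")
    hdr = b"EFI PART" + struct.pack("<IIII", 0x00010000, 92, 0, 0)    # revision 1.0, size, crc placeholder
    hdr += struct.pack("<QQQQ", 1, 2000034, 34, 2000000)               # current, backup, first/last usable LBA
    hdr += uuid.UUID(int=99).bytes_le + struct.pack("<QIII", 2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]     # fill in the header CRC32
    return b"\x00" * SECTOR + hdr.ljust(SECTOR, b"\x00") + entries
```

A failed header CRC on a real image is worth noting in your report before you go further, since it means the partition table you are reading may not be the one the firmware trusted.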