I was given the task of trying to figure out how to boot a spanned DD image file as a virtual machine in the software of my choice. It was an old image of a Windows 2000 machine that was spanned in 650MB blocks, a total of 10 files. I originally tried converting each segment into the VirtualBox VDI file just to see if I could get something usable, but that wasn’t successful. I looked online for 40-45 minutes trying to figure out how to merge all the segments into one file. I had no luck at all with that, but I did get another idea because of a previous assignment in this class (computer forensics).
What I ended up doing was mounting the spanned image on my machine as another “disk” on my computer. I then used ProDiscover Basic to capture an image of the “disk” – essentially capturing an image of an image. I then used VirtualBox’s command line tool to convert the new DD image file into their virtual hard drive file, a VDI.
Software used: Mount Image Pro, ProDiscover Basic, and VirtualBox. Mount Image Pro is only a trial version, but it will work perfectly for this. This is meant for students of my class who already have access to a demo version of ProDiscover Basic. There may be free alternatives out there that can do the same thing and can probably be swapped out easily for those steps.
Here are my steps, with lovely screenshots.
Open Mount Image Pro, click the mount button, click on add image. Browse to where your image is located and select the first file in the span and click open.
After you click on the Mount Disk button a window will pop up where you can select some options. The only way I got this to work was telling it to mount as physical and logical. I left the other 3 options as default.
After it has mounted you may see in the window that there are multiple partitions. Pay attention to the As column; in my example, the entry to note is the one called PHYSICALDRIVE2.
Now open ProDiscover Basic, cancel the prompt to start a new case if that comes up, go to the action menu and click on capture image. In this box you’ll want to select PHYSICALDRIVE2 as the source drive, choose the destination to save the file, and most importantly, choose the UNIX style DD format. Click OK and walk away for a few minutes while it captures the image.
After the image has been captured the next step is to use the VirtualBox command line tool to convert it into a VDI file. I find this to be easiest if you move or copy the DD file into your VirtualBox program files directory (C:\Program Files\Oracle\VirtualBox is the default path). If you don’t put the file in that directory you’ll have to type out the entire path so the tool knows what file to convert.
Open a command prompt. Change the directory so you are in your VirtualBox installation directory by typing:
cd c:\program files\oracle\virtualbox
Now comes the command to convert the file into VDI format.
vboxmanage convertfromraw filename.dd newfilename.vdi
Hit enter and let it do its thing. Once it returns a blank line it’s done.
Now you can cut and paste the DD and the VDI files into whatever directory you want. Open VirtualBox and go through the prompts to create a new machine like you would any other time. Instead of having VirtualBox create a new disk you’ll just tell it to use an existing disk and choose the VDI file.
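Segments of a raw DD image are consecutive byte slices of the original disk, so the merge mentioned at the top of this post can also be done by concatenating them in order. The following is an added example, not part of the original post: it joins the segments and re-hashes the merged file so the result can be verified. It assumes raw segments named with numeric suffixes such as image.001 through image.010 (hypothetical names).

```python
import hashlib
import re
import sys
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; segments never sit fully in memory

def find_segments(first_segment):
    """Return every segment sharing the first file's stem, in numeric order."""
    first = Path(first_segment)
    if not re.fullmatch(r"\.\d+", first.suffix):
        raise ValueError(f"expected a numeric suffix like .001: {first.name}")
    found = {}
    for p in first.parent.iterdir():
        if p.stem == first.stem and re.fullmatch(r"\.\d+", p.suffix):
            n = int(p.suffix[1:])
            if n in found:
                raise ValueError(f"two files claim segment {n}")
            found[n] = p
    start = int(first.suffix[1:])
    # A missing segment would silently shift every later sector, so refuse it.
    if sorted(found) != list(range(start, start + len(found))):
        raise ValueError(f"gap in segment numbering: {sorted(found)}")
    return [found[n] for n in sorted(found)]

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest()

def merge_segments(first_segment, output):
    """Concatenate the segments into output; return (sha256 hex, byte count)."""
    segments = find_segments(first_segment)
    digest, total = hashlib.sha256(), 0
    with open(output, "xb") as out:  # "x" refuses to overwrite an existing file
        for seg in segments:
            with open(seg, "rb") as src:
                while chunk := src.read(CHUNK):
                    digest.update(chunk)
                    out.write(chunk)
                    total += len(chunk)
    if sha256_file(output) != digest.hexdigest():  # re-read what hit the disk
        raise OSError("merged file does not match the data read from segments")
    return digest.hexdigest(), total

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: merge.py FIRST_SEGMENT OUTPUT_FILE")
    print("sha256=%s bytes=%d" % merge_segments(sys.argv[1], sys.argv[2]))
```

The merged file can then be passed to vboxmanage convertfromraw exactly as in the steps above, and the printed hash recorded alongside it.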