The process of converting a full physical acquisition of a hard disk into a fully functioning virtual machine (VM) has been covered many times. Probably, because interacting with a machine the same way that your suspect did just prior to the machine being seized, is a technique that in my opinion although underused is still very valuable. There are things that can be learned about the habits of your suspect that may only be discovered by taking the time to look at your seized data in a live manner.
To accomplish this, one tool that I still hear people talking about on the Windows side is LiveView. At the time that I tried using it, the tool required that a raw image of the disk be used. This meant taking the time to convert your E01 to a raw image, which took time and wasted space.
Alternatives to LiveView, are discussed in great detail by Jimmy Weg, on his blog justaskweg.com. Jimmy even wrote an article on going from a write blocked drive to a VM, which I found very useful.
Lucky for us, going from a write blocked drive to a VM can also be accomplished in Linux, and is something that I have discussed and covered previously.
In this article, I want to talk about booting a disk image of a Windows 10 machine. For the purposes of this article I used a live Linux distribution of LosBuntu. LosBuntu is our own Ubuntu 14.04 distribution that can be downloaded here.
The plan is to use a live version of LosBuntu and boot your machine from it. Whether you boot LosBuntu from a DVD or a flash-drive, the process should be the same. Select a machine that is powerful and has plenty of ram. Aside from the fact that LosBuntu already has xmount installed on it, another benefit to using a live distribution is to accomplish complete segregation. Any malware that you catch or any action that you wished reversed can be dealt with by simply shutting down the machine.
Installing the Tools:
The tools that we will be using during the process are xmount and VMware Workstation Player 12 (VMware). Xmount comes preinstalled in the Live version of LosBuntu, but if you choose to install it yourself, find it here https://pinguin.lu/pkgserver. VMware can be downloaded free here.
To install VMware, issue the below command. When prompted, enter the root password, which is “mtk” without the quotes.
$ sudo bash VMware-Player-12.0.1-3160714.x86_64.bundle
Use the VMware installer graphical user interface to complete the installation.
To illustrate the steps of converting a disk image of a Windows 10 machine to a VM, I will be using a previously acquired disk image of a Windows 10 operating system from a 512GB SSD that I use for testing.
The acquisition of the disk was done using the E01 format with best compression and 4000mb chunks. The image compressed down to about 33GB spanned into 8 different segments. Due to the compression, the disk image is only occupying 33GB worth of space, rather than 512GB had we used the RAW format during acquisition. That is a lot of saved space, thanks to the compression! Great.
Let us now turn our attention to the point of the write up, converting this E01 to a virtual machine. To accomplish this feat, we are going to summon the powers of xmount. Xmount is a very powerful tool written by Dan Gillen. The tool that has the ability to convert on-the-fly between multiple input and output hard disk image types. In other words, xmount can take our E01 image and convert it to a raw image (DD), on-the-fly, all while maintaining the integrity of the data.
Xmount can also turn a DD or an E01 into a VMDK (VMware virtual disk), and redirect writes to a cache file. This makes it for example, possible to use VMware to boot an Operating System contained in a read-only DD or E01 image.
For us to pull off the trick of turning an E01 into a VM, we are going to pass xmount the following instructions. Enter this command into the terminal:
$ sudo xmount --in ewf Win10.E?? --out vmdk --cache /mnt/cache/win10.cache /mnt/vmdk/
Xmount is the command to crossmount, --in ewf lets xmount know that we are passing it an image using the E01 format, Win10.E?? is the E01 image. In this example we have more than one segment so we must use “E??” as the file extension, to specify the segment files. --out vmdk tells xmount to convert the E01 to a VMDK, --cache /mnt/cache/win10.cache is the name of the cache file that will store all of the writes being written by the operating system, and /mnt/vmdk/ is a previously created mount point for the vmdk file. Sudo gives xmount superuser privileges for the operations.
If you received your prompt back without any errors, then it may be safe to assume that you issued the correct command. At this point, you now have the E01 converted to a vmdk, that is ready to be opened in VMware.
Now, fire up VMware and go through the process of creating a Windows 10 VM. This write up assumes that you know the process, so we will not bore you with steps of how to set up a VM. If needed, a web search on the topic will reveal multiple articles on accomplishing that specific task.
As you go through the process of creating your Windows 10 VM, I would recommend that you give the VM 4GB of ram and 2 cores. I would also recommend that you un-check the box labeled “connect at power on” for your network adapter. This is your call, but I choose not to allow suspect machines to connect to the internet.
Finish, setting up your machine and get back to the home screen
We are almost ready to fire up the machine. But before we do that we have to do some final tweaks. An important one is adding the vmdk file to the virtual machine. Click on “edit the virtual machine settings” and remove the disk assigned to the VM.
Add the vmdk file that we previously mounted to /mnt/vmdk/
Lastly, we need to edit the vmx configuration file so that VMware knows that it needs to get ready to handle an image containing GPT/UEFI settings. This is a very important step. If you omit this step, you will likely get a “no operating system found” error. Open the vmx file with your favorite text editor and add a line at the bottom of the file that reads firmware = “efi”
Once this is done, go back to Vmware and start your VM.
If everything went according to plan, you should now have a fully functioning VM, revealing all of the settings and unique configurations issued by your suspect to his/her machine. Feel free to navigate to your hearts content. Any edits that you make will be written to the cache file and will survive reboots. If you need to edit the registry, go ahead, the cache file will save the edits. Feel free to take screen-shots or do anything that you need without having to worry about changing the integrity of the image. No changes will be made to the image as E01's are read-only files. When you are done with the machine, shut it down. If you used LosBuntu as a live distribution, then the OS on your internal drive will also be untouched.
And there you have it.
This is a completely free and quick way to see your suspect's system in a live manner, all while preserving the integrity of your data. If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on twitter: @carlos_cajigas