tinyapps.org / blog

Convert raw disk image or physical disk to virtual machine #

"Live View is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk. This allows the forensic examiner to 'boot up' the image or disk and gain an interactive, user-level perspective of the environment, all without modifying the underlying image or disk. Because all changes made to the disk are written to a separate file, the examiner can instantly revert all of his or her changes back to the original pristine state of the disk. The end result is that one need not create extra 'throw away' copies of the disk or image to create the virtual machine.

Live View is capable of booting Containing the following operating systems Behind the scenes, Live View automates a wide array of technical tasks. Some of these include: resolving hardware conflicts resulting from booting on hardware other than that on which the OS was originally installed; creating a customized MBR for partition-only images; and correctly specifying a virtual disk to match the original image or physical disk."
Related projects: UPDATE: In my testing, Live View 0.7b / VMWare Server 1.x (2.x not supported by Live View) on a Windows 7 64-bit host did not work, even after trying a number of suggestions in the forums.

Switched to a Windows XP host, and successfully tested with a raw disk image of an XP install. However, attempting to use a partition image instead of a full disk image resulted in the following error on boot:
   A disk read error occurred
   Press Ctrl+Alt+Del to restart
Apparently the MBR is not being written correctly, or perhaps VMWare just doesn't play well with images created from partitions.

Finally, I tried using an IDE drive (Windows XP installed) with two different USB and Firewire bridges, but that also failed:
   ERROR>     Snapshot Creation Failed
   ERROR>     Problem preparing partition1 for launch
   VM Launch Failed
tl;dr: Windows XP is well-supported as a host, but you may not be able to work with anything other than full disk images.

/windows | Jun 18, 2010

Subscribe or visit the archives