By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/
After a colleague posed a question about building VMs from RAIDs, I thought it might be a good topic for a post. I won’t go into RAID basics, as you probably have a good grasp of that topic already if you’re visiting my site. The RAID systems that I see most often are RAID 0s, insofar as the system disk is concerned. We’re not concerned about a box that contains a system disk plus any variety of RAID.
In addition to being RAID 0s, the systems that are most common in my shop contain two disks. Frankly, I’d be a little hesitant about building a system on a RAID 0 with more disks because of the lack of fault tolerance. For our purpose, it really doesn’t matter. In fact, we can build our VM from a RAID 5 or even some versions of RAID 6, if we use the world’s leading forensics tool, X-Ways Forensics (XWF). For this demo, I’m going to use a two-disk RAID 0. The first step is to create an image of each disk. For the original images, the format is irrelevant. I say “original” because we’re going to create another image later.
As in most cases with XWF, there are a few (X) ways to approach a task. Let’s say that you don’t know whether you have a RAID, so you simply add your images to your case, as in the following video.
We now have two raw disks in our case. XWF also advised us that disk structure implies that a RAID may be present (the MFT message indicates the possibility of an implausible file record and likely is of no consequence). A little exploration will confirm that a RAID is present, so we can proceed to reconstruct the RAID.
When we add disk images to our case, XWF intuitively offers them as physical and/or logical disks in further tasks, as in the Select Disk box that we saw in the video. We see that our original disk images remain in our case, but it’s really not necessary to keep them. In fact, we didn’t have to add them when we created our case. For example, during the original imaging process, we could take a look at the original disks through our write blocker and determine that we have a RAID 0. After imaging, we can mount each image as a physical disk with FTK Imager or the tool of our choice.
Note that our image files are mounted as PhysicalDrive9 and PhysicalDrive10. We can now create a case in XWF and reconstruct a RAID right from the start, without adding images or media.
We begin by reconstructing a RAID, just as we did before. We’ll see that Disks 9 and 10 are offered as candidates for RAID reconstruction. After reconstructing the RAID, we’ll add it to our case through the context menu, as before. Note, however, that we must have our images mounted as disks to access our XWF case in the future. In the previous method, our image files usually are always in place.
You may recall that I mentioned stripe size in terms of sectors. Many of us are accustomed to referring to stripe sizes in terms of kilobytes, e.g., 128KB, which is a common stripe size for RAID 0s. XWF requires stripe size to be expressed as a number of sectors. It’s easy math to determine sectors by dividing the number of bytes by sector size, which usually is 512 bytes (but could be 4,096 bytes these days). Also, “bytes” mean the exact number: 128KB=131,072 bytes, so 131,072/512=256 sectors. Determining the correct stripe size may take a little research or trial and error.
We now can work our case in XWF as we would with a typical single-disk case. If we want to build a VM from our image files, we should create a new image from the physical, reconstructed RAID. From the XWF File menu, we select Create Disk Image, and XWF will present the following option box:
In the case tree, our RAID 0 is highlighted, and the viewer window is in Disk mode. My Create Disk Image options box is set to create a Raw (DD) image of the physical disk, which is our RAID 0. Once the image is created, we can create a VM from the image as we would with any image of a single disk system. Is that’s easy!
We’ve come to the point where we can conduct a rather complete exam of shadow volumes using dd and E01 image files. Let’s say that we don’t need to do such a complete exam. For example, we’re confident that one, particular folder may contain previous, unrecovered copies of a small number relevant files. Maybe we’re looking for one file in particular. In those instances, we may not need to mount the shadow volumes.
We can accomplish this task in either our SEAT workstation, in which we added a virtual disk of the target system, or in a running VM of the target. The latter approach is required for E01 images and optional for dd image files. You also can accomplish this with the VHD method that I presented earlier. The approach is the same regardless of which method you choose. Remember, however, that using a “live” VM of a system runs the risk that the system will delete old shadow volumes. The risk can be overcome, but keep it in mind.
To demonstrate the procedure, I’m going to use my SEAT workstation, in which I added a virtual disk.
It’s that easy! Note, too, that you can invoke Windows Previous Versions on almost any file or folder.
In my example, no previous versions existed. If they had, we would have seen a list of earlier versions by date. We then could open and examine any available version of the file. Should you find files of value in the approach that I presented, you can copy the files from the VM to your host system. Copying is seamless if you install VMware Tools in your VM. Otherwise, you can enable a shared folder with your host. Any such copy operation, however, is not a forensic recovery, so consider whether it suits your needs.
Now that we have a quick and easy approach to a limited review of shadow volumes, don’t become too accustomed to using it into the future. Windows 8 seems to have done away with the Previous Versions aspect of the Volume Shadow Service. In my tests of the latest Windows 8 Enterprise edition, it’s gone, and I believe that this has been confirmed on MSDN or similar forums. We can take heart, however, in the fact that shadow volumes remain; at least for the time being.
Eric Zimmerman and Brett Shavers have started writing the "X-Ways Forensics Practitioner's Guide", due out toward the end of year 2013.
Check back as to when the guide will be available. This guide intends to be the source of using X-Ways Forensics.
We’ve built our SEAT VM and added our target image to it as a virtual disk. The first thing that I do is verify that all of the shadow volumes are present. My first post presented a screen shot from the image file (MyImage) and depicted the shadow volumes. We can compare the shadow volumes from the image file with those in our VM. The following video presents the steps we use to enumerate the shadow volumes with the native vssadmin command run from our administrative command prompt.
The screen populates quite quickly, but the point is that we can identify the number of shadow volumes and their respective creation dates. To make it easy to copy, here’s the syntax: vssadmin list shadows /for=[your target volume letter followed by a colon]. Note, too, that your beginning shadow volume number will be different from mine and does not necessarily start with the number one. Another trick is to re-run the command and export the output to a text file, by adding a space at the end followed by >[path to your text file] [name of text file]. Creating a text file is handy for documenting your findings and for copying the shadow volume names, which we’ll do later.
Now we can mount any or all of our shadow volumes for examination. We’re going to use VSS, which is a free, command line tool written by Dan Mares, who is a creative, long-time forensic software developer and examiner. Dan also has developed free tools that are adjuncts to X-Ways Forensics and which help users customize certain reports. You can pick up a copy of VSS at http://www.dmares.com/pub/nt_32/vss.exe. Be sure to check for updates, as Dan is great about implementing suggestions. You’ll also want to check out his other tools. http://www.maresware.com/. Thanks, Dan!
There are a few of ways in which we can use VSS. We can mount one shadow volume; multiple shadow volumes that are numbered consecutively; or multiple, non-consecutive shadow volumes. The following screenshot displays the syntax.
We already have a list of shadow volumes produced by vssadmin. It’s now a matter of selecting the correct volume to provide to VSS. Let’s go back to an abbreviated view of vssadmin’s output. 
The screenshot identifies one shadow volume. It may not be terribly clear, but the shadow volume path is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5. We’ll feed that path to VSS and mount the shadow volume. We need only choose an unused volume letter, and we’ll pick H:
After executing the command, VSS will prompt us to hit <Return> one more time and then present what the screenshot depicts. It includes the root directory listing. Our shadow volume (#5) now is mounted as Volume H: You can repeat that process and mount any, or as many, shadow volumes as remaining drive letters permit.
Hint: to repeat the process, use your up-arrow and simply replace the volume letter and shadow volume number (#), i.e., ShadowCopy[#]. There is no need to copy/paste the entire path repeatedly.
Next, we’ll mount a range of shadow volumes. First, let’s look at the syntax, which is provided in VSS’ on-screen help.
We can start with a given shadow volume and mount every shadow volume that follows, up to our choice of the last shadow volume number. In our case, there are 19 shadow volumes and the first is #5. (I haven’t researched the question of why shadow volume numbers often start at a number greater than #1, but it doesn’t appear that it’s because there were X previous ones. Windows authority Troy Larson probably knows!) Before we go forth, I want to point out that you should study the dates of the shadow volumes in relation to your case. Several restore points can be created on the same day, perhaps within hours of one another. You’ll cut your exam and VM overhead if you exercise some judgment in picking the shadow volumes to mount and examine.
For demonstration purposes, let’s mount them all. I’ll start with no shadow volumes mounted and enter, vss h: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5 23 AUTO. Note that AUTO is upper case. The first shadow volume is #5, and the last is #23. Watch:
Actually, it was coincidental that I happened to have 19 shadow volumes and 19 open, consecutive drive letters 
To unmap any or all of our shadow volumes, we proceed as in the following screenshot. I’ll unmap them all.
Following the VSS command, you enter every volume letter, followed by a colon, which you want to unmap. If unmapping seems to hang, just refresh your screen in Explorer with F5.
That’s it for this post. Next time, I’ll demonstrate one or two exam approaches with X-Ways Forensics. In the meantime, if you get bored, you’re all set to examine your shadow volumes with any tools that you wish to install in your SEAT workstation.
[…] shared it. In fact, I initially used information from his 13 Jul 2012 blog post entitled Mounting Shadow Volumes to mount the VSC of interest as a RAM disk on my analysis system. At the time that I did […]
[…] where Jimmy’s blog post on mounting shadow volumes can into play. Using vss.exe, I added the VSC in question to my analysis system as X:, which […]
Windows forensics (A.Carvey) | Jacques DALBERA's IT world
[…] where Jimmy’s blog post on mounting shadow volumes can into play. Using vss.exe, I added the VSC in question to my analysis system as X:, which […]
Raffael
Jimmy,
How do you examine VSS on deleted/recovered partitions?
jimmyweg
I’ll have to guess, as I haven’t done that. First, I’ll say that you can’t examine deleted shadow volumes, AFAIK, and I tried. For example, you can recover a deleted SV and copy it into the Sys Vol Info directory. That doesn’t work, and may screw up the shadow volume service. Remember that the SVs are difference files, and the “index” has to track the SVs as a whole to rebuild things. Throwing in a “foreign” SV seems to mess up the system.
If you can recover a deleted, intact partition, I suspect that you can image it and create a VM or VMware virtual disk from the image. If you can do that, you can probaly add it to your SEAT workstation and see whether the VSS can rebuild the SVs. You also may be able to rebuild the entire physical disk (image) and boot the previously deleted partition.
Cal
Hi, nice blog!
What about an old snapshot of the same, working partition? I mean, every once an older shadow copy is deleted to create a newer one, due to space constraints to the VS service; however, sometimes a deleted snapshot can be recovered with a raw access to the disc, and .LOG# files in Sys Vol Info dir should hold some infos on syscache.hve changes.
I wonder if there is a mean to verify integrity of such a recovered shadow and to access it.
jimmyweg
The snapshots depend on linking. After deleting snapshots within a VM, VMware typically has no problem with running the VM from any given snapshots. Forensic tools, however, may be unable to mount the successive snapshots because of linking issues, I suspect. I’ve found it rather difficult to gather much any data from deleted (recovered) VSC, because the dependencies are lost.
I’m really enjoying and learning a lot these tutorials, Jimmy. Thanks for sharing!
KP
Raffael
Hi Jimmy
Thanks for your work!
I usually mount disks with Encase PE. This allows to access VSC directly in my workstation (no vm). This approach does not work if you use Ftk Imager or Mount Image Pro .
Looking forward to reading more of your posts!
Raffael
jimmyweg
Thanks very much, Raffael. Correct, mounting with FTKI or MIP will not provide access to the SVs. I don’t use EnCase, so I can’t speak to this feature, but it does seem handy. Another approach, which I’ll describe in a leter post, is mounting a VHD image. The drawback is that you have to create a VHD. If you do, however, you can access the SVs right from your host system.
Jimmy,
I’m not sure how I follow that creating a VHD is a “drawback”, per se. Analysts work on a copy of the acquired image, and not the original “evidence”, and the free tool available from MS simply appends a footer (less than 1K) to the image in order to turn it into a VHD. Once you’ve done that, you can still access the acquired image via FTK Imager, etc.
Thanks for posting this information…it’s great to see more of this sort of thing making it into the public view. Keep it up…
jimmyweg
Thanks, Harlan. Yes, converting the dd to VHD actually is quite simple with VhdTool. In my approach, I use the original image, which is not altered. If I want to convert the image to VHD, I guess that I would make a copy for that purpose, unless you can convert the VHD back to dd, but then you’d want to hash the original again. So, although I do have one or two backups of every dd (as E01) image, having to make another to convert to VHD is something I’d rather avoid. You can build your VMware device in less than one minute. Perhaps someone may develop a tool to image a medium directly to VHD with the approriate verification, something like E01. AFAIK, that’s not do-able at the moment.
Well, you may miss out on traveling on the client's dime, but your client will be happy (that's the goal anyway, isn't?).This may not be good news for anyone wanting to make easy money with travel, but in the long run, your clients (and boss perhaps) will appreciate the savings and speed at which this can be done. You'll also be to get more done in a shorter period of time. That is a good thing.
In this step we’ll add our target system virtual disk to our SEAT VM. We already have the target (MyImage) virtual disk that we created, and we’ll add it to our system as in the next video.
Add Virtual Disk
As you saw, we chose to add the disk as an independent disk in non-persistent mode. Any changes to the disk are discarded when we power off our SEAT VM. Actually, as we’re going to examine shadow volumes, we’re not too concerned about routine changes that our operating system may make to volumes attached to our SEAT VM. Nothing within the shadow volumes will be changed. Remember, we’re not out to do a general exam; for that we can use our favorite tools on our image file.
When you add the disk, VMware may present a box that warns of a hardware compatibility issue. If my SEAT VM was created in an earlier version, I’ll get the following warning.
If you encounter this, change your SEAT hardware compatibility as in the video. Your hardware may differ from mine, but I bring my hardware up to my current version (Ver. 8). Choose Alter this virtual machine as your last step.
We’re ready to boot our SEAT workstation and get our target ready for a shadow volume exam. In Windows, we can see our target system as Volumes E:, F:, and G: Your volume letters may differ as may the number of partitions on your target.
A little exploring reveals that our target’s system partition is Volume F: While the last screen shot is right above us, I want to point out a very handy feature of VMware, which is the Pause button. You can see it in the screen shot as the two, vertical bars right below the File menu item. Pausing the VM freezes the action. So, if you have a number of tasks underway and don’t want to shut down your SEAT VM, just pause it until you want to return to work. Remember, too, that the VMware Snapshot feature is your friend.
The first thing that I do is write protect the target system disk. Even though the disk is non-persistent, it can be written to during our session. It’s also possible that the volume shadow service may delete one or more of the target’s shadow volumes. To write protect our target, we’ll employ Windows Diskpart, which is a command line tool that’s part of Windows 7. In the next video, I’ll step through the process. We’ll begin at the point where I entered the Diskpart shell.
Diskpart
To exit Diskpart, simply type the command exit. Note that the write protection survives a hot or cold reboot. Nevertheless, you don’t have to shut down your SEAT VM, unless you want to make certain changes to its configuration in VMware. Otherwise, you simply can use the Pause feature. Should you want to remove write protection, go through the steps in the video, but enter the command attributes disk clear readonly as the final command.
That’s it for now. In the next post, I’ll get down to mounting and accessing the shadow volumes. Thanks for visiting!
Gerald
Jimmy,
Hello, great series and info. Have you experimented with using the SIFT to make all .E01, .AFF or .RAW images available to the Windows Forensic box for Volume Shadow analysis? I have found it to be extremely quick to set up and reliable (takes about two minutes). Successive exams are faster to setup. Corey Harrell did a posting on how to do that here: http://journeyintoir.blogspot.com/2012/05/more-about-volume-shadow-copies.html
jimmyweg
>Have you experimented with using the SIFT
I haven’t. I do have SIFT, but I’m kind of linux-averse. It’s great stuff, but I like my GUI. I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment. As I mentioned, I can make this work with E01s, but it’s a little more work. I started down this road because I received quite a few remarks about problems with EnCase PDE and LiveView. I don’t use EnCase, so I can’t attest to any issues, but I did play with LiveView and prefer my “hand-built” approach. My aim, which will become a little clearer as I progress, is to do a SV exam with X-Ways Forensics. You can use any tool as long as it will run in a VM. For that matter, you can do the same thing directly in the running VM of the target that we bulit in my first post. XWF can be run from a thumb! You also can add the target virtual disk directly to SIFT through VMware. You’ll have to let me know what you think as I proceed. Thanks.
Gerald
>I’m curious about the iSCSI approach, and perhaps it will work in my Windows-based VM. I’ll have to experiment.
Absolutely it will work to access VSCs. Just make sure your Win forensic box is on the same subnet as the SIFT workstation. Send me an email at This email address is being protected from spambots. You need JavaScript enabled to view it. and I will send you back a short PPT on the method. Should save you a bit of experimenting time.
We now have built a virtual machine from an image of the target system. Next, we’ll build a Windows 7 VM and configure it as our examination platform: Shadow Examination and Analysis Technique (SEAT) workstation. Building the VM basically is the same as installing a operating system from scratch, and I’ll go over the basic steps in the following video.
Build Base VM
I installed Windows 7 Ultimate 64 from a DVD, but you can use an ISO instead of a disc. I have a library of operating systems on ISOs, as they come in handy. Please be mindful of licensing requirements. I didn’t install a network adapter, but will do so later. I use as much RAM as I can afford, and you can experiment. RAM can be adjusted from a powered off state. I like using a single, growable disk for my VM. For the most part, I set up the system as I like. I turn off User Account Control, but we must leave System Protection enabled. I also set my folder view options to allow access to hidden and system files. Remember that you can use snapshots to protect the state of your VM. Below is a screenshot of my VM. I keep my frequently used tools on the desktop. Be sure to include a shortcut to the command prompt, and be set it to run in administrator mode.
For you X-Ways users, you can configure your options as you do normally. Be sure, however, to set the option to run XWF as administrator by default, and allowing multiple instances is suggested. Remember that XWF, as most forensic suites, is USB dongle based. When you want to work with XWF in your VM, you must connect the dongle to the VM as in the image below.
If you have more than one Feitian dongle as in the screenshot, you’ll have to experiment to find the correct dongle. Then, connect it to the VM (Disconnect from host). Note that, if XWF is running in the host system, it will become aware that the dongle was disconnected and issue a notice. The easiest thing to do is close the host instances of XWF before you work in the SEAT application. Of course, if you have more than one dongle, you can work simultaneously in both environments. Note that you can install any USB devices that you wish by using the same procedure.
Note, too, that our SEAT workstation is portable. At the moment, my VM is about 18GB, so it’s easily copied to another forensic workstation or USB drive. In the next post, I’ll review how we mount the target VM in out SEAT workstation and begin an exam.
Derek Frawley
Thanks for the vm creation tutorial.
Do you have anything that will show how to do with E01 file(s) or multiple raw files.( as mentioned in the tutorial) Most of the images i have are E01 and takes too long to re-image.
jimmyweg
I’ll add a post on E01s this weekend, if I have time. In any event, I’ll do that next. Thanks for the comment and suggestion!
Jimmy
http://JustAskWeg.com/
Scott Koehle
Great Stuff, Jimmy. Thanks for taking the time to put this website together. Very Helpful.
Scott Koehle, CFCE
Altoona Police Department
1106 16th St
Altoona, PA 16601
814-932-2588
jimmyweg
I’m glad that it’s helpful. If you enciunter any issues, please let me know.
Welcome to my blog and first post! My aim is to provide tutorials that describe some of the things about which my colleagues have questions. I’m neither a seasoned blogger nor videographer, so please bear with me as I progress. I don’t plan to produce a regularly updated journal on digital forensics, as many of the good folks in my blog list now publish. Instead, I’ll try to provide some guidance on practices that may help others who haven’t had a chance to explore an area of computer forensics that I may have delved into repeatedly. As you’ll see, I have a plan for a few topics and will consider suggestions thereafter. I do, however, have a full time job that already extends beyond a “reasonable” workday, so pardon my delays in posting. The videos herein should be viewed in high-def, and you’re welcome to download them.
This will be a multi-part presentation that goes into creating VMware virtual machines and using them to examine shadow volumes. First, we’ll create a virtual machine from a single dd image file. In the next presentation, well examine the target system’s shadow volumes using VMware and X-Ways Forensics (XWF) http://www.x-ways.net/forensics/index-m.html. We can create a target-system VM from a segmented image, but it takes more work to create our configuration file. We also can build a VM from other image formats, like E01, as long as we can mount the image as a physical disk. First, I always take care to see that my image file is read only. Our image file is MyImage.001. There are a variety of ways to approach an exam of shadow volumes, and this is mine at the moment. I’m using VMware 8.x, but the steps are the same in 7.x.
I’m going to assume that readers have a modest grasp of VMware and Windows shadow volumes. The next presentation features XWF more prominently, and I encourage readers to pick up a copy, as it’s benefits go far beyond the points that I’ll present.
Step One is to create a disk descriptor (vmdk) file, which is a text file that contains the disk geometry and image name. Below is a screen shot of the contents of a Vista/Win7 vmdk file. The yellow-highlighted fields are the ones that you will edit. The first is the number of sectors on the physical disk. Next is the name of your image file. Then, skip the next (cylinders) field one and be sure that your heads=255 and sectors=63. Then enter the number of cylinders by calculating
Here’s an editable copy of our vmdk file: MyImage.txt. Save the file as a text file and then change the extension to vmdk for actual use. It’s configured for VMware 8.x. If you’re wondering where to get the number of sectors, an easy approach is to highlight the image in XWF and select the Technical Details Report from the Specialist menu:
Next, we’ll create a VM, so open VMware and elect to create a new virtual machine. At this point, the following video will save some explaining:
Create VM
This is what we do: Run VMware and create a new VM. Select the Custom option in the first window. Choose to install the OS later. Next, choose the OS (32 vs. 64 is not critical). Then, pick a name for the VM and a path for the VM files. It’s best to place them in their own folder. In the next couple of screens, choose one processor and a little more memory (2-4GB) than the default. In the network box, select “do not use…” You can add a network adapter later. For the I/O adapters box, select LSI Logic (SCSI). In the Select a Disk box, choose “Use an existing virtual disk.” Next, navigate to your vmdk file (MyImage.vmdk). Then click Finish, and you will have built a basic VM. Now, take a Snapshot in VMware: VM\Snapshot\Take Snapshot.
In the next step, we’re going to edit the registry of our VM (we don’t do this in XP) and remove the password (keep EFS in mind). We mount the VM as a logical disk in read-write mode (remember, we’re working with a snapshot and the image file is RO). So, mount the system partition in VMware as writable. Watch the video:
Prep for boot
As you saw, I loaded the VM’s System hive in my host’s registry. I navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI. I edited the Start value (DWORD) so that it’s 0x00. The 0 has the effect of starting the service at “boot” automatically by the system loader. You can edit the other Control Sets, but it’s unnecessary. Then I unload the System hive and shut down Regedit.
Next, we’ll deal with the user’s password. I use a free tool named ntpwedit.exe, http://cdslow.webhost.ru/ntpwedit/. (It’s in Russian, but you’ll figure it out.) We’ll run ntpwedit and point it to the SAM hive in your mounted virtual disk and remove any password that you wish. Note that you usually can boot a VM with Nordahl’s CD and do so, but it doesn’t always work. Watch:
Remove Password
Now, the VM is ready to boot. You may wish to fire it up to be sure that it runs, but create another snapshot first. We want to but be careful about doing anything that could create a restore point, which could delete one or more existing restore points. For example, installing VMware Tools will create a restore point. Snapshots allow us to go back and recover a pristine system. It’s a good idea to check the shadow volumes in your image and be sure that they all show up later with their proper dates when we examine them. In our example, there are 19:
Red Forman
September 4, 2016 at 7:20 am
Hey Jimmy,
Just tried this with a Windows 10 x64 image and turns out there is no registry entry for LSI_SCSI. I managed to get the VM created successfully starting with the VMDK modified to my VMWare version (12), and the following steps:
New VM
Custom
Hardware Version VMWare 12 (my version)
Install OS Later
Choose OS (Win 10×64)
Name and location
Firmware type EFI
1 Processor 1 Core
4GB RAM
No Network Connection
I/O Controller Types – LSI Logic SAS
Virtual Disk Type – SCSI
The rest was the same, except I didn’t need to mount or map the VM HD to change the registry, because Windows 10 has all of the LSI configured as Start=0 by default.
I did have an issue when I started to try your original method though with permissions on the ‘config’ folder, and I wasn’t able to gain access to it using the ‘Map’ method. So I used FTK Imager and mounted the image Writable – Logical and went from there.
Hope this helps out some of the others having issues with Windows 10.
Reply
jimmyweg
September 4, 2016 at 11:57 am
Thanks, Red. Yes, the SAS controller is an alternative. Usually, there are two SAS controllers, and picking either should work. I’m not sure why you couldn’t access System32\Config, but perhaps Win 10 tightened up access somewhat. Yet, I can access the folder directly on my native system.
Reply
Richard
August 10, 2016 at 10:52 am
Anyone willing to share their copy of ntpwedit? The site to download it from is down. I’ve gotten to the point of booting and a login, don’t want to take the time to crack the SAM if I don’t have to. Thanks!
Reply
jimmyweg
August 15, 2016 at 8:09 pm
Solved.
Reply
Jason
July 25, 2016 at 10:19 am
Using Workstation 11 on Windows 10, i can map the VM drive, however the drive is not displayed in RegEdit and Explorer gives me the error “not accessible. Incorrect function.” when i try to view the contents of the drive. Is this a limitation of Windows 10/Workstation 11? Any workarounds?
Thank you.
Reply
jimmyweg
Hi, Jason. I can tell you that my VMware 12 works fine on/with Win 10. I don’t think you’ve encountered a limitation.You didn’t give me much info. Are you working with an image? What type? What is the guest’s OS? Have you tried the approach using Arsenal image Mounter?
EC
September 12, 2016 at 11:04 am
Make sure you take a snapshot before trying to mount it as read/write.
I had the same issue, I kept getting “Not accessible. Incorrect function.” after attempting to mount the drive as read/write in VMWare and browse in explorer. It would mount fine as read only, no errors browsing. Once I did a snapshot it worked fine.
Greg
Good article, however I’m having trouble with the regedit. I can do the load hive, but the mapped drive doesn’t show up, the hard drive, a recovery partition, and my local drives do, just not the drive I mapped in VMware… I can’t boot that system as I believe it needs the SCSI to start up when the system boots.
I’ve tried this numerous times, and still a no-go.
Thoughts?
jimmyweg
Thanks for writing, Greg. What is the guest OS? Is it GPT (I think it is)? How are you loading and editing the System/SAM hives if you can’t map the system partition? Try mapping the partition before and after the desired system partition. WMware seems to have an issue with mapping the selected partition on GPT.
Greg
Imaging it’s GPT (windows 7 box I’m fairly sure), my host is windows 7. I can see the drive mapped to windows (a 455GB drive using about 120GB). Under advanced shows scsi.
Now on my host I try regedit, file local hive( as in video). On left hand side, I still see my C drive, my USB drive, and now instead of Q (which is the image file that I wish to use), I see an 11GB recovery drive (different letter).
Thanks
jimmyweg
In VMware, how many partitions does it show when you go to map a volume? Post back a list with size and type.
MacLuser
Will this work for creating a VM of a MAC OSX .00001 image? If not, any suggestions?
jimmyweg
OSX is an entirely new ballgame. I will tell you that I can create a VMware VM in Windows from an OSX dd image. However, there is at least a debate over whether doing so conforms with Apple’s licensing conditions. So, I haven’t posted instructions because I don’t want to take a chance on violating the license. I will say that it also requires a tweak to certain VMware system files, and I don’t know whether those edits will work in all versions. You can, however, build a VM in Fusion on a Mac.
Steve Linn
Jimmmy,
I have a 001 image that I am setting up
In VMWare when selecting the MyImage.VMDK file I get the following error
“the file specified is not a virtual disk”
Here is my code for my VMDK
# Disk DescriptorFile
version=1
encoding=”windows-1252″
CID=fffffffe
parentCID=ffffffff
isNativeSnapshot=”no”
createType=”monolithicFlat”
# Extent description
RW 1953525168 FLAT “MyImage.001” 0
# The Disk Data Base
#DDB
ddb.virtualHWVersion = “8”
ddb.longContentID = “3dbffea22e044ddc2bb9220dfffffffe”
ddb.uuid = “60 00 C2 99 79 81 fe 89-c6 64 c8 c2 19 93 b1 ea”
ddb.geometry.cylinders = “121602”
ddb.geometry.heads = “255”
ddb.geometry.sectors = “63”
ddb.adapterType = “lsilogic”
jimmyweg
Let’s check the easies thing first: make sure that your image name in the vmdk is precise. Nxet, double check the geometry, e.g., number of sectors. I take it that your target is a single image file and not a mounted image. Let me know what you find.
Steve Linn
I got a little farther along
I changed text editor to Notepad++
got my sector count from FTK Imager
I was able to go through the entire process – mounting it to the Z: drive and editing the registry hive.
I did not change the password because I did not need to — I know the password
When I go to power on the machine I get the error “failed to lock the file…cannot open the disk E:\MyImage.vmdk or one of the snapshots it depends on.
Module ‘Disk’ power on failed.
jimmyweg
This error usually resolves with a host system reboot.
Steve Linn
Little further along….
Able to install the VM and open it in VMWare – however it says it cannot start normally. I tried to stop the VM and restart it – same issue — should I attempt to repair it?
jimmyweg
You shouldn’t need to do a repair if the original system was working okay. First, choose “no” and see what happens. What OS is the guest?
Steve Linn
The computer worked fine, it was a Win 7 x64
jimmyweg
Then it has to boot in VMware if you correctly created the vmdk, edited the registry, and took a snapshot. Try to back to the first snapshot and boot. Don’t do a repair at that point.
Kevin Chaney
I keep getting this BSOD on every machine I try:
Stop 0x0000007B
Any ideas?
Thanks
jimmyweg
What OS is your VM?
Shelby Mertins
I’m having this problem trying to boot to Windows 7.
jimmyweg
If it’s the same issue that Patrick last reported, it seems to be a Windows issue. Try the repair. Does it boot to safe mode? I get that screen all the time and simply elect to start Windows normally. Go back to square one and make sure that you get the registry edited before your first attempt, in case something was corrupted when you first built the VM.
Matthew
Hi Jimmy
I keep getting Stop code 0x0000007B on boot
My OS is Win XP.
I suspect it cannot boot because I have not changed the appropriate setting in the registry. I looked and cannot find the LSI_SCSI key (probably becuase this is XP).
Is there an XP version of this key I can change?
Thanks in advance!
jimmyweg
Matthew, I posted about XP at http://justaskweg.com/?p=851. Do the repair as I explained.
Hannah
Great article but I am having problems mapping the drive. I am using Workstation 10. It seems to map the drive but when I click on it, it says to format the drive. When I try to start the VM, I get a disk error. I can mount the dd and browse the folders using FTK Imager. Any ideas? Thx!
jimmyweg
Perhaps your geometry is wrong. Check your vmdk file and be sure that the C-H-S settings are correct. H=255, S=63, C=Total Sectors/255/63. Your total (physical) sectors should be included in the file, too, of course.
Hannah
[Drive Geometry]
Cylinders: 60,801
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 976,773,168
VMDK File
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
isNativeSnapshot=”no”
createType=”monolithicFlat”
# Extent description
RW 60802 FLAT “nt2935.001” 0
# The Disk Data Base
#DDB
ddb.adapterType = “lsilogic”
ddb.encoding = “windows-1252”
ddb.geometry.cylinders = “1”
ddb.geometry.heads = “255”
ddb.geometry.sectors = “63”
ddb.virtualHWVersion = “4”
jimmyweg
First, remove the commas in your sector count number, and RW should be 976773168. The ddb.geometry.cylinders should 60801. Create a vmdk file that contains the following:
# Disk DescriptorFile
version=1
encoding=”windows-1252″
CID=fffffffe
parentCID=ffffffff
isNativeSnapshot=”no”
createType=”monolithicFlat”
# Extent description
RW 976773168 FLAT “nt2935.001” 0
# The Disk Data Base
#DDB
ddb.adapterType = “lsilogic”
ddb.geometry.cylinders = “608001”
ddb.geometry.heads = “255”
ddb.geometry.sectors = “63”
ddb.longContentID = “4840d9972d5edd9f0f8a2f4afffffffe”
ddb.uuid = “60 00 C2 9e 44 a1 15 1d-5d 9b 29 09 73 ce 10 47”
ddb.virtualHWVersion = “10”
Hi,
Thanks for your excellent work and for sharing it!
Just a quick question as you might have come across.
I’m trying to write the System registry key as you said so, but on VMWare Workstation 8, when I try to map the partition as writable, got a Windows message saying it can’t open that drive letter.
I’ve tried in VMWare Workstation 10, and I can map to a drive letter, but then I can’t open folder Config under Windows\System32, as says that I don’t have permissions. I tried of course to edit the permissions, but always get an error that can’t write.
Have you ever came across something like it?
Thanks
jimmyweg
If you can map the volume as writable with VMware, it seems to be a permissions issue, as you noted. Win 8 can be a little fussier than 7. Have you disabled UAC? First try the normal way through Control Panel. If that doesn’t work, try HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and set EnableLUA to 0x00. Note that you will be unable to use Metro Apps (so what).
saintbin
Hi Jimmy, may i got your need to boot from single dd image?
1. i create a dd image from a system drive(logical drive) using ftk imager
2. i create vmdk and VM according your posts step
3. i load the VM system hive in my host’s registry and operated with your given method and removed the password use ntpwedit
4. then i power on the VM, but the VM suspended on a starting but black screen. what’s the problem?
can you help me ?
jimmyweg
September 21, 2013 at 11:11 am
I don’t know about a black screen, and what do you mean by “VM suspended”? If you’re not even getting to Windows, there may be a problem with your target’s boot loader. Make sure you give it enough time, as it can be slow sometimes. What is the OS?
saintbin
Hi jimmmy, thanks to you that post a great blog.
but ia have a question, can you tell me, how to loaded the VM’s System hive in my host’s registry and then how to navigated to the current control set and then to HKLM\NEWSYSTEM\ControlSet001\Services\LSI_SCSI?
waiting you reply!
jimmyweg
September 21, 2013 at 11:09 am
It’s in my posts, but mount your virtual disk after taking a snapshot. Mount it as writable. Then open regedit, and select load hive from the File menu, when your focus is on HKLM on your own registry. Navigate to the mounted virtual disk’s SYSTEM hive, select it, and give it a name. You should find the LSI_SCSI key in your mounted hive.
Randy
Thank you for taking the time to put together such helpful information! I am using VMWare Workstation 8 on a Windows 7 x64 host, and I created a VM from an E01 image of a Windows 7 machine.
I was unable to map the virtual drive, and the vmware.log exposed the problem: “failed to open \\.\PhysicalDrive11 the physical disk is already in use”
To solve this problem, I closed VMWare Workstation 8 and started it again running it “As Administrator”. It was a permissions issue accessing the physical disk, and running as Administrator fixed it.
jimmyweg
I’m gad it worked out. Sometimes, access issues arise from neglecting to create a snapshot.
Johan S
I solved it, I was not system admin. Thanks for a GREAT tutorial!
jimmyweg
You’re welcome!
Johan S
Hi! Im stuck again. After mapping the “harddrive” with VM Ware as explained it shows in windows explorer, but it does not show in disk management and it does not show through regedit, so I can not choose the sytem file in it. I guess that some of my computer settings are not right. I would be wery happy if you could help me out again. Thanks for great information!
Johan S
Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I dont see links to it on this page.
jimmyweg
The first video is at http://justaskweg.com/?paged=3.
Alan
I have the same problem as Diego. My image is a raw, dd image that opens fine in WinHex Specialist. I made changes to the number of sectors and to the image file name in your template. I saved the file as a vmdk. I do not think I made a mistake.
jimmyweg
Hi, Alan. The “The file specified is not a virtual disk” error typically indicates a problem with your vmdk or an issue with your image. If you want to send the vmdk to me, email it to jweg mt. gov. In WinHex, click on the physical image and send the Technical Details Report, too, if available. Make sure that your vmdk file is in the folder with your image. Check that no commas are in any numbers, e.g., sectors. Double check that you named the image correctly in your vmdk. Check your math for number of cylinders.
Alan
Thanks for the offer to troubleshoot it. I’ll send it to you. I double checked all that you suggested so I am hoping you can shed some light. BTW, I hate captchas.
jimmyweg
Sent you an email. I also hate Captchas, but you can’t believe how many spam comments I was getting. I wish that there was an alternative, and I do use other blockers.
Hans Marius
Hi,
Iam trying to bring up a machine from E01 file.
You are using MyImage.001 in the vmdk file, but what should I type there when trying from an E01 file?
jimmyweg
Hello, Hans. As you’re using an E01, you must mount the image as a physical disk and then build your VM from the disk. Please follow the instructions at http://justaskweg.com/?p=653.
Howdy! I just wish to give you a huge thumbs
up for the great information you have got here on this
post. I am returning to your blog for more soon.
jimmyweg
thanks. I’m glad that you find the information helpful.
Brian
Jimmy, what is required to get an XP image to boot up in the same manner? Thank you for your time.
jimmyweg
Hi, Brian. I have a post on XP VMs at If that dopesn’t help, post back.
Diego
I followed all steps with VMWare 8.x, but when I navigate to the vmdk file and click next I get the error: “The file specified is not a virtual disk”. I tried creating another VM and check the contents of the generated vmdk file, it contains some weird characters at the beginning and the end, but the file I made manually doesn´t. What could be the problem?
jimmyweg
That usually means that your vmdk file contains an error or the wrong type of virual disk. Are you trying to create a vm from a dd image If you’re trying to create a VM from an E01 or mounted disk, you want to open the vmx file after you follow the steps in mypost on E01s.
Brian
Jimmy, I seem to be stuck on the piece to edit the registry. Where is the video located? I dont see links to it on thi spage.
Phill
How did you figure out that you have to modify the registry?
And do you know why setting the registry key to 0 seems to get it to work?
jimmyweg
First, Vista/7/8 VMs prefer SCSI disks. If you simply create one from scratch, SCSI is the default. As many have found, leaving an IDE drive in place usually results in a BSOD. IIRC, it’s a Stop 0x0000007B error, which should be a driver issue. It took a bit of testing and trial and error. The issue/conflicts doesn’t arise with a SCSI disk/drivers. But, the target system probably doesn’t use a SCSI disk, so it won’t load the driver at boot. Vista/7/8 include the LSI SCSI drivers, but we have to make them load at boot. All that takes is editing the driver’s Start value data to 0x00. Thereafter, the SCSI drivers will load at boot and the system will recognize your SCSI disk. Per MS, these are the available value data for Start values (summarized):
0x0 Part of the (Boot) driver stack for the boot (startup), loaded by the Boot Loader.
0x1 Represents a driver to be loaded (System) subsystem at Kernel initialization.
0x2 To be loaded or started (Auto load) Control automatically for all startups,
0x3 Load on Control but will not be started until demand, for example, by using the Devices icon in Control Panel.
0x4 NOT TO BE STARTED UNDER ANY CONDITIONS.
Good stuff Jimmy!
I didn’t like having to modify the registry though so I used:
ddb.adapterType = “ide”
in the vmdk file to avoid it.
Thanks!
jimmyweg
Thanks, Stephane, I’m glad you found my post useful. Typically, Win7/Vista in VMware like SCSI drives, and XP uses IDE. However, if your VM boots, it doesn’t matter. If you have to strip a password and you use my approach for that, you have to mount the disk and edit the registry anyway. Even if you boot with a password-stripper disc, it edits the SAM, too.
Jason
Great Job here! Thanks so much for the step by step guide. Very informative.
Few questions.
Following the guide from ‘Creating a VM from 01 Images’ I was able to get a Win 7 64bit image to boot, but only once. After I shut it down and restarted it I keep getting the BSOD. I tried deleting everything and starting over but still had the BSOD. Anything changing outside of the files created in target directory, like in the VMWare Workstation folder/files? Any other thoughts on this?
Also in this post in the section about editing the registry of the mapped image it says ‘In the next step, we’re going to edit the registry of our VM (we don’t do this in XP)’ What do you mean ‘we don’t do this in XP’. Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?
Thanks again!
jimmyweg
>After I shut it down and restarted it I keep getting the BSOD.
If it boots once, it should boot indefinitely, absent something that went wrong in the VM guest. If it BSODs again, don’t do anything until you mount the virtual disk and recheck the registry to be sure that the LSI SCSI Start=0x00. If it reverted back to its original state, perhaps try taking another snapshot after you re-edit the registry. Maybe you somehow set the disk to non-persistent, although I don’t think that you can do that.
>Do I not edit the registry in host system if its XP or do I not edit the registry of a XP image?
Correct, you don’t. XPs usually don’t come with the native LSI drivers, anyway. You build an XP VM with the standard IDE disk. Then, to get it to boot, you’ll have to do a Windows repair in mnost cases. I can do a post on that if you think it would help a number of folks.
jbscarva
September 14, 2012 at 10:32 am
Excellent. Thanks very much!!!!
jimmyweg
You’re quite welcome!
Thanks for the amazing info. I find these posts have a lot of material. I can’t wait to get a chance to impliment all these great posts. Thank you very much.
Outstanding work. Ditto Mr.O’Sullivan’s Comments. Bookmarking and sharing (if you don’t mind).
jimmyweg
>(if you don’t mind).
Thanks for kind words, William and Michael. I certainly don’t mind sharing.
William O'Sullivan
Excellent article and explanation. Thank you!
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
© 2022 Brett Shavers
