How to make a Live analysis from a ‘dd’ image

In forensics, there are two different scenarios:

  1. Dead analysis
  2. Live analysis

Dead analysis is the common case. It uses software like “Encase” or even Linux distributions like “Helix” or “Caine”. But in a dead analysis, you can’t see what a piece of malware is doing or how an installed program behaves. For that, you need a live analysis.

If you have an image acquired with “dd”, you can boot it as a live PC system in a VMware environment. You need:

  • VMware Player (free) or VMware Workstation (paid)
  • VMware Virtual Disk Development Kit, VDDK (free) http://www.vmware.com/download/sdk/virtualdisk.html
  • Live View (free) http://liveview.sourceforge.net/

Then install VMware Player and the VDDK, and run Live View.

In Live View, select the image file and the output directory, then press Start. After a little work, a VM is launched with the ‘dd’ image as its first hard disk.

Live View 0.7b

On the other hand, if you only need to mount a “dd” image as a secondary hard disk in VMware, try one of these options:

  1. Use ProDiscover Basic (free) http://www.techpathways.com/Demo.htm: in Tools > Image Conversion Tools > VMware support for “DD” image.
  2. Write your own VMware disk descriptor, filling in the sectors, heads, cylinders and size so that they match the original disk. This information can be read from the “dd” image with a hex editor. Example VMware disk descriptor:
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "16"
# cylinders = total sectors / (heads * sectors per track) = 156301488 / (16 * 63)
ddb.geometry.cylinders = "155061"
# use "buslogic" instead of "ide" if the disk should appear on a SCSI controller
ddb.adapterType = "ide"

# Extent description: RW <size in 512-byte sectors> FLAT "<raw image file>" <offset>
RW 156301488 FLAT "sdc-img.dd" 0
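Option 2 worked through as an added Python script (not from the original post, nor part of Live View or VMware): it reads heads and sectors-per-track from the partition table in the image's first sector, derives the cylinder count from the image size, and prints a monolithicFlat descriptor for the raw image. The script name mkvmdk.py and the 16/63 fallback geometry are assumptions.

```python
import os
import sys

SECTOR = 512  # dd images are addressed in 512-byte sectors

def decode_chs(chs: bytes):
    """Decode a 3-byte MBR CHS field into (cylinder, head, sector)."""
    head = chs[0]
    sector = chs[1] & 0x3F                      # low 6 bits
    cylinder = ((chs[1] & 0xC0) << 2) | chs[2]  # high 2 bits + next byte
    return cylinder, head, sector

def geometry_from_mbr(mbr: bytes, image_bytes: int):
    """Infer (cylinders, heads, sectors/track) from the partition table in
    the image's first sector. With no usable entry, fall back to the classic
    16 heads / 63 sectors IDE geometry (an assumption, adjust to the source disk).
    Disks past the CHS limit report 255/63 here; cylinders is then truncated."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: not a raw disk image?")
    heads = sectors = 0
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        if entry[4] == 0:                       # partition type 0 = unused slot
            continue
        _, end_head, end_sector = decode_chs(entry[5:8])
        heads = max(heads, end_head + 1)        # heads count from 0
        sectors = max(sectors, end_sector)      # sectors count from 1
    if not heads or not sectors:
        heads, sectors = 16, 63
    cylinders = (image_bytes // SECTOR) // (heads * sectors)
    return cylinders, heads, sectors

def make_descriptor(image_name: str, image_bytes: int, geometry, adapter="ide"):
    """Render a monolithicFlat .vmdk descriptor that points at the raw image."""
    cylinders, heads, sectors = geometry
    return "\n".join([
        "# Disk DescriptorFile", "version=1", "CID=fffffffe",
        "parentCID=ffffffff", 'createType="monolithicFlat"', "",
        "# Extent description",
        f'RW {image_bytes // SECTOR} FLAT "{image_name}" 0', "",
        "# The Disk Data Base", "#DDB", 'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.sectors = "{sectors}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.adapterType = "{adapter}"', ""])

if __name__ == "__main__":  # usage: python mkvmdk.py sdc-img.dd > sdc-img.vmdk
    image = sys.argv[1]
    size = os.path.getsize(image)
    with open(image, "rb") as f:
        geometry = geometry_from_mbr(f.read(SECTOR), size)
    sys.stdout.write(make_descriptor(os.path.basename(image), size, geometry))
```

Point the descriptor at a read-only copy of the image (or set the file read-only) so that the VM cannot alter the evidence when it writes to the disk.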

Happy Forensics.

1 Comment

  1. NullCool Said,

    April 17, 2009 @ 8:14 pm

    :| .. wow!! I didn't understand a thing, I don't speak German =( ..joke..
    interesting, alluz, do you work on something related to computer forensics??
