What's a "raw (dd-style) disk image"?
LifeView can work with 2 kinds of VMware-type images:
a raw-disk - this is just a description of a physical disk - see this example:
# Disk DescriptorFile
version=1
CID=13f70cd7
parentCID=ffffffff
createType="partitionedDevice"
# Extent description
RW 63 FLAT "raw-pt.vmdk" 0
RW 24579387 FLAT "\\.\PhysicalDrive0" 63
RW 131716935 ZERO
RW 5103 ZERO
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "16383"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.geometry.biosCylinders = "1024"
ddb.geometry.biosHeads = "255"
ddb.geometry.biosSectors = "63"
ddb.adapterType = "ide"
A raw-disk is a 1 KB file used to access PhysicalDrive0, as in this case.
MonolithicFlat - this is something like a dd-image with an additional descriptor file. DD-images can be created with any Knoppix-CD, for example ...
They are a sector-based, full, uncompressed image of a disk (or of a partition only).
You can convert an existing dd-image into a monolithicFlat VMware-disk by adding this small description.
LifeView uses a bug in VMware.
Following common sense, VMware prohibits creating snapshots of raw-disks (physical disks) via the GUI interface. In normal use this is very, very dangerous and considered mad.
Now VMware Workstation uses a command-line tool named vmrun.exe to start and stop virtual machines per script.
One of these functions is "add snapshot to disk X".
Now vmrun doesn't refuse snapshots on raw-disks, so LifeView uses this to create a snapshot.
As soon as you have a snapshot you can investigate the existing disk without changing it as all changes go into a REDOlog instead.
I asked the LifeView guys whether they were interested in doing this from a LiveCD, as I have done similar stunts several times before - with my VMware Workstation on BartPE.
I guess it sounded too crazy for those forensic specialists.
There is one function I like in LifeView - they can add this VMware-style descriptor file to a dd-image automatically using a bloated Java trick.
I'd like to adopt this trick if it wasn't so bloated.
Jaclaz - I'm sure you could extract the necessary info with dsfo from the MBR of the dd-image.
Summary: Lifeview is an interesting approach - but rather half-hearted.
They do it to be able to investigate a tampered box faster - but they still have to create an image in the first place.
This is not even necessary if you do this from a LiveCD.
Just my 2 cents ....
Ulli
(forgot one thing - they also patch IDE-disk images so that they can run as an IDE-based virtual machine - by the way, this is just one of the functions I have in that moapatchman stuff)
http://www.911cd.net...showtopic=19091
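As an added example (not code from the post, from LifeView or from VMware), here is a small Python script that does the conversion described above: it reads the MBR of a dd image, sanity-checks the partition table against the image size, and writes a monolithicFlat descriptor next to the untouched image. The function names, the fixed CID and the sample MBR are my own constructions; the descriptor layout follows the example in the post.

```python
import os
import struct

SECTOR = 512

def parse_mbr(mbr):
    """Return [(bootable, type, lba_start, sectors)] from a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a partitioned dd image?")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:462 + 16 * i]
        if e[4] == 0:  # partition type 0 = unused slot
            continue
        start, count = struct.unpack("<II", e[8:16])
        entries.append((e[0] == 0x80, e[4], start, count))
    return entries

def make_descriptor(total_sectors, extent_name, cid="fffffffe"):
    """Descriptor text in the layout of the post's example; geometry is
    16 heads x 63 sectors with cylinders capped at the CHS limit 16383."""
    cyl = min(total_sectors // (16 * 63), 16383)
    lines = ["# Disk DescriptorFile", "version=1", "CID=" + cid,
             "parentCID=ffffffff", 'createType="monolithicFlat"', "",
             "# Extent description", 'RW %d FLAT "%s" 0' % (total_sectors, extent_name),
             "", "# The Disk Data Base", "#DDB", 'ddb.virtualHWVersion = "4"',
             'ddb.geometry.cylinders = "%d"' % cyl, 'ddb.geometry.heads = "16"',
             'ddb.geometry.sectors = "63"', 'ddb.adapterType = "ide"']
    return "\n".join(lines) + "\n"

def write_descriptor(image_path):
    """Check size and MBR, write <image>.vmdk beside the untouched image, return its path."""
    size = os.path.getsize(image_path)
    if size % SECTOR:
        raise ValueError("image size is not a whole number of sectors")
    total = size // SECTOR
    with open(image_path, "rb") as f:
        parts = parse_mbr(f.read(SECTOR))
    for _, ptype, start, count in parts:
        if start + count > total:
            raise ValueError("partition type 0x%02x runs past the image end" % ptype)
    vmdk = image_path + ".vmdk"
    with open(vmdk, "w") as f:
        f.write(make_descriptor(total, os.path.basename(image_path)))
    return vmdk

def constructed_mbr(start=63, count=2048 - 63):
    """Constructed sample MBR: one bootable FAT16 (0x06) entry, no boot code."""
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", start, count)
    return b"\x00" * 446 + entry + b"\x00" * 48 + b"\x55\xaa"
```

The resulting .vmdk can be attached to a VM as a non-persistent or snapshotted disk, so that all writes land in the REDO log and the dd image stays unchanged.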