iTranslated by AI
Booting an OS from an E01 (EWF) Forensic Disk Image
Overview
When performing disk forensics, the target disk image is often in the .E01 format.
It is the de facto standard in this industry because it provides some level of compression, making the file size smaller and easier to handle. (Though I get the feeling that many tools don't support it.)
Basically, we collect and analyze artifacts from these .E01 files, but there are times when we want to boot the OS and interact with it directly.
For example, if you want to observe malware behavior by running it on the investigation target environment, or if you want to run investigative tools (like Autoruns).
There are paid tools specifically for this purpose, like VFC, but since I don't have that kind of money, let's gratefully use the free tool Arsenal Image Mounter.
I haven't verified it myself, but this method should work for formats other than .E01 as well.
For details, read the "Disk Image Support" section in the link below.
Verification Environment
VMware Workstation Pro 17.5.2
Arsenal Image Mounter 3.11.293
It might work with similar tools like VirtualBox or FTK Imager, but when I tried those a few years ago, it didn't go very well, so I recommend the one above.
Procedure
Mounting the Disk
Once you launch Arsenal Image Mounter, click "Mount Disk Image" in the bottom left and select the .E01 file you want to boot.
It will ask you several questions, but select "Disk device" and "Write temporary" at the top.
Also, select "Specify alternate differencing file location" and save it somewhere appropriate.
This allows you to create a separate file for changes while keeping the original E01 file unchanged.
Next, select Advanced > Offline Disk from the top toolbar.
Then, the Online/Offline status should now show "Offline".
With this, you have successfully mounted the .E01 file as a physical disk.
Booting with VMware Workstation
When launching VMware Workstation, always start it with administrator privileges.
Otherwise, disk mounting will fail.
Create a new VM and select "Custom (advanced)".
Most of the steps can be followed as-is, but I'll write down a few points to watch out for.
Firmware Type depends on the settings of the .E01 file, so choose one based on your best guess.
If it doesn't boot, try changing the settings later.
Make sure to set Network Connection to "No" (or equivalent).
Otherwise, the moment it boots, malware might communicate with an external server, which could lead to a disastrous situation.
It is a common story (truly) that incident responders cause incidents, so please be extremely careful. When you gaze into an incident, the incident also gazes into you.
For disk selection, check "Use a physical disk" and select the mounted .E01.
If you are not sure about the disk number, check it using diskpart or Disk Management.
With that done, once you create the VM and click the power-on button, it should boot.
You will have to figure out the password through sheer willpower, or politely ask the original owner.
Conclusion
Arsenal Image Mounter is a very convenient tool.
In particular, the ability to mount with write access without changing the original file is fantastic and is useful when you want to run antivirus software, so it's a good tool to have in your arsenal (pun intended).
That's all.
Reference
Discussion