
Physical Disk Issue

DG1
2006-09-05
2013-12-03
  • DG1
    2006-09-05

    I am trying to boot a physical disk.  It is assigned a drive letter from Windows, but when I select "physical disk" in Live View, I get a drop-down list with NOTHING in it.  When I disconnect the disk, I get "no removable devices detected"...

    Also, any hope for support of EnCase images in the future?

    Thanks for the work!

     
    • DG1
      2006-09-05

      Just as a follow up.... also tried this with EnCase's PDE module - same result.

       
    • Brian Kaplan
      2006-09-05

      Please run the following command all on one line at the command prompt and post the output. Be sure that the physical disk is attached via USB or FireWire before running the command. I would also be curious to see the output of the command when you use EnCase PDE.

      wmic /namespace:\\root\cimv2 path Win32_DiskDrive get index, InterfaceType, model, size

      This will help me track down the cause.

      Thanks,
      Brian

       
    • Brian Kaplan
      2006-09-05

      Regarding support for EnCase:

      We would like to support EnCase images and may attempt to do so in the future given significant demand and the resources to do so. 

      Brian

       
    • DG1
      2006-09-05

      Brian...

      You want me to run that when I have the error occurring - right?  But, I may only have to do this when mounting the image with EnCase PDE... Here is why:

      I was able to boot up a laptop drive (physical through IDE Ultra Block) running 2K as the OS while connected to USB and Firewire.  However, the same could not be said when connected to a read-only FireFly (old version) via Firewire.

      Believe it or not, this is the first time we are able to successfully boot a suspect machine in VMware using the subject physical drive.  So we are VERY happy to see it finally working.

      As a side note, when connecting to the UltraKit via firewire, the area where the drop down list under "choose your device" seems to be a little too small.  Probably because of the long name given to the interface/drive... I could send you a screen shot of it if you send me an email address to send it to.

      GREAT WORK!

       
    • Brian Kaplan
      2006-09-05

      Running that command in any situation where you cannot see any devices listed in the physical disk dropdown menu would be useful.

      It would be interesting to see the output with the image mounted with EnCase PDE and with your disk connected with the FireFly.

      I'm glad to hear you've had some success. Reporting these issues will make Live View even better.

      You can find our email on the Live View website by following the contacts link: http://liveview.sourceforge.net/contact.html

      Thanks for the feedback,
      Brian

       
    • Brian... things got really busy around here, so I have not been able to get you the screen shots, etc. on this issue... I hope to get this to you this week.

      On the positive side, I have been using this to boot the physical disks on cases where we need to verify the usage banner is present on a computer prior to an examination.  It has worked flawlessly on the 4 cases in the last couple of weeks.  It saves us time and work station allows us to record a video of the machine booting up and showing the banner as the user would see it.

      Lastly, it was nice to hear the interview on CyberSpeak!  I threw Ovie & Brett your email address - glad to see they contacted you!

      Will get you more this week...

      Danny Garcia, CFCE, CEECS
      Miami-Dade Police Department

       
      • Brian Kaplan
        2006-10-08

        Danny,

           No problem. Enough other people have reported the physical disk bug that I think it has been worked out for the next release (0.5). The screenshots and such won't be necessary, although if you would like to send me the output of that command when using EnCase PDE, that would help for when we add support for that product. No rush.

           I'm really glad to hear that Live View has been working well for you on some of your cases. Glad you liked the interview too.

        Brian

         
    • I'm having the same issue with nothing showing up in the dropdown. The output for the command you gave is:
      Index  InterfaceType  Model                           Size
      3                                                     6489745920
      0      SCSI           Adaptec Array SCSI Disk Device  79990848000
      1      SCSI           Adaptec Array SCSI Disk Device  1499986736640
      2      SCSI           Adaptec Array SCSI Disk Device  1498942126080

      The Adaptec devices are SATA RAIDs, disk3 is the emulated disk and I can see all the partitions on it fine through Explorer.

      Two other things while I'm here: we have a lot of trouble using EnCase PDE with VMware because we use SATA and VMware needs the disk to be lower in the chain than any SCSI devices. One solution to this is to boot with a 'decoy' IDE drive in then whip out the cable and run PDE, which then takes Disk0 from the IDE as it doesn't get freed up when you remove the cable. Obviously this is a kludge, and it's not very reliable. Is there any way in which Live View can overcome this when using PDE?
      The other thing - EnCase format would be great for us as we image with EnCase. I've been so impressed with Live View though that I've been considering changing to dd (via FTK Imager). Obviously if Live View could get us working in a non-silly manner with PDE then we wouldn't have to :-)

      Anyway, keep up the good work and thanks for Live View.

       
      • Brian Kaplan
        2006-10-08

        The next version of Live View (0.5) will correct the issue you are having with nothing showing up in the dropdown.

        As far as using Live View with EnCase PDE: we intend to support that functionality in the future, in which case that would overcome the “kludge” you describe. You would simply select the PDE disk from the dropdown menu and it would boot up.

        Regarding EnCase image support: Although we would like to, we are not currently working on EnCase image support. There are a variety of other features and fixes that are higher on the TODO list, so given our limited time and resources it may not be implemented for quite some time. We would welcome anyone who wants to implement EnCase image support to do so and we would be happy to add it into the release. EnCase PDE support, however, might be a sufficient compromise that will likely be in a future release.

        Glad to hear you like it, and thanks for the suggestions.

        Brian

         
    • Brian,

      I too am having the problem with no physical disks showing.  This is the first time I have tried to go directly to the physical disk VS the dd files.  As you can see, I do have a card reader within.  I am attempting to mount the disk via a Tableau (Ultra Kit) R/W device via 1394B (I am not concerned about write blocking).

      Any further information you may need, please contact me at michaelctaylor<at>gmail*dot*com.  I live in Greensburg and travel downtown from time to time.  I will discuss things in greater detail if you would like, just email me.

      Michael C. Taylor, CFCE

      Microsoft Windows XP [Version 5.1.2600]

      1      IDE            WDC WD740GD-00FLC0                             74348305920

      7      1394           Tableau FireWire-to-IDE IEEE 1394 SBP2 Device  60011642880

      6      1394           WiebeTech ToughTech 800 IEEE 1394 SBP2 Device  32007032064
      0
      0      SCSI           NVIDIA  JBOD     698.65G                       75017021184
      0
      3      USB            Generic USB CF Reader USB Device

      5      USB            Generic USB MS Reader USB Device

      2      USB            Generic USB SD Reader USB Device

      4      USB            Generic USB SM Reader USB Device

       
      • Brian Kaplan
        2006-10-08

        Michael,

          This is a known bug in 0.4. As a workaround try removing the card reader. The upcoming version 0.5 should clear up the issue.

        Brian

         
    • After running wmic, I got this response:
      Index  InterfaceType  Model                                  Size
      0      IDE            Maxtor 5A300J0                         300000637440
      1      SCSI           IBM IC35L036UWD210-0 SCSI Disk Device  36701199360
      2      SCSI           Promise 1+0 JBOD SCSI Disk Device      123519029760
      3      SCSI           Promise 1+0 JBOD SCSI Disk Device      123519029760
      4      SCSI           Promise 1+0 JBOD SCSI Disk Device      123519029760
      5      USB            GENERIC USB Storage-CFC USB Device
      7      USB            GENERIC USB Storage-mmc USB Device
      8      USB            GENERIC USB Storage-MSC USB Device
      6      USB            GENERIC USB Storage-SDC USB Device
      9      USB            SanDisk Cruzer Mini USB Device         1019934720
      10     USB            WDC WD25 00JB-00EVA0 USB Device        250056737280

      I am running version 0.5 LE.  I still get nothing when selecting physical disk.  The USB device was there momentarily, but then disappeared.  I will reboot to see if this fixes it and I'll let you know.

      Alan Harper
      EDS
      Sr. Digital Forensics Instructor
      Fairfax, VA 22030
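
Added example, not part of the original posts and not Live View's code: several of the `wmic` outputs posted in this thread contain rows whose InterfaceType, Model or Size cell is blank, so this sketch parses the table by the header's column offsets and lists the drives reported with a missing interface type or size. The function names, the column widths and the sample (rows reconstructed from the posted outputs) are assumptions.

```python
import re

def _row(idx, iface, model, size):
    # Pad columns like the posted wmic tables (the widths are assumed).
    return f"{idx:<7}{iface:<15}{model:<34}{size}".rstrip()

# Constructed sample: rows taken from outputs posted in this thread.
SAMPLE = "\r\n".join([
    _row("Index", "InterfaceType", "Model", "Size"),
    _row("3", "", "", "6489745920"),
    _row("0", "SCSI", "Adaptec Array SCSI Disk Device", "79990848000"),
    "",
    _row("5", "USB", "Generic USB MS Reader USB Device", ""),
])

def parse_wmic_table(text):
    """Parse fixed-width wmic output; blank cells become None."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Column names contain no spaces, so each header token marks a column start.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    rows = []
    for ln in lines[1:]:
        row = {name: (ln[start:end].strip() or None)
               for (name, start), end in zip(cols, ends)}
        for key in ("Index", "Size"):
            if row.get(key) is not None:
                row[key] = int(row[key])
        rows.append(row)
    return rows

def incomplete_rows(rows):
    """Indexes of drives reported without an interface type or a size."""
    return [r["Index"] for r in rows
            if r["InterfaceType"] is None or r["Size"] is None]

def naive_split(line):
    """Whitespace splitting, shown for contrast: blank cells vanish."""
    return line.split()

if __name__ == "__main__":
    for r in parse_wmic_table(SAMPLE):
        print(r)
    print("incomplete:", incomplete_rows(parse_wmic_table(SAMPLE)))
```

Splitting the emulated-disk row on whitespace yields only two tokens, which would put the size in the InterfaceType position; slicing by header offsets keeps each value in its own column.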

       
    • Rebooting fixed the problem.  I have been testing this and one disk gave me a BSOD, while another one booted up fine.

      A question for you all (because I am new to Live View):
      Does Live View provide any write protection?  If not, what is the recommended method for write protection?

      Regards,

      Alan Harper
      EDS
      Sr. Digital Forensics Instructor
      Fairfax, VA 22030

       
      • Brian Kaplan
        2007-02-22

        Hi Alan,

        Live View does not write any data to your disk or image. See the discussion in the FAQ here:
        http://liveview.sourceforge.net/faq.html#Won't%20Booting%20The%20Image%20Destroy%20Evidence?

        You can also put your images on a hardware write blocker for an added layer of protection.

        We are aware of one problem that causes blue screens when booting some images. We are currently testing the fix and will release it in the near future as 0.5.1. Feel free to let us know whether the fix worked for your image that blue screened with 0.5.

        brian

         
    • pbecker
      2009-03-11

      I have tried 0.6 and 0.7b and I have the same problem. (No disks displayed in dropdown)  Any help would be appreciated.

       
  • Rick Lin
    2013-12-03

    I have used LiveView 07b and 08.RC1 for a long time, and it works fine. LiveView can generate the vmx config and snapshot for you. If you attach your physical disk to your PC or laptop and it gets a drive letter, LiveView should identify your physical disk. Is your physical disk a bootable disk (OS installed)? If LiveView does not recognize your bootable disk, you can create an image from it and try to mount it. See what is going on and maybe you could get more clues by doing so.