I am trying to boot a physical disk. It is assigned a drive letter from Windows, but when I select "physical disk" in Live View, I get a drop down list with NOTHING in it. When I disconnect the disk, I get "no removable devices detected"...
Also, any hope for support of EnCase images in the future?
Thanks for the work!
Just as a follow up.... also tried this with EnCase's PDE module - same result.
Please run the following command all on one line at the command prompt and post the output. Be sure that the physical disk is attached via USB or FireWire before running the command. I would also be curious to see the output of the command when you use EnCase PDE.
wmic /namespace:\\root\cimv2 path Win32_DiskDrive get index, InterfaceType, model, size
This will help me track down the cause.
Regarding support for EnCase:
We would like to support EnCase images and may attempt to do so in the future given significant demand and the resources to do so.
You want me to run that when I have the error occurring - right? But, I may only have to do this when mounting the image with EnCase PDE... Here is why:
I was able to boot up a laptop drive (physical through IDE Ultra Block) running 2K as the OS while connected to USB and Firewire. However, the same could not be said when connected to a read-only FireFly (old version) via Firewire.
Believe it or not, this is the first time we are able to successfully boot a suspect machine in VMware using the subject physical drive. So we are VERY happy to see it finally working.
As a side note, when connecting to the UltraKit via firewire, the area where the drop down list under "choose your device" seems to be a little too small. Probably because of the long name given to the interface/drive... I could send you a screen shot of it if you send me an email address to send it to.
Running that command in any situation where you cannot see any devices listed in the physical disk dropdown menu would be useful.
It would be interesting to see the output with the image mounted with EnCase PDE and with your disk connected with the FireFly.
I'm glad to hear you've had some success. Reporting these issues will make Live View even better.
You can find our email on the live view website by following the contacts link: http://liveview.sourceforge.net/contact.html
Thanks for the feedback,
Brian... things got really busy around here, so I have not been able to get you the screen shots, etc. on this issue... I hope to get this to you this week.
On the positive side, I have been using this to boot the physical disks on cases where we need to verify the usage banner is present on a computer prior to an examination. It has worked flawlessly on the 4 cases in the last couple of weeks. It saves us time and work station allows us to record a video of the machine booting up and showing the banner as the user would see it.
Lastly, it was nice to hear the interview on CyberSpeak! I threw Ovie & Brett your email address - glad to see they contacted you!
Will get you more this week...
Danny Garcia, CFCE, CEECS
Miami-Dade Police Department
No problem. Enough other people have reported the physical disk bug that I think it has been worked out for the next release (0.5). The screenshots and such won't be necessary although if you would like to send me the output of that command when using Encase PDE, that would help for when we add support for that product. No rush.
I'm really glad to hear that Live View has been working well for you on some of your cases. Glad you liked the interview too.
I'm having the same issue with nothing showing up in the dropdown. The output for the command you gave is:
Index InterfaceType Model Size
0 SCSI Adaptec Array SCSI Disk Device 79990848000
1 SCSI Adaptec Array SCSI Disk Device 1499986736640
2 SCSI Adaptec Array SCSI Disk Device 1498942126080
The adaptec devices are SATA RAIDs, disk3 is the emulated disk and I can see all the partitions on it fine through Explorer.
Two other things while I'm here: we have a lot of trouble using Encase PDE with VMware because we use SATA and VMware needs the disk to be lower in the chain than any SCSI devices. One solution to this is to boot with a 'decoy' IDE drive in, then whip out the cable and run PDE, which then takes Disk0 from the IDE as it doesn't get freed up when you remove the cable. Obviously this is a kludge, and it's not very reliable. Is there any way in which Live View can overcome this when using PDE?
The other thing - Encase format would be great for us as we image with Encase. I've been so impressed with Live View though that I've been considering changing to dd (via FTK Imager). Obviously if Live View could get us working in a non-silly manner with PDE then we wouldn't have to :-)
Anyway, keep up the good work and thanks for Live View.
The next version of Live View (0.5) will correct the issue you are having with nothing showing up in the dropdown.
As far as using Live View with Encase PDE: we intend to support that functionality in the future in which case that would overcome the “kludge” you describe. You would simply select the PDE disk from the dropdown menu and it would boot up.
Regarding Encase image support: Although we would like to, we are not currently working on Encase image support. There are a variety of other features and fixes that are higher on the TODO list, so given our limited time and resources it may not be implemented for quite some time. We would welcome anyone who wants to implement Encase image support to do so and we would be happy to add it into the release. Encase PDE support, however, might be a sufficient compromise that will likely be in a future release.
Glad to hear you like it, and thanks for the suggestions.
I too am having the problem with no physical disks showing. This is the first time I have tried to go directly to the physical disk VS the dd files. As you can see, I do have a card reader within. I am attempting to mount the disk via a Tableau (Ultra Kit) R/W device via 1394B (I am not concerned about write blocking).
Any further information you may need, please contact me at michaelctaylor<at>gmail*dot*com. I live in Greensburg and travel downtown from time to time. I will discuss things in greater detail if you would like, just email me.
Michael C. Taylor, CFCE
Microsoft Windows XP [Version 5.1.2600]
1 IDE WDC WD740GD-00FLC0 74348305920
7 1394 Tableau FireWire-to-IDE IEEE 1394 SBP2 Device 60011642880
6 1394 WiebeTech ToughTech 800 IEEE 1394 SBP2 Device 32007032064
0 SCSI NVIDIA JBOD 698.65G 75017021184
3 USB Generic USB CF Reader USB Device
5 USB Generic USB MS Reader USB Device
2 USB Generic USB SD Reader USB Device
4 USB Generic USB SM Reader USB Device
This is a known bug in 0.4. As a workaround try removing the card reader. The upcoming version 0.5 should clear up the issue.
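Added example, not part of the thread or of Live View's code: a small Python parser for the space-collapsed `wmic` output posted above that lists which entries report no Size. The thread does not state the root cause of the empty dropdown; treating size-less entries (card-reader slots with no media) as the ones to unplug is an assumption drawn from the workaround above, and the function names are hypothetical.

```python
import re

# Constructed sample: rows copied from output posted in this thread, with the
# column padding already collapsed to single spaces as it appears here.
SAMPLE = """\
Index InterfaceType Model Size
1 IDE WDC WD740GD-00FLC0 74348305920
7 1394 Tableau FireWire-to-IDE IEEE 1394 SBP2 Device 60011642880
0 SCSI NVIDIA JBOD 698.65G 75017021184
3 USB Generic USB CF Reader USB Device
2 USB Generic USB SD Reader USB Device
"""

# A data row starts with the numeric Index, then InterfaceType, then the rest.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")


def parse_diskdrive(text):
    """Parse pasted Win32_DiskDrive rows (index, InterfaceType, model, size)."""
    drives = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header line, blank line, or console banner
            continue
        index, iface, rest = m.groups()
        tokens = rest.split()
        size = None
        # Heuristic: Size is a trailing all-digit token. A model name that
        # itself ends in digits on a row with no Size would be misread.
        if len(tokens) > 1 and tokens[-1].isdigit():
            size = int(tokens.pop())
        drives.append({"index": int(index), "interface": iface,
                       "model": " ".join(tokens), "size": size})
    return sorted(drives, key=lambda d: d["index"])


def without_media(drives):
    """Entries that reported no Size, e.g. empty card-reader slots."""
    return [d for d in drives if d["size"] is None]


if __name__ == "__main__":
    for d in without_media(parse_diskdrive(SAMPLE)):
        print(f"PhysicalDrive{d['index']}: {d['model']} ({d['interface']}) has no size")
```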
After running wmic, I got this response:
Index InterfaceType Model Size
0 IDE Maxtor 5A300J0 300000637440
1 SCSI IBM IC35L036UWD210-0 SCSI Disk Device 36701199360
2 SCSI Promise 1+0 JBOD SCSI Disk Device 123519029760
3 SCSI Promise 1+0 JBOD SCSI Disk Device 123519029760
4 SCSI Promise 1+0 JBOD SCSI Disk Device 123519029760
5 USB GENERIC USB Storage-CFC USB Device
7 USB GENERIC USB Storage-mmc USB Device
8 USB GENERIC USB Storage-MSC USB Device
6 USB GENERIC USB Storage-SDC USB Device
9 USB SanDisk Cruzer Mini USB Device 1019934720
10 USB WDC WD25 00JB-00EVA0 USB Device 250056737280
I am running version 0.5 LE. I still get nothing when selecting physical disk. The USB device was there momentarily, but then disappeared. I will reboot to see if this fixes it and I'll let you know.
Sr. Digital Forensics Instructor
Fairfax, VA 22030
Rebooting fixed the problem. I have been testing this and one disk gave me a BSOD, while another one booted up fine.
A question for you all (because I am new to Live View):
Does Live View provide any write protection? If not, what is the recommended method for write protection?
Sr. Digital Forensics Instructor
Fairfax, VA 22030
Live View does not write any data to your disk or image. See the discussion in the FAQ here:
You can also put your images on a hardware write blocker for an added layer of protection.
We are aware of one problem that causes blue screens when booting some images. We are currently testing the fix and will release it in the near future as 0.5.1. Feel free to let us know whether the fix worked for your image that blue screened with 0.5.
I have tried 0.6 and 0.7b and I have the same problem. (No disks displayed in dropdown) Any help would be appreciated.
I have used LiveView 07b and 08.RC1 for a long time, and it works fine. LiveView can generate the vmx config and snapshot for you. If you attach your physical disk to your PC or laptop and get a drive letter, LiveView should identify your physical disk. Is your physical disk a bootable disk (OS installed)? If LiveView does not recognize your bootable disk, you can create an image from it and try to mount. See what is going on and maybe you could get more clues by doing so.