Help save net neutrality! Learn more.
Close

Clone/Snapshot

Don Sauer
2008-03-17
2013-04-23
  • Don Sauer

    Don Sauer - 2008-03-17

    quick question, is there a way to snapshot the physical drive in Liveview without doing a full bit-to-bit of the partion ? Basically, I'm wanting to send the image to other sections but on smaller media than the orginal. I've got a couple work arounds and I'm adjusting standard builds to accompidate, but those take more time and I want to ensure I am not missing something. I have a full image thru a write blocker, just looking at an easier way to get to groups that want to conduct analysis. Currently we use a network drive and it works but uses a lot of drive space. Thxs.

     
    • Matthew Geiger

      Matthew Geiger - 2008-03-18

      Hi Don,

      I'm not sure I completely understand your goals. But, taking a guess at them, you can alter the vmx file to permit snapshots, but it's not recommended because you could enable writing to the original disk image under some circumstances. 

      You can effectively distribute the already "snapshotted" VM that Live View creates by distributing all the files in the directory you created for the virtual machine, together with the original disk image. However, this will -- obviously -- be bigger than the original disk image alone. (And you will probably need to hand-edit some paths in the vmx and vmdk files).

      What is sounds like you may want, is to adjust the vmdk to point to the original disk image on, say, a read-only network share (accessible by all your target users) and then send the VMware config and virtual disk files from the VM's directory to other users. The files may need paths edited, but then your users could run their own "cloned" VMs for analysis based on the source disk image.

      Hope this helps,
      Matthew

       
    • Don Sauer

      Don Sauer - 2008-03-20

      my goal was to find a quicker way to create a disk image if I had started Liveview using a physical drive and then needed to capture the image after initial review. What I do now is review it then capture it with ghostcast and copy it down and then generate another Liveview and then distribute the img and 2nd generated vm to the necessary group. Thxs.

       
      • Matthew Geiger

        Matthew Geiger - 2008-03-21

        Hmm. Depending on whether I have a correct picture of your environment in my head, the only way I can see of speeding up the process is if the group has access to the initially created disk image via a network share. If so, you could then just send them a VM config package set up to point to that shared image, rather than send the image and the VM config files.

         
    • Ralf Moll

      Ralf Moll - 2009-04-02

      Hi Don,

      you just have to create snapshots and clone the VMs.

      Have a look:

      * Make VMware take snapshots of Live View created VMs:
      http://www.forensic-geeks.org/PCs_virtualisieren/Workshop_IMF_2007/810_VMware_Tuning

      * Do full clones:
      http://www.forensic-geeks.org/PCs_virtualisieren/Workshop_IMF_2007/840_VMware_Portable

      Most times the clones are smaller than dd-images, because VMware copies only used diskspace.

      Any Comments?
      Reply here and to ralf.moll@lka.bwl.de

      Ralf

       

Log in to post a comment.