• What is Live View?
• Wont Booting The Image Destroy Evidence?
• How Do I Run Live View?
• What Image Formats Does Live View Handle?
• What Types of Imaged Systems Can Be Booted?
• What if I Only Have an Image of the Bootable Partition and Not the Entire Disk?
• Does Live View Handle Split Images?
• Does Live View Support Dual Boot Images?
• What Do I Need To Run Live View?
• How Do I Make The Virtual Machine Feel Less Sluggish?
• Why Can't I Access The Internet From The Virtual Machine?
• How Can I Transfer Files To And From The Virtual Machine Without Internet Access?
• Why Am I Being Asked To Install Drivers for New Hardware?
• Why Am I Being Asked To Activate The Target OS?
• How Do I Remove All My Changes And Start From Scratch Again?
• I Have a Feature Request, Who Do I Contact?
• Does Live View Require Admin Privileges To Run?

What is Live View?

• Live View is a tool that allows disk images or physical drives to be booted up in a virtual machine and examined in a forensically sound manner.

Won't Booting The Image Destroy Evidence?

• No, Live View redirects all changes to a scratch file leaving the original image untouched. Live View works just fine on images set as read-only and will even alert the user if the image they are booting is not set as such. One can also run a cryptographic checksum on the image before and after booting with Live View to verify the integrity of the evidence.

How Do I Run Live View?

• First install Live View by double-clicking the installer. It will check your system for all of the requirements and install them as necessary. When the installation completes, you should be able to simply double-click the Live View icon on your desktop to start the program.

What Image Formats Does Live View Handle?

• Live handles exact bit-for-bit (raw) images of disks such as those created with 'dd'. Live View is also capable of booting physical disks (not images) attached to the computer directly or via a USB or FireWire bridge. Other image formats (such as EnCase) are not directly supported, but can be booted as physical disks with the use of third party image mounting software such as Mount Image Pro or Physical Disk Emulator. Images can also often be converted to standard bit-for-bit images. For example, the FTK Imager http://www.accessdata.com/support/ can convert Encase images into a standard DD image for use with Live View.

What Types of Imaged Systems Can Be Booted?

• Windows Server 2008
• Windows Vista
• Windows XP
• Windows 2000
• Windows Server 2003
• Windows NT (Partial Support)
• Windows Me
• Windows 98
• Linux (Partial Support)

• While the above has been verified, we have both a limited set of hardware and system images with which to test Live View. We would love receive your feedback on what types of images have worked, failed, and what types you would like to see supported in the future.

What if I Only Have an Image of the Bootable Partition and Not the Entire Disk?

• No problem. Live View will automatically detect this and build a Master Boot Record for your partition allowing it to boot.

Does Live View Handle Split Images?

• Yes, simply select all of the chunks in the browse dialog by using Ctrl + Click. Live View sorts the chunks by their file extensions so be sure that the chunks have either numerically or alphabetically ordered file extensions.

Does Live View Support Dual Boot Images?

• Yes, there is full support for the primary operating system on the machine and partial support for the secondary operating system. If you need to boot the secondary OS, simply choose the primary OS in the Live View dropdown menu and wait for the OS selection screen to come up while the system is booting. From there, select to boot the secondary OS. In some cases, you may experience a blue screen error which will be fixed once full dual boot support is implemented.

What Do I Need To Run Live View?

• VMware Server 1.x Full Install* (Free Download) or VMware Workstation 5.5+ (30 Day Trial)
• Java Runtime Environment (http://www.java.com/getjava/)
• VMware Disk Mount Utility, part of the VDDK (http://www.vmware.com/support/developer/vddk/)
• A Microsoft Windows Machine (XP, 2000, 2003, Vista, 2008, etc)
• Some Bit-for-Bit Disk Images

How Do I Make The Virtual Machine Feel Less Sluggish?

• Virtual Machines are inherently slower than their hardware counterparts. You can, however, make them feel more responsive by installing VMware Tools. To do so, wait until the Virtual Machine boots and then from the VMware Menu select VM->Install VMware Tools. This will require a reboot of the VM.

Why Can't I Access The Internet From The Virtual Machine?

• The virtual Ethernet device is purposely disabled to prevent any malware on the virtual machine from spreading or communicating with external hosts once the image has booted.

How Can I Transfer Files To And From The Virtual Machine Without Internet Access?

• One way to transfer files between the Virtual Machine and host computer is to install VMware Tools. To do so, wait until the Virtual Machine boots. On the VMware menu, click VM->Install VMware Tools. Follow the installation wizard to completion. When the installation finishes, you will be required to reboot the Virtual Machine. For quick one time copies, a USB storage device is probably the most convenient option. Insert the device while the Virtual Machine has the focus and on the VMware menu, click VM->Removable Devices->USB Devices and select your USB device. You should also be able to read and transfer files from the CD Drive inside the virtual machine.

Why Am I Being Asked To Install Drivers for New Hardware?

• Operating Systems typically install drivers for the specific set of hardware on which the OS was originally installed. Similar to taking the disk out of one system and booting it up inside a system with different hardware, a virtual machine's virtual hardware will not often match the hardware on which the system was originally installed. For this reason, the OS will attempt to install the missing drivers for that new hardware. If you are prompted for an install CD you may be able to simply hit cancel and continue booting.

Why Am I Being Asked To Activate The Target OS?

• Windows activation is often triggered by "significant" hardware changes in the machine. Weights are assigned to various pieces of hardware and thresholds are set for things like RAM size to determine what is considered a change worthy of requiring reactivation. When booting the target image, Windows may detect VMware's virtual hardware (or lack thereof in the case of the NIC) as a significant hardware change and may require reactivation to log in. For most systems you will be given a grace period which can subsequently be reset an infinite number of times by re-launching the machine "from scratch." Some systems (such as XP without any service packs) may provide no grace period in which case you may need to reactivate the OS. Also, by setting the input parameters for Live View (such as RAM size) to match the original hardware as closely as possible, you may decrease the probability of triggering the Windows activation process. More information about Windows activation can be found in the Microsoft Product Activation FAQ.

How Do I Remove All My Changes And Start From Scratch Again?

• If you are working on a system and decide you would like to revert back to the original, click the red stop button in the VMware window and close VMware. Go back to Live View and enter in the new options you would like to use and hit the start button. When prompted to continue where you left off or start over, simply select start over and the original image will boot back up without all of the changes that you made while working with it previously.

I Have a Feature Request, Who Do I Contact?

• We would love to hear your feedback on what is useful, what needs to improve, and what you would like to see in future releases of Live View. The best way to make such reqests is to post to the Forums. You may also Email your requests and comments to the addresses on the Contact page

Does Live View Require Admin Privileges To Run?

• Yes, unfortunately Live View requires Administrator privileges to run. This is because it performs a number of necessary admin only operations (i.e. temporarily loading and unloading registry hives on the host system) in preparing an image to boot in the virtual environment.

* Server 2.x is NOT supported currently.