Tuesday, April 24, 2012

ShadowKit - Working with Disk Images

Guide v1 - Mounting an image.

The easiest and best way to access Windows 7's Volume Shadow Copies with ShadowKit is a three-step process that should work in 9 out of 10 cases.

Step 1
Export your image to a single raw image file (aka dd). Do not split the file into segments. Creating a single raw image can be done using numerous tools such as FTK Imager or EnCase, among others. Just don't be a dope and try to make a single dd image on a FAT32 partition (FAT32 cannot hold a file larger than 4 GB).
*Why a single dd? See Tip 3 below.

Step 2
Run vhdtool.exe (free from Microsoft). This will alter the image, so back it up if you want an unaltered version. vhdtool.exe will insert/append a footer into your image so that it will now be recognized as a VHD image format by Windows 7.

The command to convert the image will look something like this:
"vhdtool.exe /convert image.dd"

Step 3
Mount the image by opening up the Management Console -> Disk Management. Wait about 10-20 seconds for Disk Management to load up all the info about the current drives; until then the VHD features will be greyed out (not selectable).
*If you don't like my guide for mounting VHD files there are numerous others available on the web.

Attach the image by right-clicking on Disk Management and selecting Attach VHD. Be sure to check “Read-Only”.

Voilà, the image is mounted and ready to be used in ShadowKit.
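
Step 2 warns that vhdtool.exe alters the image. The Python below is an added example, not part of the original guide or of ShadowKit: it checks that the converted file ends in a valid fixed-VHD footer and that the original image bytes still hash to the value recorded before conversion. It assumes the footer is the standard 512-byte one from Microsoft's VHD format specification; the function names and the sample data in demo() are constructed for illustration.

```python
import hashlib, os, struct, tempfile

FOOTER_LEN = 512  # assumption: standard footer size from Microsoft's VHD spec

def parse_vhd_footer(footer: bytes) -> dict:
    """Parse and validate the trailing 512-byte VHD footer (big-endian fields)."""
    if len(footer) != FOOTER_LEN or footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie at end of file")
    current_size, = struct.unpack(">Q", footer[48:56])
    disk_type, stored = struct.unpack(">II", footer[60:68])
    # Checksum: one's complement of the byte sum with the checksum field zeroed.
    calc = ~sum(footer[:64] + footer[68:]) & 0xFFFFFFFF
    return {"current_size": current_size, "fixed": disk_type == 2,
            "checksum_ok": calc == stored}

def sha256_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes, read in 1 MiB chunks."""
    h, left = hashlib.sha256(), length
    with open(path, "rb") as f:
        while left > 0:
            chunk = f.read(min(1 << 20, left))
            if not chunk:
                raise ValueError("file shorter than the original image")
            h.update(chunk)
            left -= len(chunk)
    return h.hexdigest()

def verify_converted(path: str, orig_sha256: str, orig_size: int) -> dict:
    """Check the footer and confirm the evidence bytes are unchanged."""
    with open(path, "rb") as f:
        f.seek(-FOOTER_LEN, os.SEEK_END)
        info = parse_vhd_footer(f.read(FOOTER_LEN))
    info["data_unchanged"] = sha256_prefix(path, orig_size) == orig_sha256
    return info

def demo() -> dict:
    """Constructed sample: a 4 KiB stand-in image plus a hand-built footer."""
    data = os.urandom(4096)
    footer = bytearray(FOOTER_LEN)
    footer[:8] = b"conectix"
    struct.pack_into(">Q", footer, 48, len(data))   # current size
    struct.pack_into(">I", footer, 60, 2)           # disk type 2 = fixed
    struct.pack_into(">I", footer, 64, ~sum(footer) & 0xFFFFFFFF)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as f:
        f.write(data + footer)
    try:
        return verify_converted(f.name, hashlib.sha256(data).hexdigest(), len(data))
    finally:
        os.unlink(f.name)
```

Record the SHA-256 and byte length of image.dd before running vhdtool.exe, then pass both to verify_converted() afterwards.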

Some Tips

Tip 1
When you run ShadowKit you will see a drop-down with a list of computer names associated with the Shadow Copies. You can choose to filter out local shadow copies if you wish to avoid annoyance/confusion: after clicking the check box, just choose refresh from the menu and local shadows will not be shown.

Tip 2
If you already have ShadowKit running before mounting an image, just select refresh from the menu bar at the top.

Tip 3
Mounting an image with FTK Imager or MountImagePro will not work properly. Has anyone tested this with EnCase modules?

Tip 4
When you are done using the mounted VHD you can un-mount the image through Disk Management.
