2011
03.10

Caveat: While I have verified this technique to be forensically sound by MD5 and SHA1 hash comparisons, I make no guarantees that this technique would be permitted in a court of law. You should consult your attorneys before using this technique with evidence that is, or may become, part of a legal investigation.

Recently I had a need to boot a hard drive that my department received as part of an internal investigation. The drive was large, and although I could have created a bit-for-bit image of the disk with DD, I did not have the storage space available. Also, creating images of large disks is very time consuming. So, I set out to find a way to boot the hard drive as read-only media with the changes being written either to memory or to a temporary location. VirtualBox turned out to have the exact tools that I needed to accomplish this task, and so, here is a quick write-up on how to do just that.

IMPORTANT: Before you connect your physical media (USB/IDE/SATA/etc), make sure your host OS is configured to NOT automount the media! Even a read-only mount can alter the disk (for example by replaying a journal), which would change its hash before you have started.

Instructions on how to create a VBox guest from physical media without writing changes to the physical media (forensically sound)

  1. Step 1. – This write-up assumes the host OS is Linux. You will need to add the user who launches VirtualBox to the “disk” group so that VirtualBox can open the raw block device. You can do that with this command:
    sudo usermod -a -G disk <username>
    Note: The user will need to log off and log back on for the group change to take effect. Membership in the disk group grants raw read and write access to every block device on the host, which is effectively root, so use a dedicated analysis account rather than your everyday one.
  2. Step 2. – Create a VMDK file that points at the physical disk and register it in VBox with the following command:
    VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/sda -register
    Note: Path to new VMDK file must be absolute.
  3. Step 3. – *IMPORTANT* Before you create the VM guest with this new VMDK as a virtual disk, you must set the disk type to immutable so that every write the guest makes goes to a differencing image instead of being written back to the physical disk.
    VBoxManage modifyhd <VMDK file> --type immutable
  4. Step 4. – Create the VM and attach the new VMDK disk in the Virtual Media Manager as its primary (boot) disk. Here you can configure all the other options as you would while creating a normal VBox guest.
  5. Step 5. – (Optional but recommended) By default an immutable disk’s differencing image is discarded every time the guest is powered on (autoreset is ‘on’). If you want the changes you make while booted into the VM guest to persist across boots, you will need to set autoreset on the differencing disk to ‘off.’ This is important if you need to make changes to the system before it will boot cleanly (i.e. blanking out the admin password or disabling drivers that cause the system to crash). VirtualBox creates the differencing disk when the guest is first powered on, so if ‘list hdds’ does not show one yet, boot the guest once and then run these commands:

    First you must identify the UUID of the differencing disk.
    VBoxManage list hdds
    The differencing disk will have a parent UUID which is the same as the UUID of the VMDK disk you created earlier. Once you locate the UUID of the differencing disk, execute this command to change the autoreset value:
    VBoxManage modifyhd <UUID> --autoreset off
  6. Step 6. – Boot your VM Guest and go!
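The six steps as one shell script, added here and not part of the original post. It adds two checks that the post only describes in prose (a SHA-1 of the device before and after the session, and finding the differencing image by its Parent UUID) and one the post does not mention (blockdev --setro, which makes the kernel refuse writes to the device regardless of what VirtualBox does). The device path /dev/sdb, the VMDK path under /forensics, the VM name evidence-vm and the WindowsXP guest type are placeholders I chose; override them through the environment. Step 1 (the disk group) is not scripted: the script expects to run as root.

```shell
#!/bin/sh
# Added example, not code from the original post: Steps 1-6 above as one
# script, plus a pre/post SHA-1 of the device, a mount check, a kernel-level
# read-only flag on the device, and parsing of "VBoxManage list hdds" to
# find the differencing image by its "Parent UUID".
# Hypothetical values (override via the environment): evidence disk
# /dev/sdb, VMDK /forensics/evidence.vmdk, VM name "evidence-vm".
# Usage (as root, with the disk NOT automounted):  ./vbox-ro-boot.sh run
set -eu

DEV="${DEV:-/dev/sdb}"                     # evidence disk (assumed)
VMDK="${VMDK:-/forensics/evidence.vmdk}"   # createrawvmdk needs an absolute path
VMNAME="${VMNAME:-evidence-vm}"
GUEST_OSTYPE="${GUEST_OSTYPE:-WindowsXP}"  # see: VBoxManage list ostypes

# SHA-1 of a device or file: first field of sha1sum output.
hash_of() { sha1sum "$1" | awk '{ print $1; exit }'; }

# stdin = /proc/mounts. True if $1 or any partition of it (same prefix,
# e.g. /dev/sdb1) is currently mounted.
is_mounted() {
  awk -v dev="$1" 'index($1, dev) == 1 { found = 1 }
                   END { if (found) exit 0; exit 1 }'
}

# stdin = output of "VBoxManage list hdds". Prints the UUID of every medium
# whose "Parent UUID:" equals $1. Each record lists "UUID:" before
# "Parent UUID:", so the last UUID seen belongs to the current record.
find_diff_uuid() {
  awk -v parent="$1" '
    $1 == "UUID:"                   { uuid = $2 }
    $1 == "Parent" && $2 == "UUID:" { if ($3 == parent) print uuid }
  '
}

forensic_boot() {
  if is_mounted "$DEV" < /proc/mounts; then
    echo "$DEV (or a partition of it) is mounted: disable automount first" >&2
    return 1
  fi
  blockdev --setro "$DEV"                  # kernel refuses writes from now on

  before=$(hash_of "$DEV")                 # slow on a big disk, but it is the proof
  echo "$before  $DEV" > "$VMDK.sha1-before"

  # Step 2: raw VMDK for the physical disk. Step 3: immutable, so all guest
  # writes land in a differencing image, never on $DEV.
  VBoxManage internalcommands createrawvmdk -filename "$VMDK" -rawdisk "$DEV" -register
  VBoxManage modifyhd "$VMDK" --type immutable

  # Step 4: minimal guest with the raw VMDK as its only, bootable disk.
  VBoxManage createvm --name "$VMNAME" --ostype "$GUEST_OSTYPE" --register
  VBoxManage modifyvm "$VMNAME" --memory 1024 --boot1 disk
  VBoxManage storagectl "$VMNAME" --name IDE --add ide
  VBoxManage storageattach "$VMNAME" --storagectl IDE --port 0 --device 0 \
      --type hdd --medium "$VMDK"

  # Step 6 first: the differencing image only appears once the guest has
  # been powered on. Wait here until the analyst powers the guest off.
  VBoxManage startvm "$VMNAME"
  until VBoxManage showvminfo "$VMNAME" --machinereadable | grep -q '^VMState="poweroff"'; do
    sleep 5
  done

  # Step 5: keep this session's changes (e.g. a registry fix) for later boots.
  base=$(VBoxManage showhdinfo "$VMDK" | awk '$1 == "UUID:" { print $2; exit }')
  diff=$(VBoxManage list hdds | find_diff_uuid "$base" | head -n 1)
  [ -n "$diff" ] || { echo "no differencing image with parent $base" >&2; return 1; }
  VBoxManage modifyhd "$diff" --autoreset off

  after=$(hash_of "$DEV")
  if [ "$after" != "$before" ]; then
    echo "HASH MISMATCH: before=$before after=$after" >&2
    return 1
  fi
  echo "device unchanged ($after); differencing image $diff is persistent"
}

if [ "${1:-}" = "run" ]; then
  forensic_boot
fi
```

The script runs Step 6 before Step 5 on purpose: the differencing image does not exist until the guest has been powered on, and since autoreset only discards it at the next power-on, switching it off after the first shutdown keeps that session's changes. The createrawvmdk -register flag is the one from Step 2; current VirtualBox releases no longer list it for createrawvmdk, and if it is rejected you can drop it, because storageattach registers the medium when it attaches it.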

Final Note: When booting Windows systems like this, you may encounter a BSOD caused by a problem with the intelppm.sys driver. You can boot the Windows VM into safe mode and disable the loading of this driver by modifying whichever of these registry keys is present:

  • HKLM\SYSTEM\CurrentControlSet\Services\Processor or
  • HKLM\SYSTEM\CurrentControlSet\Services\intelppm

Change the value of ‘Start’ to ‘4′ (SERVICE_DISABLED). With autoreset set to ‘off’ as in Step 5, this change is kept in the differencing disk for later boots and never touches the physical disk.