Live Boot FAQ
» What is Live Boot?
Live Boot is part of GetData's Forensic Explorer software (www.forensicexplorer.com). Live Boot, in concert with Mount Image Pro and VMWare can boot a forensic image or physical disk containing a Windows or Unix file system.
» Which Disk Formats are supported by Live Boot?
Live Boot currently supports:-
- Physical disks; and
- Forensic images in E01, EX01, DD or similar forensic format format.
Note: A disk or image must be mounted with Mount Image Pro (included with Forensic Explorer); and currently a forensic image must be of the physical disk and contain an MBR (images of logical volumes are not currently supported).
» Do you offer training/certification?
Yes. Live boot is covered in the 3 day Forensic Explorer Examiner course (see http://www.forensicexplorer.com/training.php).
» How do I get past a Windows logon?
In the Live Boot options window there is a check-box to bypass Windows passwords. The password is replaced with a blank, so you will need to login via the user icon and hit enter to submit the blank password. Note that more complex Windows 8 and Windows 10 passwords cannot be currently by-passed.
There is also the option to boot via an ISO image, so other programs, including password cracking tools can be run over the virtual machine.
» Can I get a trial version?
Yes. Contact us for a 60 day dongle and an online demonstration.
» What Operating Systems can be booted?
Live Boot has been tested on Windows versions from Windows 95 to Windows 10.
» What do I need to run Live Boot?
- Forensic Explorer full version (dongle activated);
- Mount Image Pro;
- VMWare Workstation or VMWare Player (free for non commercial use).
Visit the download page to download the setup files.
Forensic Explorer and Mount Image Pro should be run with administrator level privileges.
It is recommended that Forensic Explorer Live Boot be run on a PC with at least 8GB of RAM.
» Do I need to have Mount Image Pro?
Yes. Live Boot will only work with Mount Image Pro. A license for Mount Image Pro is included on your Forensic Explorer dongle.
» How Do I Use Live Boot?
Live Boot is simple to use. Follow the instructions in this Quick Start Guide, or refer to the Forensic Explorer User guide for more information.
» What limitations does Live Boot have?
Live Boot will successfully boot almost all disks that contain a valid Windows file system. The password bypass may not be successful on Windows computers with more complex passwords seen in Windows 8 and Windows 10.
» Will booting an image with Live Boot alter the evidence?
No. In the background Mount Image Pro is dynamically caching disk writes. The original forensic image files cannot be changed.
IMPORTANT: In accordance with standard forensic practice, physical disks must be hardware write blocked before connection to your forensic workstation.
» Is it possible to boot an image of a logical Windows volume, e.g. an image of the C:\ drive?
No. Live Boot currently supports the boot of a physical disk image only (an MBR must be present). Logical partition boot is under development.
» Does Live Boot support multi-boot systems?
No. Multi boot support will be added in the future.
» Can I access the Internet from the New Virtual Machine?
No. Live Boot disables by default the ability for the virtual machine to access the internet. Advanced users can reconfigure this option but it is not recommended.
» Can I transfer data between the New Virtual Machine and my own System?
Yes. The most common way of doing this is to install VMWare tools. One of the functions is the ability to copy files from the host to the virtual machine. There is also the option in Live Boot to add multiple disks into a Live Boot session. Not only can this be used to add additional disks from the suspects machine, but it can also be used as a means by which you can quickly make a suite of your own tools available inside the VMWware session.
» I am prompted to activate Windows?
Older versions of Windows may prompt you for activation. There are tips and techniques well published online to help you address this problem.
» I need support!
We are happy to work with you to solve any issues. Please get in touch with GetData via the contact links on this page.
» I am looking for VFC by MD5?
GetData no longer sell VFC by MD5. Contact firstname.lastname@example.org.