Quick Start Guide

Quick start Guide for virtual forensic computing with Forensic Explorer Live Boot

Follow this quick start guide of boot a forensic image file. A video of this process is available here: https://youtu.be/cVe1b5-j85M. For more information see chapter 27 of the Forensic Explorer User Guide installed with the software or available here.

Getting Ready

  1. Download and install Forensic Explorer from www.forensicexplorer.com/download.php (full dongle version only).
  2. Download and install Mount Image Pro from www.mountimage.com. A reboot is required.
  3. Download and install VMWare Workstation or Player from https://my.vmware.com/web/vmware/downloads.

To Live Boot a Forensic Image

  1. Run Forensic Explorer with administrator user permissions.
  2. In the Evidence module, click the Add Image button to select and add the forensic image file. Click OK in the Evidence Processor window to add the evidence.
  3. Change to the File System module and ensure that the file system (the file and folder structure) of the image is displayed.
  4. In the toolbar of the File System module, click the Live Boot button. The Live Boot Options window will open:

  5. Live Boot Options

  6. In the Boot Options tab, check the Detected OS to determine if a Windows Operating System has been located for the image file.
  7. In the Settings tab, check that VMWare and Mount Image Pro paths are correctly displayed.
  8. From the Boot Options tab, click OK to launch Live Boot. Monitor the progress bar to determine the status of the launch. Mount Image Pro will automatically run and mount the image file:

  9. Mount Image Pro

  10. Then the virtual machine will launch:

  11. Live Boot Running in VMware

  12. If the bypass passwords option was selected, click on a Windows user account and log in using a blank password.