Evidence Hard Drive Restore and Mount via EnCase & VMware
Issue: Results are mixed when using PDE mount with VMware. This alternative applies when the
primary PDE mount method fails.
Create a standard (typical) WinXP Pro image in VMware (latest version), then select
"Edit virtual machine settings".
Choose Add and select Hard Disk. This second blank drive will receive the restore image from EnCase.
Change the "Disk size (GB):" value to a size larger than the evidence drive to be restored.
Add the newly created blank destination drive as the second IDE on your virtual forensic box.
Start the virtual machine.
NOTE: EnCase in the virtual machine does not see the EnCase dongle on the host and will start in
Acquisition mode. A parallel dongle is seen when the parallel port is enabled on the virtual image.
Install the HASP drivers on the virtual machine.
Select removable settings as noted below and select the USB EnCase HASP dongle.
VMware will switch control of the HASP to the virtual machine. EnCase will no longer have
full functionality on the host system until the VM is shut down or the USB is virtually unplugged.
EnCase is now fully functional in the VM box.
Enter the VM Settings… menu and establish a shared connection to the drive and folder
holding your .e0* image.
Prepare to load the image in the virtual EnCase.
Now that the image is loaded and verified, start the restore process.
Select the blank virtual drive created earlier.
Once the restore is completed, create a new virtual machine specific to the restored OS and select
the imaged .vmdk disk as the primary IDE. Start the new VM and you are good to go
(most of the time).