Create Virtual Machine from Encase image

First make sure your disk image is in raw format. Either Encase already stores it in raw format or it will be able to export it in raw format.

For VirtualBox you can use the vboxmanage command with the convertfromraw option. This converts your disk image to a format that is readable for VirtualBox.

Make sure you always mount a copy of your image in a real or virtual machine, so your original image isn't compromised.

Next you can create a virtual machine using the converted image as primary disk (to boot from it) or use any forensics OS and mount the disk in the VM for further inspection.

Finally I found three links that might be useful:

  • VirtualBox running Encase file
  • VirtualBox - convert RAW image to VDI and otherwise
  • Mounting E01 images of physical disks in Linux Ubuntu 12.04
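
The steps described above (make a copy of the raw image, confirm it matches the original, then run convertfromraw on the copy) as an added shell example that is not part of the original answers. File names are hypothetical, and sha256sum is assumed to be available.

```shell
#!/bin/sh
# Added example: work on a verified copy of a raw image, then convert the copy.
# All file names used here are hypothetical.

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Copy the raw evidence image and confirm the copy is bit-identical.
# Prints the shared digest on success; returns non-zero on any problem.
make_working_copy() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "no such image: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    before=$(sha256_of "$src") || return 1
    cp -- "$src" "$dst" || return 1
    copied=$(sha256_of "$dst") || return 1
    after=$(sha256_of "$src") || return 1
    # The original must be unchanged and the copy must match it.
    if [ "$before" != "$copied" ] || [ "$before" != "$after" ]; then
        echo "hash mismatch, discard $dst" >&2
        return 1
    fi
    echo "$before"
}

# Convert the working copy (never the original) to VDI for VirtualBox.
convert_copy_to_vdi() {
    raw=$1; vdi=$2
    command -v VBoxManage >/dev/null 2>&1 || { echo "VBoxManage not found" >&2; return 2; }
    VBoxManage convertfromraw "$raw" "$vdi" --format VDI
}

# Usage: sh convert.sh evidence.dd working.dd working.vdi
if [ "$#" -eq 3 ]; then
    make_working_copy "$1" "$2" && convert_copy_to_vdi "$2" "$3"
fi
```

Record the printed digest with the case notes so the working copy can be tied back to the original image later.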

To do virtual reconstruction (using an existing .e01 or .dd/.img), I do the following:

  • Use AccessData's FTK Imager (version 3 or later) to mount the image (windoze), or you can use Mount Image Pro to do the same.
  • To convert a raw image to vmdk, I have used the following tool and it works well - http://sourceforge.net/projects/raw2vmdk/ (FYI, to do the opposite, convert vmdk to dd.
  • You can use VFC (Virtual Forensic Computing - http://www.virtualforensiccomputing.com/), which will create the virtual image for you. Depending on partition layout, find the active boot partition. Generate the VM and then you can open the .vmx using VMware Player or Workstation.
  • This will allow you to convert the .e01 or dd/img image into a .vmdk, boot it up using VMware, and then do application analysis on any app you want via the reconstructed .e01 to .vmdk.