Create a deaddisk configuration (remapping) file, which can then be used to run
a virtual client with the --remap flag.
The deaddisk command currently only supports Windows disk images and folders.
deaddisk [<flags>] <output>
Create a deaddisk configuration
    --hostname="Virtual Host"  The hostname to impersonate
    --add_windows_disk=ADD_WINDOWS_DISK
                               Add a Windows Hard Disk Image
    --offset=-1                The offset of the partition inside the disk
    --add_windows_directory=ADD_WINDOWS_DIRECTORY
                               Add a Windows mounted directory
Args:
    <output>  Output file to write config on
For this command, either --add_windows_directory or --add_windows_disk is
required.
Examples:
    velociraptor deaddisk --add_windows_disk ./WinDev2404Eval.vmdk remapping.yaml
or
    velociraptor deaddisk --add_windows_directory /media/mnt/windows_c_drive/ remapping.yaml
and then
    velociraptor client -c ./client.config.yaml --remap ./remapping.yaml
See Dead disk Forensics for more information.