Sunday, September 27, 2015

Mounting NTFS .vmdk file in Linux for Forensic Analysis

Okay, so my forensics is a little rusty and this one left me scratching my head.

Here's the scenario:  I have a Windows Vista VMWare virtual machine with the disk drive broken into multiple .vmdk files, which I wanted to mount in a Linux VM for forensic analysis.  Things started off easily enough . . .

Step 1: Combine .vmdk files into one using VMWares' Virtual Disk Development Kit tool, vmware-diskmanager.  This comes included (I think) with VMWare Workstation and Fusion.  I had to pull down the free VDDK from VMWare.  I did this on a Windows box, but you could do it in Linux as well.

c:\> c:\VDDK\bin\vmware-vdiskmanager.exe -r <path to master .vmdk file> -t 2 <full path to target location, with filename>


c:\> c:\VDDK\bin\vmware-vdiskmanager.exe -r ...\Desktop\VistaVM\VirtualDisk.vmdk -t 2 ...\Desktop\temp\Vista.vmdk

Step 2: Convert monolithic .vmdk to raw disk image file using qemu-img (on Linux system).  First I copied the file over to a Linux VM, the issued the following:

# qemu-img convert -O raw /media/thumbdrive/Vista.vmdk  ~/images/diskimg.raw

At this point I thought I could mount the drive . . .

# mount -o loop,ro,show_sys_files,streams_interface=windows -t ntfs /root/diskimg.raw /mnt/windows_mount

NTFS signature is missing.
Failed to mount '/dev/loop2': Invalid argument
The device '/dev/loop2' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

Hmmm . . . no luck.  I tried a couple of other things (tried to use kpartx to split out partitions and used ntfsck to check the health of the image file.  No love with either of those.

Then I hit upon the requirement to identify the location of the boot drive using the -offset flag in mount.  This is something I have done before, but again, my forensics is rusty.

Step 3: To find the offset, we must use fdisk to find start sector (mount point):

# fdisk -l diskimg.raw 

Disk diskimg.raw: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9eba1015

      Device Boot      Start         End      Blocks   Id  System
diskimg.raw1   *        2048    20969471    10483712    7  HPFS/NTFS/exFAT

So the boot device starts at sector 2048 and the sectors are 512 bytes in size.  The offset is, therefore, (2048 * 512) = 1048576.  Now we can go about mounting the dirve:

# mount -o loop,ro,show_sys_files,streams_interface=windows,offset=1048576 -t ntfs /root/diskimg.raw /mnt/windows_mount

And voila - the drive is mounted!  Now lets do some forensicating.

No comments:

Post a Comment