Here's the scenario: I have a Windows Vista VMWare virtual machine with the disk drive broken into multiple .vmdk files, which I wanted to mount in a Linux VM for forensic analysis. Things started off easily enough . . .
Step 1: Combine the .vmdk files into one using VMWare's Virtual Disk Development Kit tool, vmware-vdiskmanager. This comes included (I think) with VMWare Workstation and Fusion. I had to pull down the free VDDK from VMWare. I did this on a Windows box, but you could do it in Linux as well.
c:\> c:\VDDK\bin\vmware-vdiskmanager.exe -r <path to master .vmdk file> -t 2 <full path to target location, with filename>
e.g.:
c:\> c:\VDDK\bin\vmware-vdiskmanager.exe -r ...\Desktop\VistaVM\VirtualDisk.vmdk -t 2 ...\Desktop\temp\Vista.vmdk
Step 2: Convert the monolithic .vmdk to a raw disk image file using qemu-img (on a Linux system). First I copied the file over to a Linux VM, then issued the following:
# qemu-img convert -O raw /media/thumbdrive/Vista.vmdk ~/images/diskimg.raw
At this point I thought I could mount the drive . . .
# mount -o loop,ro,show_sys_files,streams_interface=windows -t ntfs /root/diskimg.raw /mnt/windows_mount
NTFS signature is missing.
Failed to mount '/dev/loop2': Invalid argument
The device '/dev/loop2' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?
Hmmm . . . no luck. I tried a couple of other things (I tried to use kpartx to split out the partitions, and used ntfsck to check the health of the image file). No love with either of those.
Then I hit upon the requirement to identify the location of the boot partition within the image and pass it to mount via the offset= option. This is something I have done before, but again, my forensics is rusty.
Step 3: To find the offset, use fdisk to find the partition's start sector:
# fdisk -l diskimg.raw
Disk diskimg.raw: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x9eba1015
Device Boot Start End Blocks Id System
diskimg.raw1 * 2048 20969471 10483712 7 HPFS/NTFS/exFAT
So the boot partition starts at sector 2048 and the sectors are 512 bytes in size. The offset into the image is, therefore, (2048 * 512) = 1048576 bytes. Now we can go about mounting the drive:
# mount -o loop,ro,show_sys_files,streams_interface=windows,offset=1048576 -t ntfs /root/diskimg.raw /mnt/windows_mount
And voila - the drive is mounted! Now let's do some forensicating.
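The same offset calculation done directly against the raw image, as an added example that is not part of the original post: it parses the MBR partition table the way fdisk does, checks for the "NTFS    " OEM ID at the candidate offset (its absence at byte 0 is exactly why the first whole-disk mount failed with "NTFS signature is missing"), and builds the mount command. The image is a constructed sample mimicking the post's layout (partition 1 at LBA 2048); the paths in the mount command are the post's.

```python
import struct

SECTOR = 512
NTFS_TYPE = 0x07  # MBR type id fdisk labels HPFS/NTFS/exFAT


def mbr_partitions(image):
    """Parse the four primary partition entries of an MBR from raw image bytes."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at bytes 510-511")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        status, ptype, start_lba, n_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and n_sectors != 0:
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "start_lba": start_lba, "sectors": n_sectors})
    return parts


def has_ntfs_signature(image, byte_offset):
    """True if the sector at byte_offset carries the NTFS boot-sector OEM ID (bytes 3..10)."""
    return image[byte_offset + 3: byte_offset + 11] == b"NTFS    "


def ntfs_mount_offset(image):
    """Return (byte_offset, mount command) for the first partition with a verified NTFS boot sector."""
    for p in mbr_partitions(image):
        off = p["start_lba"] * SECTOR
        if p["type"] == NTFS_TYPE and has_ntfs_signature(image, off):
            cmd = ("mount -o loop,ro,show_sys_files,streams_interface=windows,offset=%d "
                   "-t ntfs /root/diskimg.raw /mnt/windows_mount" % off)
            return off, cmd
    raise ValueError("no partition with a verified NTFS boot sector")


def build_demo_image():
    """Constructed sample image: partition 1 (type 0x07, bootable) starting at LBA 2048, as in the post."""
    img = bytearray((2048 + 1) * SECTOR)
    img[446:462] = struct.pack("<B3xB3xII", 0x80, NTFS_TYPE, 2048, 20967424)
    img[510:512] = b"\x55\xaa"
    boot = 2048 * SECTOR
    img[boot:boot + 11] = b"\xeb\x52\x90NTFS    "  # jump instruction + OEM ID of an NTFS boot sector
    return bytes(img)


if __name__ == "__main__":
    img = build_demo_image()
    print("NTFS signature at byte 0:", has_ntfs_signature(img, 0))  # False: the whole-disk mount fails
    off, cmd = ntfs_mount_offset(img)
    print("offset =", off)
    print(cmd)
```

Against a real image, read the file with open(path, "rb").read() (or memory-map it) and pass the bytes in; with a GPT-partitioned disk the MBR is only a protective entry of type 0xEE and this parser will not find the NTFS partition.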