Linux VM acquisition

(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

The case is about a suspicious system failure or disruption caused by an unauthorised system update. One of the pieces of evidence is a VM, as shown below. The flat vmdk is the real disk, and the vmdk of only 1 KB is just a descriptor. As you can see, there is no vmx. What would you do to find important clues inside this VM?

Mount that flat vmdk and export a disk image? It sounds good, but unfortunately forensic tools such as EnCase or FTK can add those vmdk files as evidence but cannot "see" what's inside the vmdk. Let's see if forensic tools can see another vmdk in my Linux VM. The OS of this VM is CentOS 7. I still got the same error as below. You guys could take a look at my blog to see what's going on.
http://www.cnblogs.com/pieces0310/p/5905510.html

 
Posted : 25/09/2016 8:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A flat vmdk is already a RAW image.
http://forensicswiki.org/wiki/VMWare_Virtual_Disk_Format_(VMDK)
http://sanbarrow.com/vmdk/disktypes.html
http://sanbarrow.com/vmdk-basics.html

jaclaz

 
Posted : 25/09/2016 6:47 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi Jaclaz,

Not that simple. You could use EnCase or FTK to add a Linux vmdk as evidence, and you will know what's going on.

 
Posted : 27/09/2016 10:52 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Is it a test VMDK or one from a case?
If the former, I would be interested in having a look at it.

 
Posted : 27/09/2016 1:24 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi Jaclaz,

Not that simple. You could use EnCase or FTK to add a Linux vmdk as evidence, and you will know what's going on.

EXACTLY that simple.

A flat vmdk is already a RAW image.
You DO NOT mount a RAW image to dd from it a RAW image, it makes NO sense whatsoever.
Of course you CAN do it, still it is a totally unneeded complication and a perfect way to lose time.
IF it is NOT a "flat" vmdk then it is another thing.

jaclaz

 
Posted : 27/09/2016 2:16 pm
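As an added illustration of the point above (this is example code, not from anyone in the thread): the small descriptor vmdk is a plain-text file whose extent line names the flat file and its size in sectors, so a few lines of Python can confirm that a "-flat.vmdk" is a raw disk image before it is added to a forensic tool. The file names and the 64-sector extent below are constructed for the example.

```python
import os
import re
import tempfile

SECTOR = 512
# Extent line of a VMDK descriptor: access, size in sectors, type, file name, optional offset
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(FLAT|SPARSE|VMFS|ZERO)\s+"([^"]+)"(?:\s+(\d+))?')

def parse_descriptor(text):
    """Return createType and the extent entries of a VMDK descriptor file."""
    info = {"createType": None, "extents": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        m = EXTENT_RE.match(line)
        if m:
            info["extents"].append({"access": m.group(1), "sectors": int(m.group(2)),
                                    "type": m.group(3), "file": m.group(4),
                                    "offset": int(m.group(5) or 0)})
        elif line.startswith("createType"):
            info["createType"] = line.split("=", 1)[1].strip().strip('"')
    return info

def verify_flat_extent(descriptor_path):
    """Check that a monolithicFlat descriptor points at a raw disk image of the stated size."""
    with open(descriptor_path) as fh:
        info = parse_descriptor(fh.read())
    ext = info["extents"][0]
    flat = os.path.join(os.path.dirname(descriptor_path), ext["file"])
    with open(flat, "rb") as fh:
        fh.seek(510)
        boot_sig = fh.read(2)  # 0x55AA marks an MBR (or the protective MBR of a GPT disk)
    return {"is_flat": info["createType"] == "monolithicFlat" and ext["type"] == "FLAT",
            "size_matches": os.path.getsize(flat) == ext["sectors"] * SECTOR,
            "mbr_signature": boot_sig == b"\x55\xaa"}

def build_sample(dirpath):
    """Constructed sample: a 64-sector flat extent carrying an MBR boot signature, plus its descriptor."""
    flat = os.path.join(dirpath, "centos7-flat.vmdk")
    with open(flat, "wb") as fh:
        fh.write(b"\x00" * 510 + b"\x55\xaa" + b"\x00" * (63 * SECTOR))
    desc = os.path.join(dirpath, "centos7.vmdk")
    with open(desc, "w") as fh:
        fh.write('# Disk DescriptorFile\nversion=1\ncreateType="monolithicFlat"\n'
                 '# Extent description\nRW 64 FLAT "centos7-flat.vmdk" 0\n')
    return desc

if __name__ == "__main__":
    print(verify_flat_extent(build_sample(tempfile.mkdtemp())))
```

If all three checks come back True, the flat file can be treated exactly like a dd image; a size mismatch or a missing boot signature is the cue to look at the descriptor again rather than at the forensic tool.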
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Apparently one individual has reading disabilities and needs to learn to be quiet.

unfortunately forensic tools such as EnCase or FTK could add those vmdk as evidence but could not "see" what's inside the vmdk.

To the OP

Use the proper tools to access VMDK files.

One way is to use this command to mount the VMDK file, then image it:
vmware-mount X: "C:\Path\To\File.vmdk"
More info
https://pubs.vmware.com/vsphere-50/topic/com.vmware.vddk.utils.doc_50/diskutils_mount.4.3.html
(Looks like it's part of vSphere Center)

You could also use the diskmount utility. This one is for Linux, but I think I saw one for Windows as well.
VMWare Diskmount utility (Linux)

Here is an old version for VMWare Workstation 5 you could try
https://my.vmware.com/web/vmware/details?productId=47&downloadGroup=WKST-550-DISK-MOUNT-UTL

If that doesn't work, get a trial version of Workstation (x64) for 30 days and you'll get the latest tool.

 
Posted : 28/09/2016 3:05 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

EnCase or FTK could add those vmdk as evidence but could not "see" what's inside the vmdk.

Well, I had a similar case last week (on Windows...) and was successful with the free FTK Imager. Just mount the physical disc and all partitions / logical drives inside get a unique drive letter automatically and are mounted read-only. AFAIK OSFMount is capable of this, too.

best regards,
Robin

 
Posted : 28/09/2016 3:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

AFAIK OSFMount is capable of this, too.

Yes and no.
OSFMount (like IMDISK) will mount the volume(s), not the PhysicalDrive (whole disk).

Arsenal Image Mounter (same author as IMDISK) is one tool suitable to mount the whole physical drive from a RAW image (or from a flat.vmdk, which is a RAW image) and all kinds of common VM disk formats (including all types of .vmdk's) through the use of the DiscUtils library:
https://arsenalrecon.com/apps/image-mounter/

In many cases there is no need to access "hidden sectors" and "unpartitioned space", but if there is this need, then you need a driver/tool capable of accessing the whole range and not just the partitioned space/volumes.

jaclaz

 
Posted : 29/09/2016 12:08 am