Qemu-img to convert from E01 to VMDK

8 Posts
3 Users
0 Likes
6,904 Views
(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Forensic Focus,

I am currently working on a case where I needed to convert an E01 file to a VMDK image. This is because we would like to replicate the issue by booting to the Windows Operating system.

I used the qemu-img tool of SIFT workstation
qemu-img convert -f raw -O vmdk /Volumes/Disk/rawdisk.img /Volumes/Disk/rawdisk.vmdk

It successfully converted to vmdk file.

However, when I try to boot the image with vmware 11, I am getting a blue screen error.

I've been trying all kinds of settings but keep on getting the same error.

I've also already tried converting to virtual box.

Any inputs will be appreciated.

Thank you so much forensic focus.

Regards,
BTForensics

 
Posted : 09/04/2017 10:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Well, you are using the "wrong" VM (or the "wrong" image). 😯

Basically 0x0000007b means "you are attempting to boot Windows without the appropriate driver for the boot hard disk" (the actual canonical message associated with it is "inaccessible boot device").

The VMware "virtual" hardware includes a specific type of (virtual) disk controller, your "real" hardware (the one on which the "real" disk actually booted) uses a different one.
Until - say - 2007 or 2008 (i.e. when disks were largely IDE/PATA) most "real" hardware images would boot without modifications in Qemu (whose virtual hardware includes a "normal" IDE/PATA disk controller). With the advent of SATA (and of VMs like VMware) it has become impossible (or very difficult) to do the same without using a P2V tool (Physical to Virtual), which more or less does three things:
1) removes the current hard disk controller driver from the (offline) image
2) injects the appropriate hard disk controller driver for the specific VM
3) generalizes (if needed) or disables other needed boot-time drivers and/or changes the HAL

Which EXACT version of the "Windows Operating System" is it?

jaclaz

 
Posted : 09/04/2017 11:10 pm
(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Jaclaz,

As always, thank you for your very informative response.

The operating system of the machine is "Windows Server 2008 R2 Enterprise SP x64".

I am currently checking the P2V tool that you mentioned.

Thank you Jaclaz, Forensic Focus!

Regards,
BTForensics

 
Posted : 09/04/2017 11:41 pm
(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Jaclaz,

The P2V tool worked! Thank you so much for your help! you rock!

Regards,
BTForensics

 
Posted : 10/04/2017 12:16 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hi Jaclaz,
>
> The P2V tool worked! Thank you so much for your help! you rock!
>
> Regards,
> BTForensics

Good. :)
Which specific tool did you use? (just for the record, so that other people in the same situation may repeat your success)
In the specific case of 2008 R2 (and 7), most probably it could also be done "by hand" since the driver is in the OS and it needs only to be "activated" by modifying a Registry entry
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1005208
though doing it "offline" is probably still a bit "tricky".

jaclaz

 
Posted : 10/04/2017 12:45 pm
(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Jaclaz,

I used VMware P2V(Physical to Virtual) tool.
http://www.vmware.com/products/converter.html

Thanks again for your help!
BTforensics

 
Posted : 11/04/2017 11:03 pm
(@abelchew)
Posts: 1
New Member
 

Hi btforensics,

How do you go about mounting the E01 to VMware vCenter Converter? Did you mount it using FTK Imager? Because I am unable to find the physical drive when I view it in vCenter.

Kindly assist.

 
Posted : 19/12/2017 9:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hi btforensics,
>
> How do you go about mounting the E01 to VMware vCenter Converter? Did you mount it using FTK Imager? Because I am unable to find the physical drive when I view it in vCenter.
>
> Kindly assist.

NO E01 image was mounted.

The E01 was seemingly (before and outside this thread) converted to RAW, and then converted to .vmdk

> I used the qemu-img tool of SIFT workstation
> qemu-img convert -f raw -O vmdk /Volumes/Disk/rawdisk.img /Volumes/Disk/rawdisk.vmdk
>
> It successfully converted to vmdk file.

and later this .vmdk was modified to boot in the VM by the P2V tool.

This last passage is only needed if you actually want to boot the image in the VM; otherwise all you need is the conversion (via qemu-img, VirtualBox or similar) of the RAW to vmdk, or creating a .vmdk descriptor, which you can do even manually:
https://www.forensicfocus.com/Forums/viewtopic/t=15861/

You can mount the E01 in FTK Imager, or in Arsenal Image Mounter
https://arsenalrecon.com/weapons/image-mounter/
then create a RAW image from it and then convert the RAW image to VMDK, or use xmount on Linux
https://www.forensicfocus.com/Forums/viewtopic/t=10663/

jaclaz

 
Posted : 19/12/2017 11:08 am
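The two routes discussed in this thread (the full copy with `qemu-img convert -f raw -O vmdk` in the first post, and the "create a .vmdk descriptor by hand" alternative in the last reply) are worth seeing side by side. The script below is an added example written for this page, not code from the thread, from VMware or from the QEMU project. It generates a VMware `monolithicFlat` descriptor that points a VM at an existing raw image without copying it, and also returns the `qemu-img` argument list for the copy route. Assumptions, labelled as such in the code: the raw image is a whole-disk image with 512-byte sectors, and the 16 heads / 63 sectors-per-track geometry is the conventional one for a flat IDE descriptor. The function names (`vmdk_descriptor`, `write_descriptor`, `qemu_img_convert_argv`, `demo`) are the example's own.

```python
#!/usr/bin/env python3
"""Point a VMware VM at a raw (dd-style) image via a monolithicFlat .vmdk
descriptor, as an alternative to copying it with qemu-img convert.

Added example for this page; not the thread's, VMware's or QEMU's code.
Assumptions: whole-disk raw image, 512-byte sectors, 16x63 CHS geometry.
"""
from __future__ import annotations

import shlex
import tempfile
from pathlib import Path

SECTOR = 512            # assumed sector size of the raw image
HEADS = 16              # conventional geometry for a flat IDE descriptor
SECTORS_PER_TRACK = 63


def sector_count(image_size: int) -> int:
    """Size in 512-byte sectors; a raw disk image must be a whole number of sectors."""
    if image_size <= 0 or image_size % SECTOR:
        raise ValueError(f"image size {image_size} is not a positive multiple of {SECTOR}")
    return image_size // SECTOR


def cylinders(sectors: int) -> int:
    """CHS cylinder count for the DDB section (rounded down, as most tools do)."""
    return max(1, sectors // (HEADS * SECTORS_PER_TRACK))


def vmdk_descriptor(raw_name: str, image_size: int, adapter: str = "ide") -> str:
    """Render the descriptor text. adapter must be ide, buslogic or lsilogic."""
    if adapter not in ("ide", "buslogic", "lsilogic"):
        raise ValueError("unknown adapterType " + adapter)
    sectors = sector_count(image_size)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        # RW <sectors> FLAT "<file>" <offset>: one extent covering the whole raw image
        f'RW {sectors} FLAT "{raw_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cylinders(sectors)}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.adapterType = "{adapter}"',
        "",
    ])


def write_descriptor(raw_image: Path, adapter: str = "ide") -> Path:
    """Write <image>.vmdk beside the raw file; a relative extent name keeps the pair portable."""
    raw_image = Path(raw_image)
    descriptor = raw_image.with_suffix(".vmdk")
    descriptor.write_text(vmdk_descriptor(raw_image.name, raw_image.stat().st_size, adapter))
    return descriptor


def qemu_img_convert_argv(raw_image: str, vmdk_out: str) -> list[str]:
    """argv for the full-copy route used in the thread (qemu-img convert -f raw -O vmdk)."""
    return ["qemu-img", "convert", "-f", "raw", "-O", "vmdk", raw_image, vmdk_out]


def demo(size_bytes: int = 4 * 1024 * 1024) -> str:
    """Constructed demo: a zero-filled sparse raw image in a temp dir, descriptor written beside it."""
    with tempfile.TemporaryDirectory() as tmp:
        raw = Path(tmp) / "rawdisk.img"
        with raw.open("wb") as f:
            f.truncate(size_bytes)      # sparse file standing in for ewfexport/xmount output
        return write_descriptor(raw).read_text()


if __name__ == "__main__":
    print(demo())
    print("full-copy alternative:",
          shlex.join(qemu_img_convert_argv("/Volumes/Disk/rawdisk.img", "/Volumes/Disk/rawdisk.vmdk")))
```

Two practical notes. A FLAT extent is opened read-write by the VM, so point the descriptor at a working copy (or at a read-only xmount/Arsenal-backed raw file) rather than at the only copy of the evidence, and verify the copy's hash afterwards. And a descriptor only changes how the disk is attached; the 0x0000007b stop error discussed above is about the boot-time storage driver inside the guest, so the P2V step (or the registry change in the VMware KB article jaclaz linked) is still needed if the goal is to boot the image.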