by Nanni Bassetti
Sometimes during a computer forensic investigation, we need to virtualize our image disk, because it could be useful for checking or finding something of interest.
If we need to virtualize a disk image file, we can:
- Convert the image file in VDI/VMDK
- Use GNU/Linux and XMount
The first point is very space and time consuming, indeed if we have a disk image of 1Tb in size, we need another 1Tb to store the VDI/VMDK virtual disk for feeding our Virtual Machine and the conversion process is time wasting.
In GNU/Linux we can use XMount which is very comfortable because we don’t need to convert the image file in Virtual Disk file format, it “allows you to convert on-the-fly between multiple input and output harddisk image types. Xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image.“
“In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.“
If we are working in MS Windows, we don’t have a corresponding tool, so I decided to study a method to do it.
The steps are these:
- We need to have a Physical disk in Windows, starting from a disk image file.
- We need the virtual write access redirected to an external cache file, for not changing the image file.
- We need a special command for creating a virtual representation of the input image for an on-the-fly conversion.
All those points can be reached by manually running some tools and commands:
- We have to run VirtualBox to create a VM with no disk.
- We need to run Arsenal Image Mounter, because it can mount an image file as a real Physical disk in Windows and it can mount in write mode saving the changes in an external cache file.
- We need to put offline the mounted disk for avoiding the write attempts, those fail during the boot of the V.M..
- We need the VBoxManage command to create the VMDK file on-the-fly.
All those steps can be done manually launching tools and writing commands, but I know that people are bored doing it that way, so I made a GUI using Lazarus to automate it.
Pressing the first button we can create an empty V.M. and we name it (e.g. testvm).
Pressing the second button we run Arsenal Image Mounter and we have to mount in this way:
Then we have to put OFFLINE the image disk just mounted, using the Windows command DISKPART
Type LIST DISK, see the disk number of your mounted disk image file (e.g. number 2) and then write SELECT DISK number (e.g. SELECT DISK 2). Now put the disk offline by typing OFFLINE DISK.
And now let’s create the virtual VMDK disk, this is the manual procedure, but Imm2Virtual can do it for you simply writing the disk name you chose and the physical disk number.
‘”C:\Program Files\Oracle\VirtualBox\VBoxManage.exe” internalcommands createrawvmdk -filename ‘ ‘”C:\Users\USER_NAME\VirtualBox VMs\DISK_NAME\DISK_NAME.vmdk” -rawdisk \\.\PhysicalDriveX’
where
USER_NAME is your user name, Windows account.
DISK_NAME is the name you chose for your virtual machine.
PhysicalDriveX is the Physical Drive where Arsenal Image Mounter has mounted your disk image file. (e.g. PhysicalDrive2).
Finally we can add our new brand VMDK disk to our Virtual Machine and run it!
Imm2Virtual is an Open Source program. https://github.com/nannib/Imm2Virtual
Author
Nanni Bassetti – http://www.nannibassetti.com
Digital Forensics consultant
Nice use of the “discardable writes” with Arsenal Image Mounter.
Most probably the vboxmanage is unneeded, it should just create a .vmdk descriptor file pointing to the physicaldrive, similar to what has been discussed here:
https://www.forensicfocus.com/Forums/viewtopic/t=15861/
Only of the type “fulldevice”:
http://sanbarrow.com/vmdk/disktypes.html#fullDevice