Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

by Nanni Bassetti

Sometimes during a computer forensic investigation we need to virtualize our disk image, because booting it can be useful for checking or finding something of interest.

If we need to virtualize a disk image file, we can:

  1. Convert the image file to VDI/VMDK
  2. Use GNU/Linux and XMount

The first option is very space and time consuming: if we have a disk image of 1 TB in size, we need another 1 TB to store the VDI/VMDK virtual disk for feeding our Virtual Machine, and the conversion process itself takes a long time.

In GNU/Linux we can use XMount, which is very convenient because we don’t need to convert the image file into a virtual disk file format; it “allows you to convert on-the-fly between multiple input and output harddisk image types. Xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image.

In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.”

If we are working in MS Windows we don’t have a corresponding tool, so I decided to work out a method to do the same thing.

The steps are these:

  1. We need the disk image file to appear as a physical disk in Windows.
  2. We need virtual write access redirected to an external cache file, so the image file itself is never changed.
  3. We need a special command that creates a virtual representation of the input image, i.e. an on-the-fly conversion.

All those requirements can be met by manually running some tools and commands:

  1. We have to run VirtualBox to create a VM with no disk.
  2. We need to run Arsenal Image Mounter, because it can mount an image file as a real physical disk in Windows, and it can mount it writable while saving the changes to an external cache file.
  3. We need to take the mounted disk offline, to avoid the write attempts from Windows that would otherwise fail during the boot of the VM.
  4. We need the VBoxManage command to create the VMDK file on-the-fly.

All those steps can be done manually by launching tools and typing commands, but I know that people find doing it that way tedious, so I made a GUI using Lazarus to automate it.

Imm2Virtual

Pressing the first button creates an empty VM with the name we choose (e.g. testvm).
Pressing the second button runs Arsenal Image Mounter, where we have to mount the image in this way:

Then we have to put the just-mounted image disk OFFLINE, using the Windows command DISKPART.

Type LIST DISK and note the disk number of your mounted disk image file (e.g. number 2), then type SELECT DISK number (e.g. SELECT DISK 2). Now put the disk offline by typing OFFLINE DISK.

And now let’s create the virtual VMDK disk. This is the manual procedure, but Imm2Virtual can do it for you: simply enter the disk name you chose and the physical disk number.

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\USER_NAME\VirtualBox VMs\DISK_NAME\DISK_NAME.vmdk" -rawdisk \\.\PhysicalDriveX

where

USER_NAME is the user name of your Windows account.
DISK_NAME is the name you chose for your virtual machine.
PhysicalDriveX is the physical drive on which Arsenal Image Mounter has mounted your disk image file (e.g. PhysicalDrive2).

Finally we can add our brand new VMDK disk to our Virtual Machine and run it!
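The manual steps above (take the mounted disk offline, create the raw VMDK, attach it to the VM), as an added PowerShell example written for this article; it is not Imm2Virtual's own code. It assumes the image is already mounted by Arsenal Image Mounter (in write-temporary mode, so changes go to its cache file) as \\.\PhysicalDrive<DiskNumber>, that VirtualBox is installed in its default path with the default "VirtualBox VMs" machine folder, and that the shell is running elevated.

```powershell
# Added example, not part of Imm2Virtual. Automates steps 3 and 4 of the procedure
# above. Assumes: image already mounted by Arsenal Image Mounter as PhysicalDrive<N>,
# VirtualBox in the default install path, default VM folder, elevated PowerShell.
param(
    [Parameter(Mandatory)][int]$DiskNumber,   # e.g. 2, as shown by LIST DISK / Get-Disk
    [Parameter(Mandatory)][string]$VmName     # e.g. testvm, the VM created in step 1
)
$ErrorActionPreference = 'Stop'
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$Vmdk       = Join-Path $env:USERPROFILE "VirtualBox VMs\$VmName\$VmName.vmdk"
$RawDisk    = "\\.\PhysicalDrive$DiskNumber"

# Step 3: take the evidence disk offline so Windows itself never writes to it and the
# VM's boot-time writes land in AIM's cache file instead of failing.
$disk = Get-Disk -Number $DiskNumber
Write-Host ("Disk {0}: {1}, {2} GB" -f $DiskNumber, $disk.FriendlyName, [math]::Round($disk.Size / 1GB))
if (-not $disk.IsOffline) {
    Set-Disk -Number $DiskNumber -IsOffline $true
}
# Re-read the state and refuse to continue unless the disk really is offline.
$disk = Get-Disk -Number $DiskNumber
if (-not $disk.IsOffline) { throw "Disk $DiskNumber is still online; aborting" }

# Step 1 (only if the VM does not exist yet): an empty, registered VM with a SATA controller.
$vmPattern = '^"' + [regex]::Escape($VmName) + '"'
if (-not ((& $VBoxManage list vms) -match $vmPattern)) {
    & $VBoxManage createvm --name $VmName --register | Out-Null
    & $VBoxManage storagectl $VmName --name 'SATA' --add sata --controller IntelAhci
}

# Step 4: the on-the-fly raw VMDK pointing at the physical drive, then attach it to the VM.
if (Test-Path $Vmdk) { throw "$Vmdk already exists; remove it or choose another VM name" }
& $VBoxManage internalcommands createrawvmdk -filename $Vmdk -rawdisk $RawDisk
if ($LASTEXITCODE -ne 0) { throw "createrawvmdk failed for $RawDisk (is the shell elevated?)" }
& $VBoxManage storageattach $VmName --storagectl 'SATA' --port 0 --device 0 --type hdd --medium $Vmdk
if ($LASTEXITCODE -ne 0) { throw "storageattach failed for $Vmdk" }
Write-Host "Attached $Vmdk ($RawDisk) to VM '$VmName'. Start it with: VBoxManage startvm $VmName"
```

The script stops before creating the VMDK if the disk is still online, which is the check that protects the mounted image from host-side writes; the VMDK it creates is only a few hundred bytes of metadata, so no copy of the image is made.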

Imm2Virtual is an Open Source program: https://github.com/nannib/Imm2Virtual

Author
Nanni Bassetti – http://www.nannibassetti.com
Digital Forensics consultant
