Boot a DD into a Virtual Machine with VirtualBox  

infosecwriter
(@infosecwriter)
New Member

I know it's been about 10 years since my last post. I didn't think it was that long until I saw the time stamp. I used to use liveview. Now, no need really. Just need a disk large enough for the VDI or VMDK.

In this episode of Just the Tip, we will use VirtualBox to convert a forensic raw dd copy using DCFLDD into a VMDK file that can be booted into either VirtualBox or VMWare. The VBOXManage syntax used in this example is

VboxManage.exe convertfromraw IWC-Lab-17082017.dd IWC-Lab.vmdk --format vmdk

This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.

Here is the vid demo https://youtu.be/NhZPixwlVFQ

Posted : 15/09/2017 2:28 am
jaclaz
(@jaclaz)
Community Legend

This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.

There is no actual *need* to convert the image (just for the record).

All that is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.

There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
http://sanbarrow.com/vmdk/disktypes.html
http://sanbarrow.com/vmdk/disktypes.html#monolithicFlat

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk
http://reboot.pro/topic/8480-clonedisk/
http://labalec.fr/erwan/?page_id=42

And it is also instantaneous.

Another dedicated tool (compiled AutoIt script) is here (via Wayback Machine)
https://web.archive.org/web/20130324051431/http://sanbarrow.com/phpBB2/viewtopic.php?t=1162

https://web.archive.org/web/20130324051431/http://sanbarrow.com/moa23/files/oh_dear_I_lost_my_descriptor.zip

jaclaz

Posted : 15/09/2017 11:54 am
infosecwriter
(@infosecwriter)
New Member

thanks for the info

Posted : 16/09/2017 5:47 pm
infosecwriter
(@infosecwriter)
New Member

All that is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.

There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
http://sanbarrow.com/vmdk/disktypes.html
http://sanbarrow.com/vmdk/disktypes.html#monolithicFlat

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk
http://reboot.pro/topic/8480-clonedisk/
http://labalec.fr/erwan/?page_id=42

Does this also work with VirtualBox? I know LiveView did the same thing for VMware, but you had to download the VMware developer toolkit for the drivers. It did not work for VBox

Posted : 16/09/2017 5:52 pm
infosecwriter
(@infosecwriter)
New Member

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk
http://reboot.pro/topic/8480-clonedisk/
http://labalec.fr/erwan/?page_id=42
jaclaz

This method does not seem to work with VirtualBox. It must be a VMWare only item.

"Could not get the storage format of the medium 'E:\IWC-Lab\IWC-Lab\test.vmdk' (VERR_NOT_SUPPORTED).

Result Code
VBOX_E_IPRT_ERROR (0x80BB0005)
Component
MediumWrap
Interface
IMedium {4afe423b-43e0-e9d0-82e8-ceb307940dda}
Callee
IVirtualBox {0169423f-46b4-cde9-91af-1e9d5b6cd945}
Callee RC
VBOX_E_OBJECT_NOT_FOUND (0x80BB0001)
"

Posted : 17/09/2017 12:37 am
jaclaz
(@jaclaz)
Community Legend

This method does not seem to work with VirtualBox. It must be a VMWare only item.

Maybe something has changed in recent Virtualbox. 😯

It has been a while since I last updated; I have an old 4.1 version running and it accepts these files just fine.

I seem to remember some small quirks (like Virtualbox wanting some particular field in the descriptor file and ignoring some other ones), but cannot really recall the details.

Surely there is (or was) an issue with accessing images while a VirtualBox instance is open: for some reason VirtualBox scans the root of the folder where the virtual machine lives, or in any case adds the "known" images to a sort of database, and this can produce every kind of error about duplicates, inaccessible files and what not.

Anyway, make this test.

Use this (saved as Mytest10Mb.vmdk) in *any* directory outside the VM one

# Disk DescriptorFile
version=1
CID=61968b17
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 20160 FLAT "Mytest10Mb-flat.vmdk" 0

# The disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.adapterType="ide"
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
ddb.uuid.parent="00000000-0000-0000-0000-000000000000"
ddb.uuid.modification="00000000-0000-0000-0000-000000000000"
ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
Create in the same directory a file named "Mytest10Mb-flat.vmdk" (filled with 00) 10321920 bytes in size.

Start VirtualBox and try adding the Mytest10Mb.vmdk under the IDE controller.

What happens?

Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.

jaclaz

Posted : 17/09/2017 7:03 pm
jaclaz
(@jaclaz)
Community Legend

Did a few checks.

For some stupid reason the VirtualBox parser doesn't like the initial

# produced by CloneDisk

(probably it wants the file to start with "# Disk DescriptorFile" and/or the programmer that wrote it didn't understand that lines starting with # can be comment lines).

Then, for some reason, you have to add to the file

ddb.uuid.image="00000000-0000-0000-0000-000000000001"

or *any* uuid.

Then it will mount OK.

As well, using the SanBarrow tool you need to add the

ddb.uuid.image="00000000-0000-0000-0000-000000000001"

AND remove any space before the CR+LF (or just LF) at the end of each line.

It is very possible that different VirtualBox versions have a better (or worse) parser for .vmdk descriptor file, though.

jaclaz

Posted : 17/09/2017 8:28 pm
Mreza
(@mreza)
Member

StarWind V2V Converter

Posted : 18/09/2017 11:16 am
infosecwriter
(@infosecwriter)
New Member

What happens?

Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.

jaclaz

Thank you for the suggestion. I am traveling through client sites this week. I will try this when I get back and let you know.

Posted : 19/09/2017 9:50 pm
jaclaz
(@jaclaz)
Community Legend

Good, in the meantime I could do a few more experiments, with interesting results.
The VirtualBox parser (at least in the version I have) is "queer".
You don't really *need* most of the fields that the tools (originally made and surely working with VMWare) actually produce.

The bare minimum is as follows

# Disk DescriptorFile
version=1
createType=
RW <size in sectors> FLAT "<filename>" 0
ddb.uuid.image="<UUID>"

Just for the fun of it I made a small batch to create both the "minimal" and the "canonical" version.

@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION

:: Usage: makevmdk.cmd <raw dd image> > <descriptor>.vmdk
:: (the descriptor is written to standard output, redirect it to a file)
IF %1.==. GOTO :Error
SET SRFull="%~dpnx1"
IF NOT EXIST %SRFull% GOTO :Error

SET SRName="%~nx1"
SET SRPath=%~dp1

:: get size of Source in bytes
SET SRSize=%~z1

:: get size of Source in 512 bytes sectors
CALL :to_sectors %SRSize%

:: make a NOT really random 16 bytes string to be used as CID and as ddb.uuid.image
SET HexChar=0123456789ABCDEF
SET Rand8=
FOR /L %%A IN (1,1,32) DO (
SET /a _rand=!RANDOM! %% 16
CALL :to_hexchar
SET Rand8=!Rand8!!_rand!
)

SET ddb.uuid.image="%Rand8:~0,8%-%Rand8:~8,4%-%Rand8:~12,4%-%Rand8:~16,4%-%Rand8:~20,12%"
SET CID=%Rand8:~1,2%%Rand8:~5,2%%Rand8:~9,2%%Rand8:~13,2%

:: Now the fun part, the parser of VirtualBox requires only a small subset of the data that
:: is normally in a .vmdk descriptor file and in any case there is no need of setting the geometry
:: and other ddb. fields apart from the ddb.uuid.image
:: So, the following allows to change from the "canonical" version to the shorter one, UNREM
:: the one that you choose
CALL :canonical
REM CALL :minimal
GOTO :EOF

:canonical
ECHO # Disk DescriptorFile
ECHO version=1
SET CID
ECHO parentCID=ffffffff
ECHO createType="monolithicFlat"
ECHO.
ECHO # Extent description
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
ECHO.
ECHO # The disk Data Base
ECHO #DDB
ECHO.
ECHO ddb.virtualHWVersion = "4"
ECHO ddb.adapterType="ide"
SET ddb.uuid.image
ECHO ddb.uuid.parent="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.modification="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
GOTO :EOF

:minimal
ECHO # Disk DescriptorFile
ECHO version=1
ECHO createType=
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
SET ddb.uuid.image
GOTO :EOF

:: divide the byte count by 2 nine times (i.e. by 512) with decimal long division,
:: because SET /A only handles 32-bit signed integers and images are bigger than 2 GB
:to_sectors
SET Number=%1
FOR /L %%B IN (1,1,9) DO (
CALL :divideby2
IF "0"=="!Result:~0,1!" SET Result=!Result:~1!
IF NOT DEFINED Result SET Result=0
SET Number=!Result!
)
SET SRSizeBlocks=%Result%
GOTO :EOF

:divideby2
SET Result=
:: Get length of number (up to 14 digits)
FOR /L %%A IN (14,-1,1) DO (
SET Part=!Number:~0,%%A!
IF !Part!==%Number% SET Length=%%A
)
SET Carry=0
FOR /L %%A IN (0,1,%Length%) DO (
IF %%A==%Length% GOTO :EOF
SET /A digit=10*!Carry!+!Number:~%%A,1!
SET /A divdigit=!digit!/2
SET /A Carry=!digit!-!divdigit!-!divdigit!
SET Result=!Result!!divdigit!
)
GOTO :EOF

:to_hexchar
SET _rand=!HexChar:~%_rand%,1!
GOTO :EOF

:Error
ECHO Don't you like when all you get is
ECHO an Error occurred!
PAUSE
GOTO :EOF

Virtualbox generates the ddb.geometry fields on its own and, once the image is mounted, it also adds some of the other fields.

It is very possible that VmWare actually *needs* some of the fields I omitted, though.

jaclaz

Posted : 20/09/2017 12:30 pm
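As an added example (my own Python code, not from this thread, nor from CloneDisk, the SanBarrow tool or jaclaz's batch file above), here is a script that generates the "canonical" monolithicFlat descriptor for a raw dd image and, more usefully, lints any descriptor against the three VirtualBox parser quirks reported in this thread: the first line must be exactly "# Disk DescriptorFile", a ddb.uuid.image line must be present, and no line may end in whitespace. It also checks that the sector count in the extent line matches the size of the flat file, which is the mistake a hand-written descriptor most often contains. The field names and layout are copied from the descriptors posted above; treating those three quirks as hard rules, and the CLONEDISK_STYLE sample used as a negative test, are assumptions of this example, not VirtualBox documentation or real CloneDisk output.

```python
"""Build and lint a monolithicFlat VMDK descriptor for a raw dd image.

Example code written for this thread; the field set mirrors the descriptors
posted above, the lint rules are the VirtualBox quirks reported in the thread
(assumed here to be hard requirements).
"""
import os
import re
import sys
import uuid

SECTOR = 512
HEADER = "# Disk DescriptorFile"
# extent line of a monolithicFlat disk: RW <sectors> FLAT "<flat file>" <offset>
EXTENT_RE = re.compile(r'^RW (\d+) FLAT "([^"]+)" (\d+)$')
UUID_RE = re.compile(
    r'^ddb\.uuid\.image="[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"$')

# Constructed negative sample (not real CloneDisk output): wrong first line,
# trailing blank on the extent line, no ddb.uuid.image.
CLONEDISK_STYLE = (
    "# produced by CloneDisk\n"
    "version=1\n"
    'createType="monolithicFlat"\n'
    'RW 20160 FLAT "Mytest10Mb-flat.vmdk" 0 \n'
)


def sectors_from_bytes(size):
    """Image size in 512-byte sectors; a dd copy is always whole sectors."""
    if size <= 0 or size % SECTOR:
        raise ValueError(f"{size} bytes is not a whole number of {SECTOR}-byte sectors")
    return size // SECTOR


def build_descriptor(flat_name, sectors, image_uuid=None):
    """Return the 'canonical' descriptor text pointing at flat_name (the dd file,
    named relative to the descriptor). CID is the first 8 hex digits of the
    image UUID so the two always agree."""
    image_uuid = image_uuid or str(uuid.uuid4())
    cid = image_uuid.replace("-", "")[:8]
    lines = [
        HEADER,
        "version=1",
        f"CID={cid}",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{flat_name}" 0',
        "",
        "# The disk Data Base",
        "#DDB",
        "",
        'ddb.virtualHWVersion = "4"',
        'ddb.adapterType="ide"',
        f'ddb.uuid.image="{image_uuid}"',
        'ddb.uuid.parent="00000000-0000-0000-0000-000000000000"',
        'ddb.uuid.modification="00000000-0000-0000-0000-000000000000"',
        'ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"',
    ]
    return "\n".join(lines) + "\n"  # LF endings, nothing trailing on any line


def lint_descriptor(text, flat_size=None):
    """Return the list of problems that would make VirtualBox reject the
    descriptor (empty list = passes). flat_size is the dd file size in bytes."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        problems.append(f"first line must be exactly {HEADER!r}")
    for n, line in enumerate(lines, 1):
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace before the line ending")
    extents = [m for m in (EXTENT_RE.match(l.rstrip()) for l in lines) if m]
    if not extents:
        problems.append('no parsable extent line (RW <sectors> FLAT "<file>" 0)')
    elif flat_size is not None and int(extents[0].group(1)) * SECTOR != flat_size:
        problems.append(f"extent declares {extents[0].group(1)} sectors but the flat "
                        f"file is {flat_size} bytes = {flat_size // SECTOR} sectors")
    if not any(l.startswith("createType=") for l in lines):
        problems.append("createType line missing")
    if not any(UUID_RE.match(l) for l in lines):
        problems.append('ddb.uuid.image="<UUID>" line missing (VirtualBox refuses the medium without it)')
    return problems


def write_descriptor(image_path, descriptor_path=None):
    """Write <image>.vmdk beside the dd image (never overwriting anything) and
    return its path."""
    size = os.path.getsize(image_path)
    text = build_descriptor(os.path.basename(image_path), sectors_from_bytes(size))
    problems = lint_descriptor(text, size)
    if problems:
        raise RuntimeError("generated descriptor failed lint: " + "; ".join(problems))
    if descriptor_path is None:
        descriptor_path = os.path.splitext(image_path)[0] + ".vmdk"
        if os.path.abspath(descriptor_path) == os.path.abspath(image_path):
            descriptor_path = image_path + ".vmdk"  # image already named *.vmdk
    with open(descriptor_path, "x", newline="\n") as fh:  # "x": refuse to clobber
        fh.write(text)
    return descriptor_path


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mkvmdk.py <raw dd image>")
    print(write_descriptor(sys.argv[1]))
```

Run it as `python mkvmdk.py IWC-Lab-17082017.dd` (script name assumed) to get IWC-Lab-17082017.vmdk beside the image; `lint_descriptor()` can equally be pointed at a descriptor produced by CloneDisk or the SanBarrow tool to see why VirtualBox rejects it. Keep in mind that the descriptor only points at the dd file, so once the guest boots, every write it makes lands in the evidence copy: boot a copy, take a VirtualBox snapshot first, or register the medium as immutable (`VBoxManage modifymedium disk <file> --type immutable`) so that guest writes go to a throwaway differencing image instead.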