Hi Guys,
This is more of a high level "is it possible" question than a technical one.
Say I have a linux box and install Win XP on it via something like Sun's Virtualbox.
How easy/difficult/possible will it be to recover data used on the XP install?
Will normal data carving techniques work?
I'm thinking of testing something like this the weekend.
Give it a shot, and let us know…
Ok, I installed Windows 7 in Virtual box on Ubuntu.
Found my Windows7.vdi file (This is where Virtual Box stores your new OS)
I then scanned it with Scalpel v1.60 specifying only to carve for JPG files, as I created a simple JPG on the Win7 desktop to test.
Sure enough, it works, was able to carve 1566 Win7 system JPGs, including my file created in paint.
Will play around a bit more to see if I can view the original file structure.
Hi,
I do this on a regular basis when I teach Forensics at a distance.
Scalpel, Foremost and Photorec are great tools but none of them recover all the files you want, particularly if there is heavy fragmentation. They are best used on Unallocated Space when there is no other option.
Mounting the virtual disk is the best option and then you can grab active and deleted files with ease. To do this
1) Create a new virtual hard disk large enough to contain all the files you are going to carve out.
2) Attach this disk to the virtual machine
3) Point the CD drive to a forensic disk ISO (for preference I use the
4) Change the boot order in the VM to boot from the ISO
5) Create a partition on the new drive and mount it read-write
6) Copy/Carve files to the new partition from the old (or even create an image)
7) shut the machine down and re-attach the target drive to a VM that can export the files to the host machine or, like I do, have a virtual investigation machine.
A bit long winded I know, but it is a sure-fire way of recovering all the active and deleted files and the best chance of recovering files from Unallocated Space too.
Paul
Thanks for the reply Paul,
Will play around with that the weekend!
As I understand your question, you are not asking about carving the free space of a VM disk file, you are talking about carving the VM disk file to recover any files that would otherwise be active in the file system of the VM.
Most of the commercial tools already support VM disk files as image file formats. Which would only require you to export the .vdi or .vdmk files out of the hard drive image, and load them into EnCase, FTK or X-ways for analysis just like a disk image.
If you want a more traditional image of the disk file, export it, load it into FTK Imager, and create a DD or E01 of it.
As far as carving the free space of the VM disk, it should work without any hitch whatsoever, *if* the VM disk was set to allocate all of its space. In other words, an 8GB VM disk file is actually 8GB in size. Both VirtualBox and VMware allow you to make the disk file dynamic, meaning it may start at 2GB, but can expand up to 8GB. In this case, carving should still work, but it may be more problematic as the amount of free space in the disk file may be quite small.
Hi,
…
Scalpel, Foremost and Photorec are great tools but none of them recover all the files you want, particularly if there is heavy fragmentation. They are best used on Unallocated Space when there is no other option.…..
Paul
At Digital Assembly we have developed techniques to carve even heavily fragmented images - Adroit Photo Forensics. If anyone has fragmented images to carve and wants to try Adroit, please let me know. I can send an evaluation copy for free -)