Examination of VHD disks which were created by XenServer

Eugene_777
(@eugene_777)
New Member

Hello. I need help. I have a hard disk. I guess this disk has VHD disks (partitions) which were created by XenServer (see screenshot). I need to extract the data or create an image and examine the image in X-Ways etc. If somebody has encountered this, help me, please.

Topic starter Posted : 11/07/2017 2:36 pm
jaclaz
(@jaclaz)
Community Legend

Hello. I need help. I have a hard disk. I guess this disk has VHD disks (partitions) which were created by XenServer (see screenshot). I need to extract the data or create an image and examine the image in X-Ways etc. If somebody has encountered this, help me, please.

What is the sector you posted a picture of?
Is it the very last sector of the image?
It seems a lot like the "conectix" footer typical of static VHD's.

If this is the case, the image is a "plain" RAW image, with 4 partitions and seemingly FTK imager can see them alright, and the issue is the filesystem used, there is a reference in your screenshot to LVM2, which usually is complicated to explore in Windows.

Maybe ext2read can access that
https://sourceforge.net/projects/ext2read/

jaclaz

Posted : 11/07/2017 9:38 pm
Eugene_777
(@eugene_777)
New Member

jaclaz, honestly I don't know which sector is shown in the screenshot. I just want to show partitions of the hard disk. I tried ext2read, but it won't work with these partitions (Invalid End of sector marker Bad Super Block. The drive is not ext2 formatted. No valid Ext2 Partitions found in the disk image.)
It took me a long time to figure out what is what, but I have figured it out. Actually, these are the VHD disks of XenServer virtual machines. I installed XenServer on VMware, attached my hard disk to VMware and got 3 virtual machines. XenCenter allows exporting the VHD disks of virtual machines, but, unfortunately, it exports only the obvious files and afterwards I can't repair deleted files.

Maybe somebody knows how to do it more easily, or knows how to do an export that would allow repairing deleted files; tell me, please.

Topic starter Posted : 12/07/2017 4:57 pm
jaclaz
(@jaclaz)
Community Legend

jaclaz, honestly I don't know which sector is shown in the screenshot.

Well, that is your problem.

I just want to show partitions of the hard disk.

You are attempting to go for a "push button" solution (please read as "take a shortcut"), I was trying to suggest to you an analytical path to identify the format of the *whatever* you have in your hands.
This implies opening the image in a hex editor (you have X-Ways, which is an excellent one, if not the best one around) and checking known places, like the first sector (usually the MBR) of the whole disk, the first and last sector of each "partition", the last sector of the disk (in the case of a VHD image, the conectix footer) and going from there.
This info about VHD formats is not difficult to find
https://en.wikipedia.org/wiki/VHD_(file_format)
The link to the documentation is seemingly broken
http://technet.microsoft.com/en-us/library/bb676673.aspx
use the Wayback Machine
https://web.archive.org/web/20160305141915/https://technet.microsoft.com/en-us/library/bb676673.aspx
https://web.archive.org/web/20160415124646/http://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc

jaclaz

Posted : 12/07/2017 7:47 pm
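
The first-sector and last-sector check described in the post above, as an added example that is not part of the original thread: it looks for the MBR signature in sector 0 and parses the "conectix" footer in the last sector, using the footer layout from the Virtual Hard Disk Format Specification linked in the post. The function names and the constructed sample image are assumptions made for illustration.

```python
import struct

SECTOR = 512
# Big-endian VHD footer fields up to "saved state" (85 bytes); the rest is reserved.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB")
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_checksum(footer: bytes) -> int:
    """One's complement of the footer byte sum, checksum field (64..67) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return ~sum(zeroed) & 0xFFFFFFFF

def parse_vhd_footer(sector: bytes):
    """Return selected footer fields, or None if the cookie is absent."""
    if len(sector) != SECTOR or sector[:8] != b"conectix":
        return None
    fields = FOOTER.unpack_from(sector)
    return {
        "creator": fields[5].decode("ascii", "replace"),
        "disk_type": DISK_TYPES.get(fields[13], f"unknown({fields[13]})"),
        "current_size": fields[9],
        "checksum_ok": fields[14] == vhd_checksum(sector),
    }

def inspect_image(f):
    """Check the first and last sector of a seekable binary file object."""
    size = f.seek(0, 2)
    f.seek(0)
    first = f.read(SECTOR)
    f.seek(max(size - SECTOR, 0))
    footer = parse_vhd_footer(f.read(SECTOR))
    fixed = footer is not None and footer["disk_type"] == "fixed"
    return {
        "size": size,
        "mbr_signature": first[510:512] == b"\x55\xaa",
        "footer": footer,
        # In a fixed VHD, everything before the footer is the raw disk content.
        "raw_length": size - SECTOR if fixed else None,
    }

def constructed_fixed_vhd(disk_size=4 * SECTOR) -> bytes:
    """Constructed sample: blank disk with an MBR signature plus a fixed footer."""
    disk = bytearray(disk_size)
    disk[510:512] = b"\x55\xaa"
    raw = FOOTER.pack(b"conectix", 2, 0x00010000, 2**64 - 1, 0, b"test", 0,
                      bytes(4), disk_size, disk_size, 0, 0, 0, 2, 0, bytes(16), 0)
    foot = bytearray(raw.ljust(SECTOR, b"\x00"))
    foot[64:68] = struct.pack(">I", vhd_checksum(bytes(foot)))
    return bytes(disk + foot)
```

On a real image, pass a file opened read-only in binary mode, e.g. `inspect_image(open(path, "rb"))`, working on a copy or behind a write blocker.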
AmNe5iA
(@amne5ia)
Active Member

Just open the vhd in X-ways. No need to image.

Posted : 12/07/2017 11:10 pm
Eugene_777
(@eugene_777)
New Member

Just open the vhd in X-ways. No need to image.

It's not so simple. The disk (I mean the VHD image) has a FreeBSD ZFS partition. I know only one method to see the information: connecting the VHD image to a virtual machine and running it. But I don't know how to repair deleted files in this case. I also don't know how to copy information from the virtual machine. One way is to share a folder on the host machine, connect this folder to the guest machine and then copy the data.

jaclaz, I'm trying to solve my task anyway, even by "taking a shortcut". As I said above, I have identified what this hard disk consists of. Now I need to know how to copy information and repair deleted files.

Topic starter Posted : 13/07/2017 8:21 pm
jaclaz
(@jaclaz)
Community Legend

The disk (I mean the VHD image) has a FreeBSD ZFS partition.

http://forensicswiki.org/wiki/ZFS
https://www.joyent.com/blog/zfs-forensics-recovering-files-from-a-destroyed-zpool

https://www.forensicfocus.com/Forums/viewtopic/t=14220/

Now I need to know how to copy information and repair deleted files.

That might be appropriate in a data recovery scenario, not so much in a forensic one, you cannot really "copy" files without losing a large amount of information that may be vital for the forensic examination.

jaclaz

Posted : 13/07/2017 8:55 pm