Examining VDI files  

randomaccess
(@randomaccess)
Active Member

Has anyone had any luck examining VDI files?
I've got two that I can add to a VM and load them up (but then I'm faced with a password screen). However, I can't figure out a way to view the file system using a forensic suite (i.e. EnCase).

At best I've managed to get it to see one of the partitions, but it's not the ext3/4 partition I'm looking for.

I've tried to use the vboxmanage converttoraw option to no avail.
The only other thing I can think of is to get a live CD going on the VM and image it.
Any other suggestions?

Posted : 23/07/2013 3:52 pm
minime2k9
(@minime2k9)
Active Member

How about QEMU-IMG on linux?

http://www.dedoimedo.com/computers/virtualbox-convert.html

Posted : 23/07/2013 4:00 pm
jaclaz
(@jaclaz)
Community Legend

Just like .vhd and .vmdk, there are SEVERAL different formats for .vdi.
A "static" file can be converted to "RAW" without any difficulties, but if it's one of the "dynamic" ones, then it's another matter.

There are tools under Linux:
http://libguestfs.org/

Under Windows there is the commercial WinMount:
http://www.winmount.com/mount_vdi.html

And the free ImDisk:
http://www.ltr-data.se/opencode.html/
http://reboot.pro/forum/59-imdisk/
that in recent versions supports "all" or "almost all" the VDI, VHD and VMDK types, see
http://reboot.pro/topic/18324-imdisk-toolkit/
Actually, the support is provided by DiscUtilsDevio, see FAQ #8 here:
http://reboot.pro/topic/15593-faqs-and-how-tos/
Please consider how ImDisk will anyway access the volume (and NOT the "whole disk").
The mentioned ImDisk Toolkit may make the mounting easier.

There is a "derived work" from ImDisk, "forensics oriented", by Passmark:
http://www.osforensics.com/tools/mount-disk-images.html
though it doesn't seem like it supports the .VDI format; being "connected" with ImDisk, it is possible that it can manage DiscUtilsDevio too?

And here there is a tool
https://forums.virtualbox.org/viewtopic.php?p=31276#31276
to convert a "dynamic" VDI into a (sparse file backed) "static" one.

As always, YMMV. 😯

jaclaz

Posted : 23/07/2013 5:54 pm
cosimo
(@cosimo)
New Member

You can also mount it with FTK Imager, which is able to mount it both as a physical disk and as logical volumes (if Windows supports the file systems installed on the various partitions).
After that, you can use your forensic tool of choice to inspect/acquire it.

Posted : 23/07/2013 6:53 pm
randomaccess
(@randomaccess)
Active Member

Thanks guys.

I've tried a number of different ways to get around this and have had no luck.

Tried converting the file to static and then throwing it into various forensic tools; no luck.
Tried to replace the /etc/shadow file with one I'd crafted myself (manually; this was a painful hex editing process) - but it didn't work.
Tried Konboot/boot disk to access the volume, and no luck.

It appears that the VDI file contains three partitions; one contains an EFI and, upon entering the correct password, boots one of the others. The one that I think contains all the data makes references to using LVM; overall I'm stumped at trying to get into this thing.

Posted : 25/07/2013 8:06 am
minime2k9
(@minime2k9)
Active Member

Ah, LVMs. I've been struggling with them recently; see if this article helps you:

http://pissedoffadmins.com/os/mount-unknown-filesystem-type-lvm2_member.html

Helped me get into the volume.

Posted : 25/07/2013 12:31 pm
HexDrugsRockNRoll
(@hexdrugsrocknroll)
Member

My first suggestion would have been to use a live CD. Also (by chance) I've seen a VBoxManage command in the Malware Analyst's Cookbook this morning which is supposed to convert to a raw image:

VBoxManage clonehd SUSPECT.vdi SUSPECT.dd --format RAW

Good luck.

Posted : 25/07/2013 3:00 pm
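jaclaz's point about static versus dynamic VDI files, and the VBoxManage clonehd / qemu-img route to a raw image, both come down to the same thing: a dynamic VDI is a block map plus a pile of allocated blocks, and "converting to RAW" means walking that map. The script below is an added example written for this thread, not code from any poster, VirtualBox or QEMU. It reads the published VDI 1.1 header layout (64-byte text banner, then little-endian integers), tells you whether an image is dynamic or static, and flattens it into a raw image the way clonehd --format RAW would. The sample image it builds for itself is constructed in memory; the file names in the usage comment are placeholders.

```python
"""Inspect a VirtualBox VDI header and flatten it into a raw disk image.
Constructed example (not VirtualBox or QEMU code). Only dynamic (type 1)
and static (type 2) images are handled; undo/differencing images are refused.
"""
import struct
import sys

VDI_SIGNATURE = 0xBEDA107F
VDI_TYPE_DYNAMIC = 1
VDI_TYPE_STATIC = 2
VDI_UNALLOCATED = 0xFFFFFFFF   # block never written: reads as zeros
VDI_DISCARDED = 0xFFFFFFFE     # block trimmed by newer VirtualBox: also zeros
TEXT_LEN = 0x40
# After the 64-byte banner: signature, version, header_size, image_type, flags,
# description[256], offset_bmap, offset_data, cylinders, heads, sectors,
# sector_size, unused, disk_size (u64), block_size, block_extra,
# blocks_in_image, blocks_allocated (UUIDs follow; not needed here)
HDR_FMT = "<IIIII256sIIIIIIIQIIII"


def parse_header(data):
    """Return the header fields as a dict; raise ValueError if not a VDI."""
    if len(data) < TEXT_LEN + struct.calcsize(HDR_FMT):
        raise ValueError("too short to hold a VDI header")
    (sig, version, header_size, image_type, flags, desc, offset_bmap,
     offset_data, _cyl, _heads, _sectors, sector_size, _unused, disk_size,
     block_size, _extra, blocks_in_image, blocks_allocated) = struct.unpack_from(
        HDR_FMT, data, TEXT_LEN)
    if sig != VDI_SIGNATURE:
        raise ValueError("bad VDI signature 0x%08x" % sig)
    kinds = {VDI_TYPE_DYNAMIC: "dynamic", VDI_TYPE_STATIC: "static"}
    return {
        "version": "%d.%d" % (version >> 16, version & 0xFFFF),
        "header_size": header_size,
        "image_type": image_type,
        "kind": kinds.get(image_type, "unsupported(%d)" % image_type),
        "description": desc.rstrip(b"\0").decode("utf-8", "replace"),
        "offset_bmap": offset_bmap,
        "offset_data": offset_data,
        "sector_size": sector_size,
        "disk_size": disk_size,
        "block_size": block_size,
        "blocks_in_image": blocks_in_image,
        "blocks_allocated": blocks_allocated,
    }


def vdi_to_raw(data):
    """Flatten a dynamic or static VDI (bytes) into a raw image (bytes).
    Each block-map entry is a physical block index or a sentinel; physical
    block p lives at offset_data + p * block_size. Unallocated and discarded
    blocks stay zero, which is exactly what the guest would have read.
    """
    h = parse_header(data)
    if h["image_type"] not in (VDI_TYPE_DYNAMIC, VDI_TYPE_STATIC):
        raise ValueError("image type %d not handled here" % h["image_type"])
    bs, n = h["block_size"], h["blocks_in_image"]
    bmap = struct.unpack_from("<%dI" % n, data, h["offset_bmap"])
    raw = bytearray(h["disk_size"])
    for logical, phys in enumerate(bmap):
        if phys in (VDI_UNALLOCATED, VDI_DISCARDED):
            continue
        src = h["offset_data"] + phys * bs
        chunk = data[src:src + bs]
        if len(chunk) != bs:
            raise ValueError("block %d points past end of file" % logical)
        end = min((logical + 1) * bs, len(raw))   # last block may be short
        raw[logical * bs:end] = chunk[:end - logical * bs]
    return bytes(raw)


def build_sample_vdi(block_size=4096):
    """Constructed 4-block dynamic VDI: logical block 0 holds 'A's, block 2
    holds 'C's, block 1 is unallocated and block 3 is marked discarded."""
    n_blocks, offset_bmap, offset_data = 4, 512, 1024
    bmap = [0, VDI_UNALLOCATED, 1, VDI_DISCARDED]   # logical -> physical
    text = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(TEXT_LEN, b"\0")
    hdr = struct.pack(HDR_FMT, VDI_SIGNATURE, 0x00010001, 0x190, VDI_TYPE_DYNAMIC,
                      0, b"constructed sample", offset_bmap, offset_data,
                      0, 0, 0, 512, 0, block_size * n_blocks, block_size, 0,
                      n_blocks, 2)
    img = bytearray(offset_data + 2 * block_size)
    img[:len(text) + len(hdr)] = text + hdr       # UUIDs and padding stay zero
    struct.pack_into("<%dI" % n_blocks, img, offset_bmap, *bmap)
    img[offset_data:offset_data + block_size] = b"A" * block_size
    img[offset_data + block_size:offset_data + 2 * block_size] = b"C" * block_size
    return bytes(img)


if __name__ == "__main__":
    # usage: python vdi_to_raw.py IMAGE.vdi [OUT.dd]   (placeholder names)
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    for key, value in parse_header(blob).items():
        print("%-16s %s" % (key, value))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as f:
            f.write(vdi_to_raw(blob))
```

Running it with just the image path prints the header, which is the quick check before picking a tool: "kind" tells you static or dynamic, and "blocks_allocated" against "blocks_in_image" tells you how sparse it is. The flattening loop reads the whole file into memory, so on a real multi-GB image use VBoxManage clonehd or qemu-img convert for the conversion itself; the output of either is the same raw, whole-disk image (partition table, EFI partition and the LVM physical volume included), which is what a forensic suite or a loop-mounted LVM activation needs to see.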
jaclaz
(@jaclaz)
Community Legend

Thanks guys.

I've tried a number of different ways to get around this and have had no luck.

Tried converting the file to static and then throwing it into various forensic tools; no luck.
Tried to replace the /etc/shadow file with one I'd crafted myself (manually; this was a painful hex editing process) - but it didn't work.
Tried Konboot/boot disk to access the volume, and no luck.

It appears that the VDI file contains three partitions; one contains an EFI and, upon entering the correct password, boots one of the others. The one that I think contains all the data makes references to using LVM; overall I'm stumped at trying to get into this thing.

Wait a minute.
What has Konboot to do with ext3/4 partitions?
What is/was the operating system installed to that VDI image?
What "generates" the password screen?
Is that the Windows logon?
Konboot is - if I recall correctly - not good/not working on Windows 64 bit.

jaclaz

Posted : 25/07/2013 6:07 pm
randomaccess
(@randomaccess)
Active Member

Two Linux VMs.
Both have passwords.

File carves found pictures of interest,
but I need to find a way to get into the OS or examine the OS file system.

Konboot works for Win/OSX; I saw something that said it might allow me into a Linux OS, so I tried that.
The OSes are Debian based, if I recall.

I can get three partitions up, except one of them shows me the EFI and the others are seen as unallocated space.

Posted : 28/07/2013 9:43 am
jaclaz
(@jaclaz)
Community Legend

Konboot works for Win/OSX; I saw something that said it might allow me into a Linux OS, so I tried that.

Ok, so that was just a "desperate" attempt.

There are currently TWO SEPARATE versions of Konboot.

The first is for Windows NT based systems ONLY (starting from XP).
The second, which is actually "konboot for mac", is for Mac OS X; this one has been released only recently.

They work with completely different approaches.

And there is a LOT of confusion.
The tool was INITIALLY released as Free software (that would be version 1.0)
and later became Commercial.

The original Free version did BOTH Windows systems and some Linuxes
http://www.linuxsolutions.fr/kon-boot/
but only the original version
http://web.archive.org/web/20080718171828/http://piotrbania.com/all/kon-boot/

Which exact version did you try?

Two Linux VMs.
Both have passwords.

Let's tackle one at a time.

I can get three partitions up, except one of them shows me the EFI and the others are seen as unallocated space.

Get them up where (which OS, which VM if any, etc.) and in what do you see "the EFI" (what do you mean by "the EFI", the EFI protective MBR?).

jaclaz

Posted : 28/07/2013 6:16 pm
randomaccess
(@randomaccess)
Active Member

I'll have to answer those questions when I'm back at work in a couple of weeks.
Thanks jaclaz.

Posted : 29/07/2013 3:58 am