Hello,
We have a Mac OSX drive with Parallels Desktop for Mac installed, several of which are running Windows XP. We need to be able to forensically examine these XP Parallels, but cannot/don't want to start them up. How would I go about getting a forensic image (or at least analyzing) the XP Parallels?
Thanks
Parallels comes with a file browser that allows access to the VM container in OS X without actually running the VM. The problem is that the VM containers can change size and write over areas in unallocated space. You also can only browse 'live' files with this technique.
A good initial approach would be to make a hashed copy of the VM container. If you have access to a Mac use the Parallels native VM browser that was installed with Parallels and do a triage of the containers.
I have never tried this, but I am going to see if Encase can read a Parallels VM. I know it can see VMware containers but I have never tried a Parallels one.
Ok, I didn't think you could drop a Parallels VM into Encase and view it, like you can with a Virtual Machine .vmdk file
I don't know that Encase will see a Parallels container. I have access to Vmware, Vmware Fusion and Parallels at home so I am going to try it out to see what happens. It may be that you have to convert the Parallels container first with the Fusion software as if you were importing a Parallels VM into Fusion.
If the virtual machines have virtual CD drives, attach a forensic ISO and boot from that … then image just like a physical machine using LINEN/DD. This certainly works in VMWare.
I wrote a blog entry about this last week: davnads.blogspot.com
Join my blog, I need followers!
One of the things I'm trying to do with my blog is post the blog content to here and to reference these forums when appropriate. It supports FF, people are more willing to comment here, and there are more readers of FF than we'll ever get for our blogs so if you want eyeballs, they're here.
-David
If the virtual machines have virtual CD drives, attach a forensic ISO and boot from that … then image just like a physical machine using LINEN/DD. This certainly works in VMWare.
Does this modify the 'container' file? I know the mounted virtual drive might not get touched as it would 'mount' as -r but the VM containing the machine could be touched. That was the basic idea behind the development of LiveView which runs VMs built from write-protected dd images.
Just came across this, it might be useful.
http//
If the virtual machines have virtual CD drives, attach a forensic ISO and boot from that … then image just like a physical machine using LINEN/DD. This certainly works in VMWare.
Does this modify the 'container' file? I know the mounted virtual drive might not get touched as it would 'mount' as -r but the VM containing the machine could be touched. That was the basic idea behind the development of LiveView which runs VMs built from write-protected dd images.
Correct, liveview with read only will preserve the container file. Not using such method will modify the container file.
Personally, I'm typically never worried about modifying the container file because I'm not working on the original container. I export a working copy out of the image and work on that. What liveview and other similar software do not do is prevent the system from changing, the virtual machine will get changed when you boot it up, attach an ISO, and other similar tasks. It's just part of the price you pay for a live acquisition.
In one of the methods I outlined in my blog entry you can convert the Parallels image to a raw disk format and then mount it in Encase like a vmdk file. In this case you don't need to even boot the thing.
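The two non-live approaches in this thread, hash the container first (the reply near the top) and convert the Parallels container to a raw disk so it can be added to a forensic tool like any dd image (the reply directly above), can be done with a short script. The following is an added example written for this page, not code from any poster, from Parallels, or from the blog linked above. It assumes the classic single-file sparse Parallels disk: a 64-byte little-endian header whose magic is "WithoutFreeSpace" (BAT entries are sector offsets) or "WithouFreSpacExt" (BAT entries are cluster offsets), followed by a block allocation table of uint32 entries, one per virtual cluster, with 0 meaning never written. That layout is taken from the open-source QEMU `block/parallels.c` driver; snapshot chains and the later bundle-style `.hdd` directories (DiskDescriptor.xml plus `.hds` files) are out of scope here. The `build_sample_image()` data is constructed for the example and does not come from any real VM.

```python
#!/usr/bin/env python3
"""Convert a single-file Parallels sparse disk image to a raw (dd-style) image.

Layout (per QEMU's block/parallels.c): 64-byte header, then a BAT of uint32
entries, one per virtual cluster. A BAT entry of 0 means the cluster was never
written and reads back as zeros in the raw image.
"""
import hashlib
import struct
import sys

SECTOR = 512
HEADER_FMT = "<16sIIIIIQII12s"            # little-endian, 64 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
MAGIC_V1 = b"WithoutFreeSpace"            # BAT entries are 512-byte sector offsets
MAGIC_V2 = b"WithouFreSpacExt"            # BAT entries are cluster offsets
INUSE_MAGIC = 0x746F6E59                  # header 'inuse' value: image not cleanly closed


def parse_header(img):
    """Decode the fixed header; raise ValueError on anything that is not a Parallels disk."""
    if len(img) < HEADER_SIZE:
        raise ValueError("file shorter than a Parallels header")
    (magic, version, heads, cylinders, tracks, bat_entries,
     nb_sectors, inuse, data_off, _pad) = struct.unpack_from(HEADER_FMT, img, 0)
    if magic == MAGIC_V1:
        off_mult = 1
        nb_sectors &= 0xFFFFFFFF          # old format: only the low 32 bits are valid
    elif magic == MAGIC_V2:
        off_mult = tracks                 # cluster units -> multiply by sectors per cluster
    else:
        raise ValueError("bad magic %r: not a Parallels sparse image" % magic)
    if version != 2:
        raise ValueError("unsupported header version %d" % version)
    if tracks == 0 or bat_entries == 0:
        raise ValueError("corrupt header: zero cluster size or empty BAT")
    return {
        "heads": heads, "cylinders": cylinders,
        "cluster_size": tracks * SECTOR, "bat_entries": bat_entries,
        "nb_sectors": nb_sectors, "off_mult": off_mult, "data_off": data_off,
        "dirty": inuse == INUSE_MAGIC,    # True = VM was running / container not flushed
    }


def parallels_to_raw(img):
    """Flatten an in-memory Parallels image; returns (raw_bytes, header_dict)."""
    hdr = parse_header(img)
    cs = hdr["cluster_size"]
    bat = struct.unpack_from("<%dI" % hdr["bat_entries"], img, HEADER_SIZE)
    out = bytearray(hdr["nb_sectors"] * SECTOR)   # zero-filled: unallocated stays zero
    for idx, entry in enumerate(bat):
        if entry == 0:
            continue
        dst = idx * cs
        if dst >= len(out):
            break                                   # BAT may be longer than the disk
        n = min(cs, len(out) - dst)                 # last cluster can be partial
        src = entry * hdr["off_mult"] * SECTOR
        chunk = img[src:src + n]
        if len(chunk) < n:
            raise ValueError("BAT entry %d points past end of container" % idx)
        out[dst:dst + n] = chunk
    return bytes(out), hdr


def convert_file(src_path, dst_path):
    """Disk-to-disk wrapper: hash the container, convert, hash the raw output.

    Work on an exported copy of the container, never the original. The whole file
    is read into memory; for multi-GB containers switch to mmap or chunked reads.
    """
    with open(src_path, "rb") as f:
        img = f.read()
    raw, hdr = parallels_to_raw(img)
    with open(dst_path, "wb") as f:
        f.write(raw)
    return {"container_sha256": hashlib.sha256(img).hexdigest(),
            "raw_sha256": hashlib.sha256(raw).hexdigest(),
            "raw_bytes": len(raw), "dirty": hdr["dirty"]}


def build_sample_image():
    """Constructed sample (not a real VM): 4 virtual clusters of 4 KiB, a 30-sector
    disk, virtual clusters 0 and 2 allocated, 1 and 3 never written."""
    tracks, bat_entries, nb_sectors = 8, 4, 30
    hdr = struct.pack(HEADER_FMT, MAGIC_V1, 2, 16, 1, tracks, bat_entries,
                      nb_sectors, 0, 0, b"\0" * 12)
    bat = struct.pack("<4I", 1, 0, 9, 0)     # v1 entries are file sector numbers
    img = bytearray(hdr + bat)
    img += b"\0" * (SECTOR - len(img))       # pad header + BAT to one sector
    img += b"A" * 4096                       # file sector 1  -> virtual cluster 0
    img += b"B" * 4096                       # file sector 9  -> virtual cluster 2
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <copy-of-container.hdd> <out.raw>" % sys.argv[0])
    print(convert_file(sys.argv[1], sys.argv[2]))
```

Record the container hash before converting and again after, so you can show the working copy was not altered by the conversion; the raw output hash is what you attach to the image you load into EnCase or mount read-only. If `dirty` comes back True, the container was captured while the VM was running or otherwise not flushed, so expect filesystem inconsistencies in the guest volume and document that in your notes.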