Parallels image - H...
 
Notifications
Clear all

Parallels image - HELP!

jcgcorreia
(@jcgcorreia)
New Member

Hello all,

This is my first post on this great forum, been browsing for a while now, lately ive been facing a big problem that i cant solve so i decided to get some outside help ).

Problem

I have an Encase image, thats around 900GB, which contains 4 partitions of a Linux server, so far so good. After exploring for a while i found out 4 Parallels image in seperate folders (image below)

http//s1.postimg.org/ta92zxhxr/ftk_img.png

The parallels files/images arent bootable, so i cant open them seperatly (out of the box) on virtualbox nor vmware.
Ive tried the qemu image convertion to RAW, but it didnt worked

( used the command
qemu-img.exe convert -f parallels -O raw root.hdd otput.dd
qemu-img.exe convert -f parallels root.hdd -O raw otput.dd
)

And after this im trying to open them on a OSX machine, but really dont have any hopes!

Is there any possible way to browser or to explore the content of this images?

Greets,
José Correia

Quote
Topic starter Posted : 05/12/2014 3:53 pm
Chris_Ed
(@chris_ed)
Active Member

It seems that the Parallels Image Tool allows you to convert it to a "raw" image (the "Convert to plain" option). I can't find anywhere to download it though - there are a few links but they don't look like official sources. Maybe you could contact them?

ReplyQuote
Posted : 05/12/2014 7:39 pm
jaclaz
(@jaclaz)
Community Legend

Seemingly you already did the "right thing", your same approach has been reported to be working fine
http//articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/
http//www.appleexaminer.com/MacsAndOS/Analysis/HowTo/VirtDiskConv/VirtDiskConv.html

jaclaz

ReplyQuote
Posted : 05/12/2014 7:41 pm
jcgcorreia
(@jcgcorreia)
New Member

Chris_Ed

I've been looking for that tool for a few days, and till now no luck (

jaclaz

I've also followed those two articles, and also others reporting that sometimes the qemu comand doesnt work, and work arounds, but again with no luck (

Thx for the replys, if i can figure out something i will sure share it! And if anyone else have other tips or approachs i will be happy to try them.

ReplyQuote
Topic starter Posted : 05/12/2014 8:13 pm
jaclaz
(@jaclaz)
Community Legend

Maybe it depends on the exact version of Qemu (and of Parallels) involved. ?

Or possibly (cannot say actually *how* or *why*) the parallels .hdd files are actually "partitions" and the Qemu expects intead a "whole disk" image.

BUt there are a lot of recent changes related to "parallels" in the source
http//git.qemu.org/?p=qemu.git&a=search&h=d00e6cddc220de993573dfb5fd160ac72ccd49ab&st=commit&s=parallels
so it is possible that the version is important.

Can you post the contents of one of the DiskDescriptor.xml files?

They should look *like*
http//parallels-data-recovery-corrupt.blogspot.it/

jaclaz

ReplyQuote
Posted : 05/12/2014 9:52 pm
jcgcorreia
(@jcgcorreia)
New Member

Heres the DiskDescriptor.xml for the 20GB file


<?xml version="1.0"?>
<Parallels_disk_image>
<Disk_Parameters>
<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>
<Padding>0</Padding>
</Disk_Parameters>
<StorageData>
<Storage>
<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>
<Image>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<Type>Compressed</Type>
<File>root.hdd</File>
</Image>
</Storage>
</StorageData>
<Snapshots>
<TopGUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</TopGUID>
<Shot>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<ParentGUID>{00000000-0000-0000-0000-000000000000}</ParentGUID>
</Shot>
</Snapshots>
</Parallels_disk_image>

ReplyQuote
Topic starter Posted : 05/12/2014 10:52 pm
jaclaz
(@jaclaz)
Community Legend

Hmmm. ?

At first sight I can see two things that look "strange" (and that may "confuse" a converting program)

<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>

These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.

As well

<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>

Blocksize is usually 512 bytes (traditional hard disks) or 4096 (newer 4K format), as well never seen a hard disk with 2048 bytes/sector.

To those you add the

<Type>Compressed</Type>

which may (or may not) be supported by the qemu-img tool.

BUT re-reading one of the given links and this one
http//vanappdeveloper.com/2013/07/04/converting-parallels-vm-to-linux-kvm/
it seems like the "source" should be a "stupidly long named" file with extension .hds (and not .hdd).

At a second glance, the image is coming NOT from parallels but from "vz" aka OpenVz which seemingly uses the same path/naming conventions
http//wiki.openvz.org/Main_Page
Example
http//forum.openvz.org/index.php?t=msg&goto=51400&

It is entirely possible that those images are already "RAW" or maybe they are "ploop" 😯 (whatever this is)
http//openvz.org/Man/ploop.8

Maybe
https://pve.proxmox.com/wiki/Vzctl_manual

jaclaz

ReplyQuote
Posted : 05/12/2014 11:52 pm
Chris_Ed
(@chris_ed)
Active Member

"ploop"?

Amazing.

ReplyQuote
Posted : 06/12/2014 2:10 pm
jaclaz
(@jaclaz)
Community Legend

"ploop"?

Amazing.

Naah, wait until you get to the Ballooning point
http//openvz.org/Ploop/readme#Ballooning
and start inflating it, that is amazing wink .

jaclaz

ReplyQuote
Posted : 06/12/2014 6:06 pm
athulin
(@athulin)
Community Legend

These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.

They may be a bit old-fashioned now …

See http//www.narf.ssji.net/~shtrom/docs/hdd/chs.htm for a list of actual drives with sectors/tracks from 17 and up. The word 'common' in the title is a bit of an exaggeration, though, at least nowadays.

ReplyQuote
Posted : 06/12/2014 6:54 pm
jaclaz
(@jaclaz)
Community Legend

They may be a bit old-fashioned now …

Well, the "now" is - like beauty - in the eye of the beholder.

Since the FIRST CHS limit was hit
http//www.pcguide.com/ref/hdd/bios/size.htm
http//www.pcguide.com/ref/hdd/bios/sizeMB504-c.html
and INT 13h was used, disks have been manufactured with a "virtual" setting of 63 sectors, this happened around 1993/94, at a time where sizes larger that 500 Mb were started being delivered, but even in 1995 a "common" hard disk size still rarely reached that size (*anything* would be running DOS or Windows 3.1/3.11), the "revolution" was introduced when Windows 95 was released, systems delivered near the end of 1995 started having larger disks, but anyway the "63" sectors were common since before.

My statement should have been "Never seen a real hard disk having anything different from 63 as numbers of sectors in the last 20 years or so".

In any case, the MBR partition table entry does not allow for anything more than 63, even the old IDE/ATA topped at 256, and 2863 😯 sectors seem a bit too much ….

jaclaz

ReplyQuote
Posted : 06/12/2014 8:16 pm
Share:
Share to...