Parallels image - H...
 
Notifications
Clear all

Parallels image - HELP!

11 Posts
4 Users
0 Likes
1,185 Views
(@jcgcorreia)
Posts: 3
New Member
Topic starter
 

Hello all,

This is my first post on this great forum, been browsing for a while now, lately ive been facing a big problem that i cant solve so i decided to get some outside help ).

Problem

I have an Encase image, thats around 900GB, which contains 4 partitions of a Linux server, so far so good. After exploring for a while i found out 4 Parallels image in seperate folders (image below)

http//s1.postimg.org/ta92zxhxr/ftk_img.png

The parallels files/images arent bootable, so i cant open them seperatly (out of the box) on virtualbox nor vmware.
Ive tried the qemu image convertion to RAW, but it didnt worked

( used the command
qemu-img.exe convert -f parallels -O raw root.hdd otput.dd
qemu-img.exe convert -f parallels root.hdd -O raw otput.dd
)

And after this im trying to open them on a OSX machine, but really dont have any hopes!

Is there any possible way to browser or to explore the content of this images?

Greets,
José Correia

 
Posted : 05/12/2014 4:53 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

It seems that the Parallels Image Tool allows you to convert it to a "raw" image (the "Convert to plain" option). I can't find anywhere to download it though - there are a few links but they don't look like official sources. Maybe you could contact them?

 
Posted : 05/12/2014 8:39 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Seemingly you already did the "right thing", your same approach has been reported to be working fine
http//articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/
http//www.appleexaminer.com/MacsAndOS/Analysis/HowTo/VirtDiskConv/VirtDiskConv.html

jaclaz

 
Posted : 05/12/2014 8:41 pm
(@jcgcorreia)
Posts: 3
New Member
Topic starter
 

Chris_Ed

I've been looking for that tool for a few days, and till now no luck (

jaclaz

I've also followed those two articles, and also others reporting that sometimes the qemu comand doesnt work, and work arounds, but again with no luck (

Thx for the replys, if i can figure out something i will sure share it! And if anyone else have other tips or approachs i will be happy to try them.

 
Posted : 05/12/2014 9:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe it depends on the exact version of Qemu (and of Parallels) involved. ?

Or possibly (cannot say actually *how* or *why*) the parallels .hdd files are actually "partitions" and the Qemu expects intead a "whole disk" image.

BUt there are a lot of recent changes related to "parallels" in the source
http//git.qemu.org/?p=qemu.git&a=search&h=d00e6cddc220de993573dfb5fd160ac72ccd49ab&st=commit&s=parallels
so it is possible that the version is important.

Can you post the contents of one of the DiskDescriptor.xml files?

They should look *like*
http//parallels-data-recovery-corrupt.blogspot.it/

jaclaz

 
Posted : 05/12/2014 10:52 pm
(@jcgcorreia)
Posts: 3
New Member
Topic starter
 

Heres the DiskDescriptor.xml for the 20GB file


<?xml version="1.0"?>
<Parallels_disk_image>
<Disk_Parameters>
<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>
<Padding>0</Padding>
</Disk_Parameters>
<StorageData>
<Storage>
<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>
<Image>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<Type>Compressed</Type>
<File>root.hdd</File>
</Image>
</Storage>
</StorageData>
<Snapshots>
<TopGUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</TopGUID>
<Shot>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<ParentGUID>{00000000-0000-0000-0000-000000000000}</ParentGUID>
</Shot>
</Snapshots>
</Parallels_disk_image>

 
Posted : 05/12/2014 11:52 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hmmm. ?

At first sight I can see two things that look "strange" (and that may "confuse" a converting program)

<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>

These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.

As well

<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>

Blocksize is usually 512 bytes (traditional hard disks) or 4096 (newer 4K format), as well never seen a hard disk with 2048 bytes/sector.

To those you add the

<Type>Compressed</Type>

which may (or may not) be supported by the qemu-img tool.

BUT re-reading one of the given links and this one
http//vanappdeveloper.com/2013/07/04/converting-parallels-vm-to-linux-kvm/
it seems like the "source" should be a "stupidly long named" file with extension .hds (and not .hdd).

At a second glance, the image is coming NOT from parallels but from "vz" aka OpenVz which seemingly uses the same path/naming conventions
http//wiki.openvz.org/Main_Page
Example
http//forum.openvz.org/index.php?t=msg&goto=51400&

It is entirely possible that those images are already "RAW" or maybe they are "ploop" 😯 (whatever this is)
http//openvz.org/Man/ploop.8

Maybe
https://pve.proxmox.com/wiki/Vzctl_manual

jaclaz

 
Posted : 06/12/2014 12:52 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

"ploop"?

Amazing.

 
Posted : 06/12/2014 3:10 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"ploop"?

Amazing.

Naah, wait until you get to the Ballooning point
http//openvz.org/Ploop/readme#Ballooning
and start inflating it, that is amazing wink .

jaclaz

 
Posted : 06/12/2014 7:06 pm
(@athulin)
Posts: 1156
Noble Member
 

These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.

They may be a bit old-fashioned now …

See http//www.narf.ssji.net/~shtrom/docs/hdd/chs.htm for a list of actual drives with sectors/tracks from 17 and up. The word 'common' in the title is a bit of an exaggeration, though, at least nowadays.

 
Posted : 06/12/2014 7:54 pm
Page 1 / 2
Share: