Hello all,
This is my first post on this great forum, been browsing for a while now, lately ive been facing a big problem that i cant solve so i decided to get some outside help ).
Problem
I have an Encase image, thats around 900GB, which contains 4 partitions of a Linux server, so far so good. After exploring for a while i found out 4 Parallels image in seperate folders (image below)
http//
The parallels files/images arent bootable, so i cant open them seperatly (out of the box) on virtualbox nor vmware.
Ive tried the qemu image convertion to RAW, but it didnt worked
( used the command
qemu-img.exe convert -f parallels -O raw root.hdd otput.dd
qemu-img.exe convert -f parallels root.hdd -O raw otput.dd
)
And after this im trying to open them on a OSX machine, but really dont have any hopes!
Is there any possible way to browser or to explore the content of this images?
Greets,
José Correia
It seems that the
Seemingly you already did the "right thing", your same approach has been reported to be working fine
http//articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/
http//
jaclaz
Chris_Ed
I've been looking for that tool for a few days, and till now no luck (
jaclaz
I've also followed those two articles, and also others reporting that sometimes the qemu comand doesnt work, and work arounds, but again with no luck (
Thx for the replys, if i can figure out something i will sure share it! And if anyone else have other tips or approachs i will be happy to try them.
Maybe it depends on the exact version of Qemu (and of Parallels) involved. ?
Or possibly (cannot say actually *how* or *why*) the parallels .hdd files are actually "partitions" and the Qemu expects intead a "whole disk" image.
BUt there are a lot of recent changes related to "parallels" in the source
http//
so it is possible that the version is important.
Can you post the contents of one of the DiskDescriptor.xml files?
They should look *like*
http//parallels-data-recovery-corrupt.blogspot.it/
jaclaz
Heres the DiskDescriptor.xml for the 20GB file
<?xml version="1.0"?>
<Parallels_disk_image>
<Disk_Parameters>
<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>
<Padding>0</Padding>
</Disk_Parameters>
<StorageData>
<Storage>
<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>
<Image>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<Type>Compressed</Type>
<File>root.hdd</File>
</Image>
</Storage>
</StorageData>
<Snapshots>
<TopGUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</TopGUID>
<Shot>
<GUID>{5fbaabe3-6958-40ff-92a7-860e329aab41}</GUID>
<ParentGUID>{00000000-0000-0000-0000-000000000000}</ParentGUID>
</Shot>
</Snapshots>
</Parallels_disk_image>
Hmmm. ?
At first sight I can see two things that look "strange" (and that may "confuse" a converting program)
<Disk_size>209715200</Disk_size>
<Cylinders>4577</Cylinders>
<Heads>16</Heads>
<Sectors>2863</Sectors>
These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.
As well
<Start>0</Start>
<End>209715200</End>
<Blocksize>2048</Blocksize>
Blocksize is usually 512 bytes (traditional hard disks) or 4096 (newer 4K format), as well never seen a hard disk with 2048 bytes/sector.
To those you add the
<Type>Compressed</Type>
which may (or may not) be supported by the qemu-img tool.
BUT re-reading one of the given links and this one
http//
it seems like the "source" should be a "stupidly long named" file with extension .hds (and not .hdd).
At a second glance, the image is coming NOT from parallels but from "vz" aka OpenVz which seemingly uses the same path/naming conventions
http//
Example
http//
It is entirely possible that those images are already "RAW" or maybe they are "ploop" 😯 (whatever this is)
http//
Maybe
https://
jaclaz
"ploop"?
Amazing.
"ploop"?
Amazing.
Naah, wait until you get to the Ballooning point
http//
and start inflating it, that is amazing wink .
jaclaz
These disks at least in theory, should follow "real" hard disk "standards".
Never seen a real hard disk having anything different from 63 as numbers of sectors.
They may be a bit old-fashioned now …
See http//