Mounting virtual hard drives
Download as PPTX, PDF1 like19,772 views
Virtual machines allow multiple operating systems to run simultaneously on a single host machine by virtualizing system resources. Common virtual machine programs include Microsoft Virtual PC, Microsoft XP Mode, Oracle VirtualBox, and VMWare. Virtual machine hard drives are typically large files in a format like VHD, VDI, or VMDK that contain the guest operating system and data. FTK Imager can mount these drives to allow forensic analysis of their contents.
Mounting virtual hard drives
- 2. Common in today’s computing environment Allow the user to run multiple, self contained operating systems on one hardware host machine The virtual machine utilizes the host machine’s resources (RAM, network interface, etc) Data can be transferred between the host and the virtual machine
- 4. Microsoft Virtual PC – typically has a “*.vhd” hard drive extension Microsoft XP Mode - typically has a “*.vhd” hard drive extension Oracle Virtualbox - typically has a “*.vdi” hard drive extension VMWare - typically has a “*.vhd” or “vmdk” hard drive extension
- 5. Virtual hard drive files are typically large in size. Usually two files are associated with the virtual machine Virtual hard drive file – contains the O/S and data Virtual machine settings file – provides the virtual machine’s configuration settings when used on the host machine
- 7. FTK Imager 3.0 and newer versions have the ability to mount forensic images and virtual hard drives. Images can be mounted as mapped drives on the computer Physical virtual hard drives and their logical partitions can be mounted. Mounted by using the “FileImage Mounting” within FTK Imager
- 8. Images can be mounted as “read only”
- 11. If you mount the virtual hard drive and you see the “unrecognized file system”, use Virtualbox’s internal commands to convert the hard drive to a raw format.
- 13. Extract the “vdi” file from the forensic image to a location on your hard drive: Open a command prompt window and navigate to the VirtualBox folder (typically c:Program FilesOracleVirtualBox). Run the following command against the “vdi” file you wish to convert (no quotes in the command line): vboxmanage.exe internalcommands converttoraw "xpath-to- vdi-filevdifilename.vdi" "x:path-to-output- foldervdifilename.raw“ Conversion time will vary depending on the size of the “VDI file. It is recommended you have twice the amount of drive space available as is the size of the “vdi” file since you are converting to an uncompressed “raw” format.
- 17. Virtual hard drive shows up as a physical drive on the system. The drive can then be imaged again and compared via hashing to ensure everything was captured.