Friday, August 28, 2009

Mounting Parallels HDD and HDS files

During examination of a Mac laptop, I located a file similar to winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds. Further digging revealed that Parallels Workstation had been installed and used on this computer and that the virtual machines had later been deleted. I found a good link that explains how to deal with .hds files. I then searched for .pvs files and DiskDescriptor.xml and was lucky to find a couple of DiskDescriptor.xml files. One of these files contained the GUID 5fbfaae3-6747-49ff-82a7-750e329bcb51 and stated that the virtual disk was compressed. The rest was easy. I renamed winxp.hdd.0.{5fbfaae3-6747-49ff-82a7-750e329bcb51}.hds to winxp.hdd, went to Start -> All Programs -> Parallels and fired up Parallels Image Tool, which is installed by default together with Parallels Workstation. With this tool I converted winxp.hdd to a plain hard disk image, which took only a few minutes.

I then used my favourite free tool, ImDisk, to mount the converted hard disk image. The default settings worked fine and ImDisk was able to mount the 'converted.hdd' file in read-only mode.

Edit: The new version of Parallels Image Tool uses a slightly different GUI. Converting to the plain format is now done through the "Manage disk properties" option. The quote "The perfect is the enemy of the good." from Voltaire's Dictionnaire Philosophique (1764) is quite relevant here, because the latest version may not always successfully convert "old" HDS files, so do not throw away/uninstall your old version of Parallels just yet.

Saturday, August 15, 2009

Quick notes

VirtualBox dynamic disks (VDI).

Analysing VirtualBox VDI files can sometimes be tricky. It is not a problem when the VDI file has header type 2, which means that you are dealing with a fixed disk. Searching for partitions with forensic tools such as EnCase or my all-time favourite X-Ways Forensics makes the examination no different from examining ordinary dd or E01 files. MakeSparseVDI, which comes with VirtualBox, can parse information from the VDI header and partition table. This information can be used to mount fixed VDI files with ImDisk, normally by pointing it to the partition start, which is usually located at offset 73728.

The old version of VirtualBox used to have a nice utility called vditool that could carve out the raw disk image. There is a good write-up in the 'Forensic Incident Response' blog about VirtualBox analysis. There have been several updates since then; vditool is no longer present and has been replaced with VBoxManage. The latter can convert raw images to VDI but not the other way around. (As it turned out, this is not the case. See below for details. The VirtualBox help doesn't have this information. This site is more useful.)

Dynamic disks have the value 1 at offset (decimal) 76 and they are not so easy to work with. Unlike flat volume images (fixed disks), dynamic disks cannot be mounted with the above-mentioned tools. The only tool/method that worked for me was WinMount. It mounted VirtualBox dynamic disks with no problems. The tool has a read-only option that is enabled by default in WinMount V3.2. It is also capable of mounting VHD (Virtual Hard Disk) and VMDK (VMware) images, comes with a 30-day trial period and costs $61.24 AUD.

Evgueni Tchijevski posted an easier way to deal with VDI disks: vboxmanage internalcommands converttoraw source destination. It works great, thanks Evgueni.
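As an added example (not from this post, nor VirtualBox's own code), the header fields discussed above can be checked with a small Python parser: the image type at offset 76 (1 = dynamic, 2 = fixed), plus the block map that a converttoraw-style flattening has to walk to turn a dynamic VDI back into a plain dd-style image. The field offsets assume VDI header version 1.1; the sample image is constructed in memory, so nothing here touches a real disk.

```python
import struct

VDI_SIGNATURE = 0xBEDA107F                 # u32 at header offset 64
IMAGE_TYPES = {1: "dynamic", 2: "fixed"}   # u32 at header offset 76
NOT_STORED = {0xFFFFFFFF, 0xFFFFFFFE}      # block-map entries: free block / all-zero block

def parse_vdi_header(data: bytes) -> dict:
    """Pull the VDI v1.1 header fields an examiner needs before mounting."""
    sig, version, _hdr_size, img_type = struct.unpack_from("<IIII", data, 64)
    if sig != VDI_SIGNATURE:
        raise ValueError("not a VDI image: bad signature at offset 64")
    off_blocks, off_data = struct.unpack_from("<II", data, 340)
    disk_size, block_size, _extra, blocks, allocated = struct.unpack_from("<QIIII", data, 368)
    return {"version": version, "type": IMAGE_TYPES.get(img_type, "unknown"),
            "offset_blocks": off_blocks, "offset_data": off_data,
            "disk_size": disk_size, "block_size": block_size,
            "blocks": blocks, "allocated": allocated}

def vdi_to_raw(data: bytes) -> bytes:
    """Flatten a VDI to a raw (dd-style) image by walking the block map. A fixed
    image carries a fully allocated map, so the same walk serves both types."""
    h = parse_vdi_header(data)
    block_map = struct.unpack_from(f"<{h['blocks']}I", data, h["offset_blocks"])
    out = bytearray()
    for entry in block_map:
        if entry in NOT_STORED:                 # never written: read back as zeros
            out += bytes(h["block_size"])
        else:                                   # entry = block index into the data area
            start = h["offset_data"] + entry * h["block_size"]
            out += data[start:start + h["block_size"]]
    return bytes(out[:h["disk_size"]])

def make_sample_vdi(block_map, block_size=512) -> bytes:
    """Constructed test image: 512-byte header, block map at 512, data at 1024.
    Logical block i is filled with the letter chr(65 + i) when it is allocated."""
    n, allocated = len(block_map), [e for e in block_map if e not in NOT_STORED]
    hdr = bytearray(512)
    hdr[:40] = b"<<< Oracle VM VirtualBox Disk Image >>>\n"
    img_type = 2 if len(allocated) == n else 1  # fully allocated -> fixed disk
    struct.pack_into("<IIII", hdr, 64, VDI_SIGNATURE, 0x00010001, 400, img_type)
    struct.pack_into("<II", hdr, 340, 512, 1024)
    struct.pack_into("<QIIII", hdr, 368, n * block_size, block_size, 0, n, len(allocated))
    bm = struct.pack(f"<{n}I", *block_map).ljust(512, b"\0")
    data = bytearray(len(allocated) * block_size)
    for logical, entry in enumerate(block_map):
        if entry not in NOT_STORED:
            data[entry * block_size:(entry + 1) * block_size] = bytes([65 + logical]) * block_size
    return bytes(hdr) + bm + bytes(data)
```

On a real image, read the file into `data` and feed `vdi_to_raw` to whatever mounts plain dd images; the header dictionary alone tells you whether the ImDisk/partition-offset route described above applies (fixed) or a block-map walk is needed (dynamic).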

Acquiring RAM on the latest Ubuntu or Fedora is becoming a little bit problematic.

/dev/mem is now protected by default. "The CONFIG_STRICT_DEVMEM kernel option was introduced to block non-device memory access."

/dev/kmem is disabled by setting CONFIG_DEVKMEM to 'n'.

RAM acquisition via FireWire option looks really attractive now. There are two topics however that I am not prepared to discuss in this blog, and these topics are FireWire RAM acquisition and Encryption.

My favourite quotes about digital forensics and security by Richard Drinkwater and Richard Bejtlich.

Richard Drinkwater

"I don't validate my tools - I validate my results."

Richard Bejtlich

"The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena."

Both hit the nail on the head!

Tuesday, August 4, 2009

Digital Contamination

Using your mobile on a plane may not be an issue in the near future as more airlines allow their passengers to make and receive calls during flights. However, the opposite might also be true when it comes to having your mobile phone switched on during search warrants or incident responses.

Almost all the latest mobile phone models now come with Wi-Fi and/or Bluetooth capabilities. These phones are often used by incident responders and digital forensic specialists who attend search warrants or scenes of crime. Given that it is almost impossible to find a laptop or desktop computer used by suspects without some kind of wireless network device built in or connected to it, the potential for accidental digital contamination should not be underestimated. Your Wi-Fi or Bluetooth enabled phone could potentially be detected by the suspect's laptop, and later you may find your mobile device's network name (or even worse, your own name) logged by the suspect's machine.

Furthermore, Google Sync, SyncJe, The Missing Sync and many other mobile phone applications are capable of wirelessly synchronising iPhone, BlackBerry, Windows Mobile and some Nokia and Ericsson standard phones with the base computer. The items that normally get synchronised are contacts, calendars, email account settings, webpage bookmarks, notes, music and photos. Theoretically, depending on the configured preferences, these items may get automatically synced between your mobile device and the suspect's computer "if care is not taken to ensure that the investigator's devices have had their wireless functions disabled prior to approaching a suspect's device..." [Angus M. Marshall]

I am just wondering how many organisations/practitioners have implemented safeguards/policies that deal with this issue. I am adding a poll to my blog that will run for a couple of weeks, so please take your time to answer the question.

Does your organisation have a policy mandating wireless devices off during forensic examination?