Mounting Virtual Hard Drives
Ronald Godfrey
Virtual Machines
Common in today’s computing environment
Allow the user to run multiple, self-contained operating systems on one hardware host machine
The virtual machine utilizes the host machine’s resources (RAM, network interface, etc.)
Data can be transferred between the host and the virtual machine
Types of Virtual Machine Software
Microsoft Virtual PC – typically has a “*.vhd” hard drive extension
Microsoft XP Mode - typically has a “*.vhd” hard drive extension
Oracle VirtualBox - typically has a “*.vdi” hard drive extension
VMware - typically has a “*.vhd” or “*.vmdk” hard drive extension
Virtual hard drive files are typically large in size.
Usually two files are associated with the virtual machine:
Virtual hard drive file – contains the O/S and data
Virtual machine settings file – provides the virtual machine’s configuration settings when used on the host machine
FTK Imager 3.0
FTK Imager 3.0 and newer versions have the ability to mount forensic images and virtual hard drives.
Images can be mounted as mapped drives on the computer
Physical virtual hard drives and their logical partitions can be mounted.
Images are mounted by using “File\Image Mounting” within FTK Imager.
Images can be mounted as “read only”
Converting the Virtual Hard Drive
If you mount the virtual hard drive and you see “unrecognized file system”, use VirtualBox’s internal commands to convert the hard drive to a raw format.
Convert to RAW Command
Extract the “vdi” file from the forensic image to a location on your hard drive.
Open a command prompt window and navigate to the VirtualBox folder (typically c:\Program Files\Oracle\VirtualBox).
Run the following command against the “vdi” file you wish to convert (no quotes in the command line):
vboxmanage.exe internalcommands converttoraw "x:\path-to-vdi-file\vdifilename.vdi" "x:\path-to-output-folder\vdifilename.raw"
Conversion time will vary depending on the size of the “vdi” file. It is recommended that you have twice as much free drive space available as the size of the “vdi” file, since you are converting to an uncompressed “raw” format.
Converted File
Virtual hard drive shows up as a physical drive on the system. The drive can then be imaged again and compared via hashing to ensure everything was captured.
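Added example (not part of the original slides): a Python helper for the space check before conversion and the hash comparison after re-imaging. It assumes the converted file and the re-acquired image are both plain raw files on disk; the function names and the choice of SHA-1 and SHA-256 are assumptions made for this example.

```python
import hashlib
import os
import shutil

CHUNK = 1024 * 1024  # images are large, so read 1 MiB at a time


def file_hashes(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hex digest} for one file, read in chunks."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def enough_space(vdi_path, output_dir, factor=2):
    """True if output_dir has at least factor x the vdi file size free."""
    needed = factor * os.path.getsize(vdi_path)
    return shutil.disk_usage(output_dir).free >= needed


def first_mismatch(path_a, path_b):
    """Byte offset of the first difference, or None if the files are identical."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a != b:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y:
                        return offset + i
                return offset + min(len(a), len(b))  # one image is shorter
            if not a:
                return None  # both files ended with no difference
            offset += len(a)


def verify(raw_path, reimage_path):
    """Compare the converted raw file with the re-acquired image."""
    raw, reimage = file_hashes(raw_path), file_hashes(reimage_path)
    match = raw == reimage
    diff = None if match else first_mismatch(raw_path, reimage_path)
    return {"match": match, "raw": raw, "reimage": reimage, "first_diff": diff}
```

When the hashes differ, "first_diff" gives the byte offset where the two images diverge, which shows whether the mismatch is a truncated capture or a change inside the data.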