The process of converting a full physical acquisition of a hard disk into a fully functioning virtual machine (VM) has been covered many times, probably because interacting with a machine the same way your suspect did just before it was seized is a technique that, in my opinion, is underused but still very valuable. There are things to be learned about your suspect's habits that may only be discovered by taking the time to look at your seized data in a live manner.
To accomplish this, one tool that I still hear people talking about on the Windows side is LiveView. At the time that I tried using it, the tool required a raw image of the disk. This meant taking the time to convert your E01 to a raw image, which cost both time and disk space.
Alternatives to LiveView are discussed in great detail by Jimmy Weg on his blog, justaskweg.com. Jimmy even wrote an article on going from a write-blocked drive to a VM, which I found very useful.
Lucky for us, going from a write-blocked drive to a VM can also be accomplished in Linux, and is something that I have discussed and covered previously.
In this article, I want to talk about booting a disk image of a Windows 10 machine. For the purposes of this article I used a live Linux distribution of LosBuntu. LosBuntu is our own Ubuntu 14.04 distribution that can be downloaded here.
The Plan:
The plan is to use a live version of LosBuntu and boot your machine from it. Whether you boot LosBuntu from a DVD or a flash drive, the process should be the same. Select a machine that is powerful and has plenty of RAM. Aside from the fact that LosBuntu already has xmount installed, another benefit of using a live distribution is complete segregation: any malware that you catch, or any action that you wish to reverse, can be dealt with by simply shutting down the machine, since nothing is written to the host's internal drive.
Installing the Tools:
The tools that we will be using during the process are xmount and VMware Workstation Player 12 (VMware). Xmount comes preinstalled in the live version of LosBuntu, but if you choose to install it yourself, find it here: https://pinguin.lu/pkgserver. VMware can be downloaded free here.
To install VMware, issue the command below. When prompted, enter the root password, which is “mtk” without the quotes.

$ sudo bash VMware-Player-12.0.1-3160714.x86_64.bundle

Use the VMware installer's graphical user interface to complete the installation.
The Test:
To illustrate the steps of converting a disk image of a Windows 10 machine to a VM, I will be using a previously acquired disk image of a Windows 10 operating system from a 512GB SSD that I use for testing.
The acquisition of the disk was done using the E01 format with best compression and 4000MB chunks. The image compressed down to about 33GB, spanned across 8 segment files. Thanks to the compression, the disk image occupies only 33GB of space, rather than the full 512GB it would have taken had we used the RAW format during acquisition. That is a lot of saved space.
Let us now turn our attention to the point of this write-up: converting this E01 to a virtual machine. To accomplish this feat, we are going to summon the powers of xmount. Xmount is a very powerful tool, written by Dan Gillen, that can convert on-the-fly between multiple input and output hard disk image types. In other words, xmount can take our E01 image and present it as a raw image (DD) on the fly, all while maintaining the integrity of the data.
Xmount can also turn a DD or an E01 into a VMDK (VMware virtual disk) and redirect writes to a cache file. This makes it possible, for example, to use VMware to boot an operating system contained in a read-only DD or E01 image.
For us to pull off the trick of turning an E01 into a VM, we are going to pass xmount the following instructions. Enter this command into the terminal:

$ sudo xmount --in ewf Win10.E?? --out vmdk --cache /mnt/cache/win10.cache /mnt/vmdk/
Breaking the command down: xmount is the command to crossmount; --in ewf tells xmount that we are passing it an image in the E01 (EWF) format; Win10.E?? is the E01 image, and because this example has more than one segment we use “E??” as the file extension so that every segment file is matched; --out vmdk tells xmount to present the E01 as a VMDK; --cache /mnt/cache/win10.cache is the cache file that will store all of the writes made by the operating system; and /mnt/vmdk/ is a previously created, empty mount point where the VMDK file will appear. Sudo gives xmount the superuser privileges it needs for the mount operation.
If you got your prompt back without any errors, then it is safe to assume that you issued the correct command. At this point, you have the E01 presented as a VMDK that is ready to be opened in VMware.
Now, fire up VMware and go through the process of creating a Windows 10 VM. This write-up assumes that you know the process, so we will not bore you with the steps of how to set up a VM. If needed, a web search on the topic will reveal multiple articles on accomplishing that specific task.
As you go through the process of creating your Windows 10 VM, I would recommend that you give the VM 4GB of RAM and 2 cores. I would also recommend that you un-check the box labeled “connect at power on” for your network adapter. This is your call, but I choose not to allow suspect machines to connect to the internet.
Finish setting up your machine and get back to the home screen.
We are almost ready to fire up the machine, but before we do that we have to make some final tweaks. An important one is adding the VMDK file to the virtual machine. Click on “edit the virtual machine settings” and remove the disk assigned to the VM. Then add the VMDK file that we previously mounted under /mnt/vmdk/.
Lastly, we need to edit the vmx configuration file so that VMware knows it needs to handle an image containing GPT/UEFI settings. This is a very important step: if you omit it, you will likely get a “no operating system found” error. Open the vmx file with your favorite text editor and add a line at the bottom of the file that reads:

firmware = "efi"
Once this is done, go back to VMware and start your VM.
If everything went according to plan, you should now have a fully functioning VM, revealing all of the settings and unique configurations your suspect applied to his or her machine. Feel free to navigate to your heart's content. Any edits that you make will be written to the cache file and will survive reboots. If you need to edit the registry, go ahead; the cache file will save the edits. Feel free to take screenshots or do anything else you need without worrying about compromising the integrity of the image. No changes will be made to the image, because E01 files are read-only. When you are done with the machine, shut it down. If you used LosBuntu as a live distribution, then the OS on your internal drive will also be untouched.
And there you have it.
Conclusion:
This is a completely free and quick way to see your suspect's system in a live manner, all while preserving the integrity of your data. If this procedure helped your investigation, we would like to hear from you. You can leave a comment or reach me on Twitter: @carlos_cajigas
Well done Los!

Thanks, hope that you find it useful.

Brilliant! Thanks Carlos

Thanks for the read!