
Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

by Nanni Bassetti

If we need to virtualize a disk image file, we can:

  1. Convert the image file to VDI/VMDK
  2. Use GNU/Linux and XMount

The first option is very space- and time-consuming: if we have a disk image of 1 TB, we need another 1 TB to store the VDI/VMDK virtual disk that feeds our virtual machine, and the conversion process itself takes a long time.

In GNU/Linux we can use XMount, which is very convenient because we don’t need to convert the image file to a virtual disk format; it “allows you to convert on-the-fly between multiple input and output harddisk image types. Xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image.

In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.”

If we are working in MS Windows, we don’t have a corresponding tool, so I decided to work out a method to do the same thing.

The steps are these:

  1. We need a physical disk in Windows, backed by the disk image file.
  2. We need virtual write access redirected to an external cache file, so the image file itself is never changed.
  3. We need a special command that creates a virtual representation of the input image, for an on-the-fly conversion.

All of these can be achieved by manually running a few tools and commands:

  1. We have to run VirtualBox to create a VM with no disk.
  2. We need to run Arsenal Image Mounter, because it can mount an image file as a real physical disk in Windows, and it can mount in write mode while saving the changes to an external cache file.
  3. We need to put the mounted disk offline, to avoid the write attempts that fail during the boot of the VM.
  4. We need the VBoxManage command to create the VMDK file on-the-fly.

All those steps can be done manually by launching tools and typing commands, but I know people get bored doing it that way, so I made a GUI with Lazarus to automate it.

Imm2Virtual

Pressing the first button we create an empty VM and give it a name (e.g. testvm). Pressing the second button we run Arsenal Image Mounter, and we have to mount the image in this way:

Then we have to put the disk image just mounted OFFLINE, using the Windows command DISKPART.

Type LIST DISK, note the disk number of your mounted disk image file (e.g. 2), and then type SELECT DISK number (e.g. SELECT DISK 2). Now put the disk offline by typing OFFLINE DISK.

And now let’s create the virtual VMDK disk. This is the manual procedure, but Imm2Virtual can do it for you if you simply type the disk name you chose and the physical disk number.

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\USER_NAME\VirtualBox VMs\DISK_NAME\DISK_NAME.vmdk" -rawdisk \\.\PhysicalDriveX

where

USER_NAME is your user name (Windows account).
DISK_NAME is the name you chose for your virtual machine.
PhysicalDriveX is the physical drive where Arsenal Image Mounter has mounted your disk image file (e.g. PhysicalDrive2).

Finally we can add our brand-new VMDK disk to our virtual machine and run it!
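The four manual steps above, scripted in PowerShell as an added example. This is not Imm2Virtual’s own code: it assumes the default VirtualBox install path and machine folder, that Arsenal Image Mounter has already mounted the image as PhysicalDrive<N> with writes redirected to its cache file, and that the Get-Disk/Set-Disk cmdlets of the Windows Storage module are available; the memory size and OS type passed to modifyvm are placeholder defaults.

```powershell
#Requires -RunAsAdministrator
# Added example (not Imm2Virtual's code): wraps an already mounted physical
# disk in a raw VMDK and attaches it to a new, empty VirtualBox VM.
param(
    [Parameter(Mandatory)][string]$VmName,     # e.g. testvm
    [Parameter(Mandatory)][int]$DiskNumber     # e.g. 2, as shown by LIST DISK
)

$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$VmDir      = Join-Path $env:USERPROFILE "VirtualBox VMs\$VmName"
$VmdkPath   = Join-Path $VmDir "$VmName.vmdk"
$RawDisk    = "\\.\PhysicalDrive$DiskNumber"

# Sanity checks: never wrap the host's own boot/system disk, and do not go on
# while the mounted disk is still online, because Windows keeps its volumes
# open and the guest's write attempts fail during boot (step 3 of the text).
$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the host boot/system disk, refusing to continue."
}
if (-not $disk.IsOffline) {
    # Equivalent of DISKPART: SELECT DISK n / OFFLINE DISK
    Set-Disk -Number $DiskNumber -IsOffline $true -ErrorAction Stop
}

# Step 1: create and register an empty VM (the GUI's first button).
& $VBoxManage createvm --name $VmName --register
if ($LASTEXITCODE -ne 0) { throw "createvm failed" }
# Placeholder defaults (assumption): adjust memory and OS type to the image.
& $VBoxManage modifyvm $VmName --memory 2048 --ostype Windows10_64
& $VBoxManage storagectl $VmName --name SATA --add sata --controller IntelAhci

# Step 4: the raw VMDK is only a descriptor pointing at the physical disk;
# no data is copied, so it costs seconds and a few bytes, not another 1 TB.
& $VBoxManage internalcommands createrawvmdk -filename $VmdkPath -rawdisk $RawDisk
if ($LASTEXITCODE -ne 0) { throw "createrawvmdk failed" }

# Attach the disk; the VM can then be started with: VBoxManage startvm $VmName
& $VBoxManage storageattach $VmName --storagectl SATA --port 0 --device 0 `
    --type hdd --medium $VmdkPath
```

Because every write the guest makes lands in Arsenal Image Mounter’s cache file, the hash of the original image can be re-verified after the VM session to confirm the evidence was not altered.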

Imm2Virtual is an Open Source program: https://github.com/nannib/Imm2Virtual

Author
Nanni Bassetti – http://www.nannibassetti.com
Digital Forensics consultant

Discussion

One thought on “Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File”

  1. Nice use of the “discardable writes” with Arsenal Image Mounter.

    Most probably the vboxmanage is unneeded, it should just create a .vmdk descriptor file pointing to the physicaldrive, similar to what has been discussed here: https://www.forensicfocus.com/Forums/viewtopic/t=15861/

    Only of the type “fulldevice”: http://sanbarrow.com/vmdk/disktypes.html#fullDevice

    Posted by Jacopo Lazzari | October 9, 2017, 7:34 pm
