Forensics for Pen Testers – Part 2

Converting dd image to vmdk for analysis

Setup

Astute readers will notice that the names for the images used in this part are not the same as in Part 1. Good for you, astute reader. I pulled a 16GB Quantum Fireball out of an old desktop that had not spun up in at least two years. When I last booted the system it was a fully functional Windows XP SP3 desktop.

I imaged this drive using the method in Part 1, verified the image, and copied it from the Kali Linux laptop that I dropped the initial image onto to an external USB drive. Why? Because in forensics you NEVER want to work with the initial image. The entire process took about 45 minutes for all three steps. The external drive is USB3, and that definitely made the copy phase faster.

Converting this dd image to a vmdk file and then booting it is obviously going to change the hash. Just booting a Windows system adds multiple entries to the event log which is more than enough for verification to fail. Not to mention that the OS is going to install drivers for all of the new devices that are used by VMWare. In summary, NEVER WORK OFF OF THE INITIAL IMAGE.

Before we get to the actual conversion, note that there is no reason this couldn’t be a conversion from dd to VHD or VDI instead. I have VMWare Workstation installed on my laptop and not VirtualBox or Virtual PC. I have used all of these and can’t say I have strong feelings for any one over the others.

The Good Stuff

Get the qemu utils:

apt-get install qemu-utils

Next we use qemu-img from qemu-utils to convert the image to vmdk (the output format flag is -O vmdk):

qemu-img convert -O vmdk /path/image.dd /path/output.vmdk

Get yourself a drink and stretch your legs. Forensics is a time consuming process. The conversion of this ~16GB dd file to vmdk took about 90 minutes.
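The copy-verify-convert workflow from the Setup section and the conversion step above, as an added shell script that is not part of the original post. It assumes sha256sum and qemu-img (from qemu-utils) are installed; the three paths on the usage line are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): verify a working copy of a dd
# image against the original before handing the copy to qemu-img.
# Assumes sha256sum and qemu-img are on PATH; all paths are placeholders.
set -eu

# Compare the sha256 of the working copy to the original image.
# Returns 0 when they match, 1 otherwise.
verify_copy() {
    orig_sum=$(sha256sum "$1" | cut -d' ' -f1)
    copy_sum=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$orig_sum" = "$copy_sum" ]
}

# Record the hash of the copy in a sidecar file so later checks have a
# reference that does not require re-reading the original image.
record_hash() {
    sha256sum "$1" > "$1.sha256"
}

# Convert the verified copy to vmdk. The converted disk (and anything
# booted from it) will not hash-match the dd image, so only the copy is
# ever passed to qemu-img; the original image is never touched here.
convert_to_vmdk() {
    qemu-img convert -O vmdk "$1" "$2"
}

# Usage: ./dd2vmdk.sh /path/image.dd /mnt/usb/image.dd /mnt/usb/image.vmdk
if [ "$#" -eq 3 ]; then
    verify_copy "$1" "$2" || { echo "copy does not match original" >&2; exit 1; }
    record_hash "$2"
    convert_to_vmdk "$2" "$3"
fi
```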

The next step was to attach the disk to an existing virtual machine to ensure it would spin up. I happened to have a Windows XP virtual machine that I keep around mostly to run old software. Depending on how you plan on testing this hard drive you can take a snapshot of the drive to allow any changes to be rolled back; I didn’t do this simply because I could always convert the copy of the dd file again if I made some catastrophic change. If you wanted to boot directly into the XP operating system it would probably be necessary to run a repair install off of either a disk or ISO image containing the installation files. The chances that the underlying physical hardware is the same as the virtual hardware are just about zero. That is why VMWare has a physical to virtual converter.

Here is where the pen testing part comes in. I spun the VM up and opened the drive in Windows Explorer to ensure that it worked. Oh look, right at the root: the Tax Backup folder. If this wasn’t my own drive I’d probably start there.

What next? Well we have covered acquiring the image and converting it to a virtual disk format. The next article in this series will cover juicy places to look in both the file system and Windows registry. It will probably have a cheat sheet for different operating systems to find data that will help you look good during the report writing phase of penetration testing. You know that phase? The one that everyone hates doing? Might as well look good doing it.