Hi, just thought I'd share this, since it took me an hour or two of
googling to figure out. I wanted to take a VMWare disk I had for
testing and mount it so that I could get the hibernation file off to
use with Sandman.
If you're on Linux, you can just use vmware-mount.pl to mount the
vmware disk.
If you're on Windows, you can use vmware-mount for that platform:
http://www.vmware.com/pdf/VMwareDiskMount.pdf
If you just want to mount a dd image on OS X, skip to step 3.
Step 1: Get the OS X version of QEMU at http://www.kju-app.org/kju/ ,
which comes with qemu-img, which can convert between VMDK and raw
disk images.
Step 2: Convert the VMDK image to a raw disk image:
azzurra:~ moyix$ /Applications/Q.app/Contents/MacOS/qemu-img convert -
f vmdk WindowsXpProfessional-000001.vmdk ~/xpsp2_img.raw
Step 3: Use the fdisk to determine where the partition you want to
mount starts. In this case I want the NTFS (called HPFS by fdisk)
partition, which fdisk says starts at sector 63.
azzurra:~ moyix$ fdisk ~/xpsp2_img.raw
Disk: /Users/moyix/xpsp2_img.raw geometry: 0/4/63 [0 sectors]
Signature: 0xAA55
Starting Ending
#: id cyl hd sec - cyl hd sec [ start - size]
----------------------------------------------------------
*1: 07 0 1 1 - 1023 254 63 [ 63 - 41913522] HPFS/QNX/AUX
2: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
3: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
4: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
Step 4: Use hdid to attach the image as a block device. It outputs the
device it attaches it to.
azzurra:~ moyix$ hdid -section 63 -nomount -imagekey diskimage-
class=CRawDiskImage ~/xpsp2_img.raw
/dev/disk1
Step 5: Mount the resulting block device with the appropriate
filesystem mounter.
azzurra:~ moyix$ sudo mount_ntfs /dev/disk1 /mnt/ntfs_fs/
Step 6: When you're done, unmount the FS and detach the block device:
azzurra:~ moyix$ sudo umount /mnt/ntfs_fs/
azzurra:~ moyix$ hdiutil detach /dev/disk1
Hope this helps someone,
Brendan
vol-users,
Some of you may have noticed that Matthieu Suiche just released a tool for
converting hiberfil.sys to a physical memory dump.
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
We have added support for Sandman generated images of physical memory in
the upcoming Volatility 1.3 release. If you would like to play with it
before then, I have attached a patch for Volatility-1.1.1. If you get a
chance, give it a try. Please let us know, if you have any problems with
the Volatility modules!
cd Volatility-1.1.1
patch -p1 <Volatility-1.1.1.hiber.patch
Thanks,
AW
vol-users,
Once again, Brendan Dolan-Gavitt has another great blog entry. I highly
recommend you adding his blog to your feeds. In this entry, he discusses
extracting registry data from volatile memory. Granted, I'm also a little
biased since it was implemented within Volatility. Brendan is a major
contributor to the Volatility community! Powered by the people.
http://moyix.blogspot.com/2008/02/cell-index-translation.html
Thanks,
AW
Vol-users,
We are getting ready for the next release of Volatility. If you have any
bugs you would like to see fixed, modules you would like to see added,
code you would like to contribute, or general suggestions, please let us
know! There are a number of new and exciting changes in the pipeline.
A special thanks to all those who have already provided feedback either
through email or on IRC.
Thanks,
AW
