Mounting virtual hard drives

Transcript

  • 1. Ronald Godfrey
  • 2.
      • Common in today’s computing environment
      • Allow the user to run multiple, self-contained operating systems on one hardware host machine
      • The virtual machine utilizes the host machine’s resources (RAM, network interface, etc.)
      • Data can be transferred between the host and the virtual machine
  • 3.
      • Microsoft Virtual PC – typically has a “*.vhd” hard drive extension
      • Microsoft XP Mode – typically has a “*.vhd” hard drive extension
      • Oracle VirtualBox – typically has a “*.vdi” hard drive extension
      • VMware – typically has a “*.vhd” or “vmdk” hard drive extension
  • 4.
      • Virtual hard drive files are typically large in size.
      • Usually two files are associated with the virtual machine:
          • Virtual hard drive file – contains the O/S and data
          • Virtual machine settings file – provides the virtual machine’s configuration settings when used on the host machine
  • 5.
      • FTK Imager 3.0 and newer versions have the ability to mount forensic images and virtual hard drives.
      • Images can be mounted as mapped drives on the computer.
      • Physical virtual hard drives and their logical partitions can be mounted.
      • Mounted by using “File\Image Mounting” within FTK Imager
  • 6.  Images can be mounted as “read only”
  • 7. If you mount the virtual hard drive and see “unrecognized file system”, use VirtualBox’s internal commands to convert the hard drive to a raw format.
  • 8. Extract the “vdi” file from the forensic image to a location on your hard drive:
      • Open a command prompt window and navigate to the VirtualBox folder (typically C:\Program Files\Oracle\VirtualBox).
      • Run the following command against the “vdi” file you wish to convert (no quotes in the command line):
        vboxmanage.exe internalcommands converttoraw "x:\path-to-vdi-file\vdifilename.vdi" "x:\path-to-output-folder\vdifilename.raw"
      • Conversion time will vary depending on the size of the “vdi” file.
      • It is recommended that you have free drive space equal to twice the size of the “vdi” file, since you are converting to an uncompressed “raw” format.
  • 9. Virtual hard drive shows up as a physical drive on the system. The drive can then be imaged again and compared via hashing to ensure everything was captured.
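
An added example, not part of the original slides: a Python sketch of the two checks slides 8 and 9 describe, a free-space test before conversion and a hash comparison between the converted raw file and the re-acquired image, with the first differing offset reported on a mismatch. The function names, the 1 MiB chunk size and the choice of SHA-1 and SHA-256 are assumptions.

```python
import hashlib
import os
import shutil

CHUNK = 1024 * 1024  # read 1 MiB at a time; disk images do not fit in RAM


def enough_space_for_raw(vdi_path, out_dir, factor=2):
    """Slide 8 rule of thumb: free space of at least twice the .vdi size."""
    needed = factor * os.path.getsize(vdi_path)
    return shutil.disk_usage(out_dir).free >= needed


def hash_image(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hexdigest} for one image, read in a single pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def first_difference(path_a, path_b):
    """Byte offset where two images first differ, or None if identical."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if ca != cb:
                for i, (x, y) in enumerate(zip(ca, cb)):
                    if x != y:
                        return offset + i
                return offset + min(len(ca), len(cb))  # one image is shorter
            if not ca:
                return None  # both files ended with no difference found
            offset += len(ca)


def verify_capture(raw_path, reimage_path):
    """Compare the converted raw file with the re-acquired image (slide 9)."""
    h_raw, h_new = hash_image(raw_path), hash_image(reimage_path)
    match = h_raw == h_new
    diff = None if match else first_difference(raw_path, reimage_path)
    return {"match": match, "raw": h_raw, "reimage": h_new, "first_diff": diff}
```

A reported `first_diff` equal to the size of the smaller file means one image is a truncated copy of the other, which points to an incomplete acquisition rather than altered content.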