Ronald Godfrey
Mounting virtual hard drives
Published in: Technology

  1. Ronald Godfrey
  2. • Common in today’s computing environment
     • Allow the user to run multiple, self-contained operating systems on one hardware host machine
     • The virtual machine utilizes the host machine’s resources (RAM, network interface, etc.)
     • Data can be transferred between the host and the virtual machine
  3. • Microsoft Virtual PC – typically has a “*.vhd” hard drive extension
     • Microsoft XP Mode – typically has a “*.vhd” hard drive extension
     • Oracle VirtualBox – typically has a “*.vdi” hard drive extension
     • VMware – typically has a “*.vhd” or “*.vmdk” hard drive extension
  4. • Virtual hard drive files are typically large in size.
     • Usually two files are associated with the virtual machine:
       • Virtual hard drive file – contains the O/S and data
       • Virtual machine settings file – provides the virtual machine’s configuration settings when used on the host machine
  5. • FTK Imager 3.0 and newer versions have the ability to mount forensic images and virtual hard drives.
     • Images can be mounted as mapped drives on the computer.
     • Physical virtual hard drives and their logical partitions can be mounted.
     • Mounted by using “File > Image Mounting” within FTK Imager.
  6. • Images can be mounted as “read only”.
  7. • If you mount the virtual hard drive and you see “unrecognized file system”, use VirtualBox’s internal commands to convert the hard drive to a raw format.
  8. • Extract the “vdi” file from the forensic image to a location on your hard drive:
       • Open a command prompt window and navigate to the VirtualBox folder (typically C:\Program Files\Oracle\VirtualBox).
       • Run the following command against the “vdi” file you wish to convert (no quotes in the command line):

         vboxmanage.exe internalcommands converttoraw "x:\path-to-vdi-file\vdifilename.vdi" "x:\path-to-output-folder\vdifilename.raw"

     • Conversion time will vary depending on the size of the “vdi” file.
     • It is recommended you have twice the amount of drive space available as is the size of the “vdi” file, since you are converting to an uncompressed “raw” format.
  9. • The virtual hard drive shows up as a physical drive on the system.
     • The drive can then be imaged again and compared via hashing to ensure everything was captured.
