Taking the time to look at a computer in a live manner will let you discover things that may not be visible when you only examine an image of a dead box. One way to do this would be to clone the original drive and place the clone back into the computer. Another would be to convert your forensic image into a virtual hard disk and run it in a Virtual Machine (VM). But did you know that you can go straight from a write-blocked drive to a VM?
In the past, I have cloned or restored drives to be placed into the suspect's computer for booting. Refer to our article here on how to do this in Linux. I have also converted forensic images to virtual hard disks, on the fly, to be booted in VMs. Refer to John Leer's article here on how to do this in Linux. But when I saw Jimmy Weg creating a VM straight from a write-blocked drive, I thought it was one of the coolest tricks in forensics. Jimmy wrote an excellent article on how to accomplish this in Windows. Refer to the article here. Lucky for us, going from a write-blocked drive to a VM can also be accomplished in Linux.
In this article we will go through the steps of booting a write-blocked drive as a VM, using only free tools on Linux. For the purposes of this article I used an examination computer running Ubuntu 12.10. Let's get started.
Installing the tools:
The tools we need to accomplish this task are xmount and VirtualBox. xmount is available from the Ubuntu Software Center, so let's head there first. Click on the Dash Home circle, located at the top left of your screen, type "software" and click on the Ubuntu Software Center icon that appears.
After the Ubuntu Software Center opens, you will see a search box in the top-right corner of the window. Type "xmount" and click on the Install button. You will be prompted for a password: Ubuntu asks for your own account password here, since the installer runs through sudo and a default Ubuntu install has no separate root password. Enter it and wait for the program to install.
VirtualBox can be downloaded from https://www.virtualbox.org/wiki/Downloads. Once you have both xmount and VirtualBox installed, we can move on to the next step.
It is now time to begin the examination. To illustrate the steps of booting a write-blocked drive as a VM, I will be using a 250GB, 2.5 inch SATA drive that contains a clean, uncorrupted Windows 7 installation. I connected the hard drive to a previously validated Wiebetech V4 hardware write-blocker, and then connected the write-blocker to my examination computer via USB 2.0.
Now open a Terminal window and run the following to determine which block device name (/dev/sdX) Ubuntu assigned to the write-blocked drive.
sudo fdisk -l
fdisk is a partition table manipulator for Linux. The -l flag tells fdisk to list the partition tables of every disk it can see, and sudo gives fdisk the superuser privileges it needs to read the raw devices. Press Enter and type your password if prompted.
Ubuntu assigned the write-blocked drive the name /dev/sdc. /dev/sdc is the raw block device that represents the entire physical disk. /dev/sdc1 is the small System Reserved partition that Windows 7 creates during installation, and /dev/sdc2 is the Windows 7 partition itself. Device names depend on the order in which drives were detected, so confirm that you have the right disk by matching the size fdisk reports against the drive's label rather than trusting the letter.
Now that you know the device name assigned to your drive, let's convert it to a VDI on the fly. To accomplish this, we will use xmount. xmount converts on the fly between several input and output disk image types: rather than writing a new image file, it presents the converted image as a virtual file inside a FUSE mount point while reading from the original. In other words, xmount can take an E01 and present it as a raw (dd) image, all while leaving the original data untouched.
xmount can also present a dd or an E01 as a VDI (VirtualBox Disk Image) and redirect any writes to a cache file. This makes it possible, for example, to use VirtualBox to boot an operating system contained in a read-only dd or E01 image.
To pull off the trick of booting a write-blocked drive in a VM, we are going to tell xmount to convert the block device /dev/sdc to a VDI by telling it that the input is a dd image rather than an actual write-blocked drive. Devious plan, right? I know. Enter devious laughter!!!
This works because /dev/sdc and a raw dd image look identical to a Linux program: each is one big flat sequence of bytes, read from the first sector to the last. Before running the command, make sure the mount point (here /mnt/vdi) exists and is empty, and that the cache directory (here /mnt/cache) sits on a disk with free space. Then enter the following into the terminal.
sudo xmount --in dd --out vdi --cache /mnt/cache/sdc.cache /dev/sdc /mnt/vdi/
xmount is the command to crossmount. --in dd tells xmount that we are passing it a dd image as the input, --out vdi tells it to present that "dd" as a VDI, --cache /mnt/cache/sdc.cache names the cache file that will receive every write made by the guest operating system, /dev/sdc is the write-blocked hard drive seen as a block device, and /mnt/vdi is my previously created, empty mount point. sudo gives xmount the superuser privileges it needs to read /dev/sdc. The cache file grows with everything the guest writes, so keep it on a disk with room to spare.
If you got your prompt back without errors, everything went well: xmount keeps running in the background, and listing /mnt/vdi should show a single file named sdc.vdi, roughly the size of the physical disk.
Now launch VirtualBox and create your VM, choosing to use an existing virtual hard disk and pointing it at the VDI from xmount. Mine is located at /mnt/vdi/sdc.vdi.
When complete, press the start button and fire it up.
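The whole procedure above, from confirming the device name through starting the VM, gathered into one script. This is an added example for this article, not the author's script. It assumes xmount, VirtualBox's VBoxManage and sha256sum are installed, that /mnt/cache and /mnt/vdi already exist, and that the drive sits behind a hardware write-blocker. The fdisk -l text embedded in it is constructed so the device-matching helper can be checked without hardware; it was not captured from a real system. The VM settings (name, memory, controller type) are choices made for this example.

```shell
#!/bin/sh
# wb2vm.sh - boot a hardware write-blocked drive into VirtualBox through xmount.
# Added example for this article, not the author's script.  Assumes xmount
# (apt-get install xmount), VBoxManage and sha256sum are installed, that
# CACHE_DIR and VDI_DIR exist, and that the drive is behind a hardware write
# blocker.  Run as your own user; sudo is used only where root is required.
# Usage:  ./wb2vm.sh 250059350016     (the byte count printed on the drive label)

CACHE_DIR=/mnt/cache     # assumption: writable, with room for the VM's writes
VDI_DIR=/mnt/vdi         # assumption: empty directory used as the FUSE mount point

# Constructed sample of `fdisk -l` output (old util-linux layout, as on Ubuntu
# 12.10) used to exercise the parser below; not captured from a real system.
SAMPLE_FDISK=$(cat <<'EOF'
Disk /dev/sda: 500.1 GB, 500107862016 bytes
Disk identifier: 0x0005a3b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048   976771071   488384512   83  Linux

Disk /dev/sdc: 250.1 GB, 250059350016 bytes
Disk identifier: 0x8f1c22d0

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sdc2          206848   488394751   244093952    7  HPFS/NTFS/exFAT
EOF
)

# Read `fdisk -l` text on stdin and print "device bytes" for each whole disk.
# Field 5 is the byte count in both the old ("250.1 GB, 250059350016 bytes") and
# the new ("232.9 GiB, 250059350016 bytes, 488397168 sectors") layouts; partition
# rows and "Disk identifier:" lines do not match the pattern.
disks_from_fdisk() {
    awk '/^Disk \/dev\//{ dev = $2; sub(/:$/, "", dev); print dev, $5 }'
}

# Pick the disk whose size equals the byte count on the drive label, so the
# device letter is confirmed rather than assumed.  Fails unless exactly one matches.
disk_by_size() {
    found=$(disks_from_fdisk | awk -v want="$1" '$2 == want { print $1 }')
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# xmount names the virtual disk after the input's basename: /dev/sdc -> sdc.vdi
vdi_path_for() {
    printf '%s/%s.vdi\n' "$VDI_DIR" "$(basename "$1")"
}

# Belt and braces on top of the hardware blocker: flag the node read-only in
# the kernel too, so a stray write from the examination system fails.
prepare_device() {
    sudo blockdev --setro "$1"
    [ "$(sudo blockdev --getro "$1")" = 1 ]
}

# Whole-disk hash.  Slow for 250 GB over USB 2.0, but repeating it after the
# session is the proof that nothing on the original changed.
hash_device() {
    sudo sha256sum "$1" | awk '{ print $1 }'
}

# Present the raw block device as a VDI with writes redirected to the cache.
# Reusing the same cache file brings back a previous session's changes; pass
# --owcache instead of --cache to start from a clean state.
mount_as_vdi() {
    sudo xmount --in dd --out vdi --cache "$CACHE_DIR/$(basename "$1").cache" \
        "$1" "$VDI_DIR"
    [ -s "$(vdi_path_for "$1")" ]
}

# Register a VM around the virtual disk.  No network adapter, so the suspect
# system cannot reach the network from inside the VM.  A Windows 7 install that
# ran on an IDE controller may stop with a 0x7B blue screen on AHCI; if so,
# replace "--add sata --controller IntelAhci" with "--add ide".
create_vm() {
    VBoxManage createvm --name "$1" --ostype Windows7_64 --register
    VBoxManage modifyvm "$1" --memory 2048 --cpus 2 --nic1 none
    VBoxManage storagectl "$1" --name SATA --add sata --controller IntelAhci
    VBoxManage storageattach "$1" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$2"
}

main() {
    dev=$(sudo fdisk -l 2>/dev/null | disk_by_size "$1") ||
        { echo "no single disk of $1 bytes found" >&2; exit 1; }
    echo "write-blocked drive is $dev"
    prepare_device "$dev"
    before=$(hash_device "$dev")
    echo "$before  $dev  before" >> "$CACHE_DIR/hashes.txt"
    mount_as_vdi "$dev"
    name="wb-$(basename "$dev")"
    create_vm "$name" "$(vdi_path_for "$dev")"
    VBoxManage startvm "$name"
    echo "When done: VBoxManage controlvm $name poweroff; sudo fusermount -u $VDI_DIR;"
    echo "then re-run sha256sum on $dev and compare with $before"
}

# Act only when given the drive's byte count, so the file can also be sourced
# to reuse or test the helpers without any hardware attached.
case "${1:-}" in
    [0-9]*) main "$1" ;;
esac
```

As in the article, xmount runs under sudo while VirtualBox runs as your own user, and the script registers the VM with no network adapter so the suspect's operating system cannot reach anything outside the VM. Hashing the whole drive before and again after the session adds time on a 250GB disk over USB 2.0, but the matching pair of digests is what lets you show the write-blocker did its job.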
The virtual machine of your write-blocked drive should now be up and running, with every write going to the cache file and none back to your drive. If you encounter a password-protected profile, recover the account password from the SYSKEY and SAM hives using our procedure here. Any changes you make are stored in the cache file and remain available across reboots of the VM, as long as you point xmount at the same cache file the next time you mount the drive. The more memory and processors you can give your VM, the snappier it is going to be.
And there you have it.
This is a quick and dirty way to see your suspect's computer in a live manner while preserving the integrity of the data: the write-blocker keeps the drive untouched, xmount keeps the guest's writes in the cache file, and hashing the drive before and after the session lets you prove it.
If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at firstname.lastname@example.org. Twitter: Carlos_Cajigas