
For VMware users only



#1 was_jaclaz

Posted 16 January 2007 - 05:43 PM

Here:
http://sourceforge.n...ojects/liveview

LiveView is a forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image. This allows an examiner to "boot up" the image and gain an interactive, user-level perspective of the environment, all without modifying the image.


jaclaz

#2 TheHive


Posted 16 January 2007 - 07:03 PM

What's a "raw (dd-style) disk image"?

#3 sanbarrow


Posted 16 January 2007 - 09:31 PM

What's a "raw (dd-style) disk image"?


LiveView can work with 2 kinds of VMware-type images:

a raw-disk - this is just a description of a physical disk - see this example:

# Disk DescriptorFile
version=1
CID=13f70cd7
parentCID=ffffffff
createType="partitionedDevice"

# Extent description
RW 63 FLAT "raw-pt.vmdk" 0
RW 24579387 FLAT "\\.\PhysicalDrive0" 63
RW 131716935 ZERO
RW 5103 ZERO

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "16383"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.geometry.biosCylinders = "1024"
ddb.geometry.biosHeads = "255"
ddb.geometry.biosSectors = "63"
ddb.adapterType = "ide"


A raw-disk is a 1 KB file used to access PhysicalDrive0, like in this case.

MonolithicFlat - this is something like a dd-image with an additional descriptor file. DD-images can be created with any Knoppix-CD, for example ...
They are a sector-based, full, uncompressed image of a disk (or of a partition only).
You can convert an existing dd-image into a monolithicFlat VMware-disk by adding this small description.


LiveView uses a bug in VMware.
Following all common sense, VMware prohibits creating snapshots of raw-disks (physical disks) via the GUI interface. In normal use this is very, very dangerous and considered mad.
Now VMware Workstation uses a command-line tool named vmrun.exe to start and stop virtual machines per script.
One of these functions is "add snapshot to disk X".
Now vmrun doesn't refuse snapshots on raw-disks, so LiveView uses this to create a snapshot.

As soon as you have a snapshot you can investigate the existing disk without changing it, as all changes go into a REDO log instead.

I asked the LiveView guys whether they were interested in doing this from a LiveCD, as I have done similar stunts several times before - with my VMware Workstation on BartPE.

I guess it sounded too crazy for those forensic specialists :P

There is one function I like in LiveView - they can add this VMware-style descriptor file to a dd-image automatically using a bloated Java trick.
I'd like to adopt this trick if it weren't so bloated.
Jaclaz - I'm sure you could extract the necessary info with dsfo from the MBR of the dd-image.

Summary: LiveView is an interesting approach - but rather half-hearted.
They do it to be able to investigate a tampered box faster - but they still have to create an image in the first place.
This is not even necessary if you do this from a LiveCD.

Just my 2 cents ....

Ulli

(Forgot one thing - they also patch IDE disk images so that they can run as an IDE-based virtual machine - by the way, this is just one of the functions I have in that moapatchman stuff.)
http://www.911cd.net...showtopic=19091
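As an added example (not LiveView's code and not from this thread), here is a Python script that does the descriptor-adding step Ulli describes: it sizes the dd-image, derives the IDE geometry the way the descriptor quoted above does (16 heads, 63 sectors, cylinders capped at 16383), and emits a monolithicFlat descriptor whose single FLAT extent is the image; it also reads the partition table out of the MBR as a check that the image is a whole disk rather than a partition only. The field layout follows the quoted descriptor; that the cylinder cap is VMware's convention and that this descriptor alone is enough for VMware to accept the disk are assumptions.

```python
import os
import secrets
import struct

SECTOR = 512
HEADS, SPT = 16, 63     # classic IDE geometry, as in the descriptor quoted above
MAX_CYL = 16383         # cylinder cap seen in that descriptor (assumed VMware convention)


def mbr_partitions(first_sector: bytes):
    """Return (type, start_lba, sector_count) for each used MBR partition entry."""
    if len(first_sector) < SECTOR or first_sector[510:512] != b"\x55\xaa":
        return []       # no MBR signature: likely a partition-only image, not a disk
    parts = []
    for i in range(4):
        entry = first_sector[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count:
            parts.append((entry[4], start, count))
    return parts


def flat_descriptor(image_name: str, size_bytes: int, cid: str = "") -> str:
    """Build a monolithicFlat descriptor whose single FLAT extent is the dd image."""
    if size_bytes % SECTOR:
        raise ValueError("image size is not a whole number of 512-byte sectors")
    sectors = size_bytes // SECTOR
    cylinders = min(sectors // (HEADS * SPT), MAX_CYL)
    cid = cid or secrets.token_hex(4)       # fresh content id for the new disk
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        f"CID={cid}\n"
        "parentCID=ffffffff\n"
        'createType="monolithicFlat"\n\n'
        "# Extent description\n"
        f'RW {sectors} FLAT "{image_name}" 0\n\n'
        "# The Disk Data Base\n#DDB\n\n"
        'ddb.virtualHWVersion = "4"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{HEADS}"\n'
        f'ddb.geometry.sectors = "{SPT}"\n'
        'ddb.adapterType = "ide"\n'
    )


def describe_image(path: str) -> str:
    # Read the first sector for the MBR check, then build the descriptor text.
    with open(path, "rb") as fh:
        head = fh.read(SECTOR)
    for ptype, start, count in mbr_partitions(head):
        print(f"partition type 0x{ptype:02x}: LBA {start}, {count} sectors")
    return flat_descriptor(os.path.basename(path), os.path.getsize(path))
```

Save the returned text next to the image as a .vmdk file and attach it to a VM; as the post says, take a snapshot before booting so that writes go to the REDO log rather than into the image.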



