reflections

reflections

About the Blog

This Blog is about different Computer Forensic methodologies. Please, think of it as a suggestion. Test your own Tools and do not believe everything you get told. Things may change and bugs are everywhere ;-)

@my4n6

Mounting .vhdx Images with qemu-nbd

Imaging and MountingPosted by @my4n6 Wed, January 24, 2018 17:22:44

Image mounting in a forensic manner. Using qemu-nbd to mount special image

formats.

Checking the MD5sum of the image:

root@VM-CAINE:~# md5sum IMAGE.vhdx

958e7939cf7ce1e51e4bcbac81f9b5b6 IMAGE.vhdx

What kind of image is it?

root@VM-CAINE:~# file IMAGE.vhdx

IMAGE.vhdx: data

root@VM-CAINE:~# qemu-img info IMAGE.vhdx

image: IMAGE.vhdx

file format: vhdx

virtual size: 1.0G (1073741824 bytes)

disk size: 100M

cluster_size: 33554432

Load the nbd kernel module to work with qemu-nbd:

root@VM-CAINE:~# modprobe nbd max_nbds=10 max_part=10

Map the whole image to /dev/nbd0 (readonly):

root@VM-CAINE:~# qemu-nbd --connect=/dev/nbd0 --read-only IMAGE.vhdx

Partition- and File System checking with the sleuthkit:

root@VM-CAINE:~# mmls /dev/nbd0

DOS Partition Table

Offset Sector: 0

Units are in 512-byte sectors

Slot Start End Length Description

000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)

001: ------- 0000000000 0000000127 0000000128 Unallocated

002: 000:000 0000000128 0002091135 0002091008 NTFS / exFAT (0x07)

003: ------- 0002091136 0002097151 0000006016 Unallocated

root@VM-CAINE:~# fsstat -o 128 /dev/nbd0 | head -n 5

FILE SYSTEM INFORMATION

--------------------------------------------

File System Type: NTFS

Volume Serial Number: D6DC0DD6DC0DB233

OEM Name: NTFS

root@VM-CAINE:~# fls -o 128 /dev/nbd0

r/r 4-128-4: $AttrDef

r/r 8-128-2: $BadClus

r/r 8-128-1: $BadClus:$Bad

r/r 6-128-4: $Bitmap

r/r 7-128-1: $Boot

d/d 11-144-4: $Extend

r/r 2-128-1: $LogFile

r/r 0-128-6: $MFT

r/r 1-128-1: $MFTMirr

d/d 40-144-1: $RECYCLE.BIN

r/r 9-128-8: $Secure:$SDS

r/r 9-144-11: $Secure:$SDH

r/r 9-144-14: $Secure:$SII

r/r 10-128-1: $UpCase

r/r 10-128-4: $UpCase:$Info

r/r 3-128-3: $Volume

r/r 39-128-1: linuxintro-LEFE-4.31.pdf

d/d 36-144-1: System Volume Information

V/V 256: $OrphanFiles

Mapping the Partitions using kpartx (readonly):

root@VM-CAINE:~# kpartx -r -a /dev/nbd0

root@VM-CAINE:~# ls /dev/mapper/

control nbd0p1

Or using qemu-nbd to map the first partition (readonly):

root@VM-CAINE:~# qemu-nbd --connect=/dev/nbd1 -P 1 --read-only IMAGE.vhdx

Mounting the NTFS-File System, different ways:

root@VM-CAINE:~# mount.ntfs -o ro,allow_other /dev/mapper/nbd0p1 /mnt/NTFS/

root@VM-CAINE:~# ls /mnt/NTFS/

linuxintro-LEFE-4.31.pdf $RECYCLE.BIN System Volume Information

root@VM-CAINE:~# umount /mnt/NTFS

root@VM-CAINE:~# mount.ntfs -o ro,show_sys_files,streams_interface=xattr,allow_other /dev/mapper/nbd0p1 /mnt/NTFS/

root@VM-CAINE:~# ls /mnt/NTFS/

$AttrDef $Bitmap $Extend $LogFile $RECYCLE.BIN System Volume Information $Volume

$BadClus $Boot linuxintro-LEFE-4.31.pdf $MFTMirr $Secure $UpCase

root@VM-CAINE:~# umount /mnt/NTFS

Unmap and detach the disk image from the system:

root@VM-CAINE:~# kpartx -d /dev/nbd0

root@VM-CAINE:~# qemu-nbd -d /dev/nbd0

/dev/nbd0 disconnected

Final check of the md5sum. Everything OK!

root@VM-CAINE:~# md5sum IMAGE.vhdx

958e7939cf7ce1e51e4bcbac81f9b5b6 IMAGE.vhdx