| Author | Message | ||
     Mark Metz Username: itmetz Registered: N/A |
I have created an image file of the recovered server files. I believe I need to do a VMware install and then repair the boot partition. The image is 373GB and I'm not sure what to do next. Can someone walk me through restoring this server? Thank You! | ||
| René Axnix Username: reax Registered: N/A |
if you have the .vmdk-files you can install the free vmware-server software. in your case i would install the vmware diskmount utility too and the diskmount-gui (if the filesystem was fat(12/16/32) or ntfs). with the diskmount-gui (vmxbuilder.com) you can mount (even as write-protected) the filesystem and image or investigate it directly like a normal harddisk. don't forget the vmware-tools. the other way is to create an own virtual machine with windows xp including x-ways winhex/forensics. after that you can add your virtual harddisk. | ||
| W. Spiegl Username: ws Registered: N/A |
vmware:Don't forget to run live view 0.7b before. http://liveview.sourceforge.net/ - this makes it easier as it replaces a lot of drivers which do not work well on your virtual machine. @Rene: High, also online? | ||
| Mark Metz Username: itmetz Registered: N/A |
Thanks for the response! I have installed VMWare server and have Winhex installed but I can't figure out how to get at the vmdk's from the winhex image "Drive D.whx" | ||
| W. Spiegl Username: ws Registered: N/A |
> I have created an image file of the recovered server files. Means what exact? You created an image of the whole harddrive? (are all server files still existing?) Or did you recover single files of a server and make an image out of them? Or what else? What happened with the boot partition? | ||
| Mark Metz Username: itmetz Registered: N/A |
The server had 6 hard drives and an image file was created of the whole volume. I was given a .IMG file and I created the WInhex image (.whx) from it. I do not have access to the drives. I am trying to restore one of the 4 VM's. I thought winhex might help me pull the vmdk's out of the image file? I was told to do a vmware install and then repair the boot partition overwriting the image file. I'm just not sure how to do it. Am I making this more complicated than it has to be? Thanks! | ||
| Brett Shavers Username: bshavers Registered: N/A |
Here is some information for you: http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf You can either extract the vm files with WinHex to restore or you can mount the image, use FTK Imager, and image the vm directly from the image (and boot that image). The steps are written on the vm paper above on how to do this. | ||
| Mark Metz Username: itmetz Registered: N/A |
Brett, Nice Document...good stuff! I'm not sure how to extract the vm files with winhex? How to I determine which files I will need? FTK Imager will take a long time to get...is it worth it? | ||
| Brett Shavers Username: bshavers Registered: N/A |
You can extract all the vm files (should be under one folder-My Virtual Machines or wherever they were placed). A better method would be to; 1) Mount your image as a physical or logical drive. 2) Use FTK Imager to image the vm to a separate image (point FTK Imager at the appropriate vm file (described in the prior writeup I referenced) 3) Use XWF or any forensic application to examine your new image of the vm as if it were an image of a physical hard drive. When you add the vm as evidence with FTK, you will be able to see the folder structure of the vm and can create the image as if FTK Imager were looking at a physical drive (no differences in the procedure). | ||
| Jimmy Weg Username: jw Registered: 7-2006 |
You also should be mindful of snapshots when you examine VMs. I've found that FTK Imager is inconsistent in its ability to mount them. On the other hand, I've very good luck with the VMware-Mount utility that comes with the Virtual Disk Development Kit, which also is free, at http://www.vmware.com/support/developer/vddk/. It's read-write, however. Depending on the case, you may be able to run the VMs and go to the variuos snapshots within the application. |