Friday, July 13, 2012
Parallels hard drive image converting for analysis
The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives. To my surprise, I did not find many help on this issue on-line and did not find tools that would interpret the file system in Parallels’ hard drive images. The simplest way I wanted to approach this issue is by converting the hard drive image to something simpler like a dd image. I found a very nice article on how to convert to a plain hard drive image using Parallels Image Tool that comes with Parallels Desktop( http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html), but I had no access to a Mac and wanted to see if there is a way to do this on Windows. There was VMware vCenter Converter ( free software – http://www.vmware.com/products/converter ), but it did not by giving a message the it could not recognized it. I also found an interesting tool MakeVM – http://www.sysdevsoftware.com/soft/makevm.php that looked very promising, but the demo version would not convert an image size larger than 2GB. So, I wanted to look further into other options. This article is about the findings of that “journey”.
Parallels Workstation comes with a few command line tools for basic drive manipulation like prl_disk_tool or prl_conver, but the best converter, I found, is the latest Open Source project QEMU.
Qemu-1.0.1-windows.zip - http://lassauge.free.fr/qemu/
One of the utilities in QEMU is qemu-img where the help file reveals the value of this simple utility, when it comes to converting image types. The latest version just added the parallels’ image format support. “Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qco w2 qed host_device file raw sheepdog vdi vmdk vpc vvfat”
Step 1. I have downloaded Parallels Workstation trail version to create a virtual machine for testing and to make sure my findings will be applicable to the latest version of Parallels.
Parallels Workstation Build 6.0.13976
( Revision 769982; June 8, 2012 )
Step 2. Created a virtual machine ( Windows 2008 Server ) with a 20GB hard drive.
Step 3. Used qemu-img utility to convert the image into a raw image
qemu-img.exe convert -f parallels -O raw “Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds” f:\temp\otput.dd
Step 4. Opened the image in FTK Imager to analyze the data
Subscribe to:
Post Comments (Atom)
1 comment:
Very interesting point. Did you had the chance to verify if this work with an original image splitted in 2gb chunks that's a very coomon situation ...
Post a Comment