Throughout the course of investigations, you run into individuals who have all types of technical backgrounds. For times when you have to look at evidence from a more technically savvy user, you may run into virtual machines installed on the machine. Virtual machines are separate instances of an operating system that you can run virtually. The user could have a laptop that’s running a Windows machine on the bare metal. But they could be running a virtual machine that may be running Linux or a different instance of Windows.
Vmware Virtual Machines
When you run into a Vmware Virtual Machines, the process is fairly straightforward. You open up the folder where the virtual machine is located and copy the VMDKfile to a location of your choice on your machine and use Autopsy to add it as a data source. Autopsy will be able to ingest the VMDK and parse out all its data. Straight from Autopsy’s release notes:
However, when you run into a Mac that has Parallels installed (another virtual machine application) we need to do some conversions in order to get in a raw format because Autopsy isn’t able to ingest the Parallels PVM file. Let’s see what it takes to make that conversion below.
Getting Setup for Parallels Virtual Machines
Since this VM is hosted on a Mac, we’re going to do this on a Mac. The first step (after having Homebrew installed) is to install QEMU, which is an open-source hypervisor. Type in “brew install qemu”.
After the package is installed, we can ensure that it’s working properly with a good old help command “qemu-img –help. You should see output similar to what’s below.
Now let’s navigate to where our Parallels virtual machines are located. I have quite a few here but right click on the machine you’re interested in and select “Show Package Contents”.
Once you’ve done that, you’ll be shown the contents within the pvm file.
Now, we’re going to have to right click one more time on the ‘hdd’ file and “Show Package Contents” again. Last time, I promise!
Finally, you will see the following contents. The one we want to focus on is the hds file with the unique identifier.
Final Conversion
Now you want to copy out the .hds file to somewhere convenient so you can continue to work with it. I’ve copied it to my desktop.
Now that we have it on our desktop, we can now use qemu to convert it to a raw image. The command is “qemu-img convert -f parallels “HDS file” -O raw “name of raw file”. Where “HDS file” is the file we previously copied and “name of raw file” is the name of the new raw file we are creating, in this case it’s “Win10Image.raw”.
Now we can take that raw image into Autopsy and load the image. As you can see below, it’s been converted to a raw file and we can now take a look at the forensic image
Conclusion
Our forensic tools are built to handle a lot of data and different data types. But sometimes, there are things we need to adjust or convert in order to get things working properly. Virtual machines are one of those things in which some types have support and others don’t. If you ever run into a Mac with Parallels virtual machines installed, we hope this guide will make it easier to take a look at the data.
This article was written by ArcPoint Forensics and originally appeared on the ArcPoint Blog here: https://www.arcpointforensics.com/news/working-with-virtual-machines
