Parallels hard drive image converting for analysis

The other day, talking to one of the analysts in Dallas, a question
emerged about analyzing Parallels' virtual machine hard drives. To my
surprise, I did not find much help on this issue online and did not
find tools that would interpret the file system inside Parallels' hard drive
images. The simplest approach I wanted to try was converting the hard
drive image to something simpler, like a dd image. I found a very nice
article on how to convert to a plain hard drive image using the Parallels
Image Tool that comes with Parallels Desktop (http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html),
but I had no access to a Mac and wanted to see if there is a way to do
this on Windows. There was VMware vCenter Converter (free software: http://www.vmware.com/products/converter), but it failed with a message that it could not recognize the image. I also found an interesting tool, MakeVM (http://www.sysdevsoftware.com/soft/makevm.php),
that looked very promising, but the demo version would not convert an
image larger than 2GB. So I wanted to look further into other
options. This article is about the findings of that "journey".

Parallels Workstation comes with a few command line tools for basic
drive manipulation, like prl_disk_tool or prl_convert, but the best
converter I found is the latest release of the open source project QEMU
(Qemu-1.0.1-windows.zip from http://lassauge.free.fr/qemu/).

One of the utilities in QEMU is qemu-img, whose help output reveals
the value of this simple utility when it comes to converting image
types. The latest version just added support for the Parallels image
format: "Supported formats: blkdebug blkverify bochs cloop cow dmg nbd
parallels qcow qcow2 qed host_device file raw sheepdog vdi vmdk vpc vvfat"

Step 1. I downloaded the Parallels Workstation trial version to
create a virtual machine for testing and to make sure my findings would
be applicable to the latest version of Parallels.

Parallels Workstation Build 6.0.13976
( Revision 769982; June 8, 2012 )

Step 2. Created a virtual machine (Windows 2008 Server) with a 20GB hard drive.

Step 3. Used the qemu-img utility to convert the image into a raw image:

qemu-img.exe convert -f parallels -O raw "Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds" f:\temp\output.dd

Step 4. Opened the image in FTK Imager to analyze the data.

Figure: Parallels converted hard drive image in FTK Imager
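To show what the qemu-img conversion in Step 3 actually does to the .hds container, here is a small Python reader that walks a Parallels image and flattens it into a raw dd-style image. This is an added example, not code from the post or from QEMU; the header and block allocation table (BAT) layout it assumes is the one QEMU's parallels block driver reads (magic string, cluster size in the "tracks" field, one 32-bit BAT entry per logical cluster, zero meaning "never written"), and the sample image it builds in memory is constructed for the demonstration. An analyst can use parse_header to sanity-check a suspect .hds (magic, logical size, cluster size) before handing it to qemu-img, and sha256_hex to record the hash of the converted output next to the hash of the original.

```python
import struct
import hashlib

SECTOR = 512
# Header layout as used by QEMU's parallels block driver (assumed here, not
# taken from the post): magic[16], version, heads, cylinders, tracks,
# bat_entries (u32 LE each), nb_sectors (u64 LE), inuse, data_off, padding[12].
HEADER_FMT = "<16sIIIIIQII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 64 bytes; the BAT starts right after
MAGIC_V1 = b"WithoutFreeSpace"   # old format: BAT entries are sector numbers
MAGIC_V2 = b"WithouFreSpacExt"   # newer format: BAT entries are in cluster units


def parse_header(data):
    """Return the fields needed to walk the image, or raise ValueError."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    magic, version, heads, cylinders, tracks, bat_entries, nb_sectors = fields[:7]
    if magic == MAGIC_V1:
        off_multiplier = 1
        nb_sectors &= 0xFFFFFFFF          # v1 only uses the low 32 bits
    elif magic == MAGIC_V2:
        off_multiplier = tracks           # 'tracks' is the cluster size in sectors
    else:
        raise ValueError("not a Parallels image, magic=%r" % magic)
    if tracks == 0 or bat_entries == 0:
        raise ValueError("corrupt header: zero cluster size or empty BAT")
    return {"version": version, "heads": heads, "cylinders": cylinders,
            "cluster_sectors": tracks, "bat_entries": bat_entries,
            "nb_sectors": nb_sectors, "off_multiplier": off_multiplier}


def read_bat(data, hdr):
    """Block allocation table: one u32 per logical cluster, 0 = unallocated."""
    return list(struct.unpack_from("<%dI" % hdr["bat_entries"], data, HEADER_SIZE))


def to_raw(data):
    """Flatten a Parallels image held in memory into a raw (dd-style) image."""
    hdr = parse_header(data)
    cluster_bytes = hdr["cluster_sectors"] * SECTOR
    total = hdr["nb_sectors"] * SECTOR
    out = bytearray()
    for entry in read_bat(data, hdr):
        if len(out) >= total:
            break
        if entry == 0:
            out += b"\x00" * cluster_bytes      # never written by the guest
            continue
        start = entry * hdr["off_multiplier"] * SECTOR
        chunk = data[start:start + cluster_bytes]
        if len(chunk) != cluster_bytes:
            raise ValueError("BAT entry %d points past end of file" % entry)
        out += chunk
    return bytes(out[:total])


def sha256_hex(blob):
    """Hash of the converted image, recorded alongside the original's hash."""
    return hashlib.sha256(blob).hexdigest()


def build_sample_image():
    """Constructed v2 sample (not a real Parallels file): three clusters of four
    sectors; the middle cluster is unallocated and the other two are stored on
    disk in reverse order, which is exactly what the BAT is for."""
    cluster_sectors = 4
    cluster_bytes = cluster_sectors * SECTOR
    bat = [2, 0, 1]                          # logical cluster -> file cluster
    nb_sectors = cluster_sectors * len(bat)
    hdr = struct.pack(HEADER_FMT, MAGIC_V2, 2, 16, 32, cluster_sectors,
                      len(bat), nb_sectors, 0, 0, b"\x00" * 12)
    meta = hdr + struct.pack("<%dI" % len(bat), *bat)
    meta += b"\x00" * (cluster_bytes - len(meta))   # pad metadata to one cluster
    return meta + b"B" * cluster_bytes + b"A" * cluster_bytes


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                  # usage: hds2raw.py input.hds output.dd
        with open(sys.argv[1], "rb") as f:
            raw = to_raw(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(raw)
        print(len(raw), "bytes written, sha256", sha256_hex(raw))
    else:
        raw = to_raw(build_sample_image())
        print("sample image ->", len(raw), "bytes, sha256", sha256_hex(raw))
```

The reader loads the whole file into memory, so it is meant for understanding and spot-checking, not for a 20GB evidence image; qemu-img remains the tool for the real conversion. Note that unallocated clusters come out as zeros, so the raw image is always the full logical disk size even when the .hds on disk is much smaller.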

View full post on Forensic Focus Blog
