Abstract
The other day, talking to one of the analysts in Dallas, a question came up about analyzing Parallels virtual machine hard drives. To my surprise, I did not find much help on this topic online, and I did not find tools that would interpret the file system inside a Parallels hard drive image. The simplest way I wanted to approach the problem was to convert the hard drive image to something simpler, like a dd image. I found a very nice article on how to convert to a plain hard drive image using the Parallels Image Tool that comes with Parallels Desktop (http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html), but I had no access to a Mac and wanted to see if there is a way to do this on Windows. There was VMware vCenter Converter (free software, http://www.vmware.com/products/converter), but it failed with a message that it could not recognize the image. I also found an interesting tool, MakeVM (http://www.sysdevsoftware.com/soft/makevm.php), that looked very promising, but the demo version would not convert an image larger than 2GB. So I wanted to look further into other options. This article is about the findings of that "journey".
Results
Parallels Workstation comes with a few command line tools for basic drive manipulation, such as prl_disk_tool and prl_convert, but the best converter I found is the open source QEMU project.
Qemu-1.0.1-windows.zip – http://lassauge.free.fr/qemu/
One of the utilities in QEMU is qemu-img, and its help output shows the value of this simple utility when it comes to converting image types. The latest version adds support for the Parallels image format: "Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qcow2 qed host_device file raw sheepdog vdi vmdk vpc vvfat"
Example
Step 1. I downloaded the Parallels Workstation trial version to create a virtual machine for testing and to make sure my findings would apply to the latest version of Parallels.
Parallels Workstation Build 6.0.13976 (Revision 769982; June 8, 2012)
Step 2. Created a virtual machine (Windows Server 2008) with a 20GB hard drive.
Step 3. Used the qemu-img utility to convert the image into a raw image. Note that the raw output is the full logical size of the virtual disk (20GB here, regardless of how much the expanding .hds file actually occupies), so make sure the destination drive has room for it:
qemu-img.exe convert -f parallels -O raw "Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds" f:\temp\otput.dd
Step 4. Opened the raw image in FTK Imager to analyze the data.
Step 5. Notes: If the hard drive image is split into 2GB chunks, you can use the Parallels command line tool to merge the pieces before converting, or use the GUI to edit the hard drive image:
prl_disk_tool convert --hdd <disk_path> [--plain|--expanding] [--split|--merge]
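To show what qemu-img is actually doing in Step 3, here is an added example (not code from the original post, from Parallels, or from QEMU) that reads the Parallels expanding-disk layout as QEMU's block/parallels.c documents it and flattens it to a raw dd-style image in memory. The header field layout, the two magic strings ("WithoutFreeSpace" with sector-granular BAT entries, "WithouFreSpacExt" with cluster-granular entries) and the rule that an unallocated cluster reads back as zeros are assumptions taken from that QEMU source; the sample image it builds is constructed test data, not a real VM disk. Function names such as parse_header, to_raw and has_mbr_signature are this example's own.

```python
"""Minimal reader for Parallels expanding disk images (.hds).

Added example: implements the on-disk layout that QEMU's block/parallels.c
reads (assumed layout, little-endian), so the conversion step is visible:
  0   16  magic "WithoutFreeSpace" (BAT in sectors) / "WithouFreSpacExt" (BAT in clusters)
  16  4   version (2)      20 4 heads      24 4 cylinders
  28  4   tracks = sectors per cluster (BAT granularity)
  32  4   bat_entries      36 8 nb_sectors (old format: low 32 bits only)
  44  4   inuse            48 4 data_off   52 12 padding
  64  4*N block allocation table (BAT); entry 0 = unallocated, reads as zeros
"""
import struct

SECTOR = 512
HEADER_FMT = "<16sIIIIIQII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 64 bytes
MAGIC_V1 = b"WithoutFreeSpace"
MAGIC_V2 = b"WithouFreSpacExt"


def is_parallels_image(data):
    """Cheap format check: magic string only (what -f parallels relies on)."""
    return len(data) >= 16 and data[:16] in (MAGIC_V1, MAGIC_V2)


def parse_header(data):
    """Return the header fields and BAT; raise ValueError on a bad header."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 64-byte Parallels header")
    (magic, version, heads, cyls, tracks, bat_entries, nb_sectors,
     inuse, data_off, _pad) = struct.unpack_from(HEADER_FMT, data, 0)
    if magic not in (MAGIC_V1, MAGIC_V2):
        raise ValueError("not a Parallels image (bad magic %r)" % magic)
    if version != 2:
        raise ValueError("unsupported Parallels header version %d" % version)
    if tracks == 0 or bat_entries == 0:
        raise ValueError("corrupt header: zero cluster size or empty BAT")
    if magic == MAGIC_V1:
        nb_sectors &= 0xFFFFFFFF   # old format only carried a 32-bit count
        multiplier = 1             # BAT entries are sector offsets
    else:
        multiplier = tracks        # BAT entries are cluster offsets
    if len(data) < HEADER_SIZE + 4 * bat_entries:
        raise ValueError("file truncated inside the block allocation table")
    bat = struct.unpack_from("<%dI" % bat_entries, data, HEADER_SIZE)
    return {"magic": magic, "heads": heads, "cylinders": cyls,
            "cluster_sectors": tracks, "bat": bat, "nb_sectors": nb_sectors,
            "inuse": inuse, "off_multiplier": multiplier}


def to_raw(data):
    """Flatten an expanding image to a raw (dd-style) image, like qemu-img."""
    h = parse_header(data)
    cluster = h["cluster_sectors"] * SECTOR
    out = bytearray()
    for entry in h["bat"]:
        if entry == 0:
            out += bytes(cluster)          # never written: all zeros
            continue
        start = entry * h["off_multiplier"] * SECTOR
        chunk = data[start:start + cluster]
        if len(chunk) != cluster:
            raise ValueError("BAT entry points past the end of the file")
        out += chunk
    # The BAT covers whole clusters; trim to the disk's real sector count.
    return bytes(out[:h["nb_sectors"] * SECTOR])


def has_mbr_signature(raw):
    """Sanity check on a converted image: 0x55AA at the end of sector 0."""
    return len(raw) >= SECTOR and raw[510:512] == b"\x55\xAA"


def build_sample_image(magic=MAGIC_V2):
    """Constructed 3-cluster test image (not a real VM disk).

    BAT cluster 0 holds a fake MBR, cluster 1 is unallocated, and cluster 2's
    data is stored *before* cluster 0's data to show BAT order != file order.
    """
    cluster_sectors = 2                        # 1 KiB clusters keep it small
    cluster = cluster_sectors * SECTOR
    nb_sectors, bat_entries = 5, 3             # 5-sector disk, 6 sectors of BAT
    data_start = -(-(HEADER_SIZE + 4 * bat_entries) // cluster) * cluster
    first = data_start // cluster              # index of first data cluster
    if magic == MAGIC_V1:
        entries = [(first + 1) * cluster_sectors, 0, first * cluster_sectors]
    else:
        entries = [first + 1, 0, first]
    hdr = struct.pack(HEADER_FMT, magic, 2, 16, 32, cluster_sectors,
                      bat_entries, nb_sectors, 0, 0, b"\0" * 12)
    img = bytearray(hdr + struct.pack("<3I", *entries))
    img += bytes(data_start - len(img))        # pad up to the data area
    img += b"C" * cluster                      # data for BAT cluster 2
    img += b"\xEB\xFE" + bytes(508) + b"\x55\xAA" + b"A" * SECTOR  # cluster 0
    return bytes(img)


if __name__ == "__main__":
    for magic in (MAGIC_V1, MAGIC_V2):
        raw = to_raw(build_sample_image(magic))
        print(magic.decode(), len(raw), "bytes; MBR signature:",
              has_mbr_signature(raw))
```

On a real .hds, compare the sizes and cluster count from parse_header with what `qemu-img info` reports before trusting a conversion, work from a copy of the image, and hash the raw output once it is produced so later analysis can be tied back to it.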
I will test other uses of this simple tool; if you know other ways to accomplish the same task, please share.
As far as I am informed, you can mount vmdk and some other virtual file formats right away in X-Ways Forensics… Maybe give it a try or have a look at the release notes… Nice article though! Last but not least, you always have the opportunity to boot the system from a working copy and image the data using the live system…