Data Recovery, File Systems, Forensics 101

Parallels hard drive image converting for analysis

Abstract

The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels' virtual machine hard drives. To my surprise, I did not find much help on this issue on-line, and I did not find tools that would interpret the file system in Parallels' hard drive images. The simplest approach I wanted to try was converting the hard drive image to something simpler, like a dd image. I found a very nice article on how to convert to a plain hard drive image using Parallels Image Tool, which comes with Parallels Desktop (http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html), but I had no access to a Mac and wanted to see if there is a way to do this on Windows. There was VMware vCenter Converter (free software, http://www.vmware.com/products/converter), but it did not work, giving a message that it could not recognize the image. I also found an interesting tool, MakeVM (http://www.sysdevsoftware.com/soft/makevm.php), that looked very promising, but the demo version would not convert an image larger than 2GB. So, I wanted to look further into other options. This article is about the findings of that "journey".

Results

Parallels Workstation comes with a few command line tools for basic drive manipulation, like prl_disk_tool or prl_convert, but the best converter I found is the latest release of the open source project QEMU.

Qemu-1.0.1-windows.zip - http://lassauge.free.fr/qemu/

One of the utilities in QEMU is qemu-img; its help output shows the value of this simple utility when it comes to converting image types. The latest version just added support for the Parallels image format: "Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qcow2 qed host_device file raw sheepdog vdi vmdk vpc vvfat"

Example

Step 1. I downloaded the Parallels Workstation trial version to create a virtual machine for testing and to make sure my findings apply to the latest version of Parallels.
Parallels Workstation Build 6.0.13976
( Revision 769982; June 8, 2012 )

Step 2. Created a virtual machine ( Windows 2008 Server ) with a 20GB hard drive.

Step 3. Used the qemu-img utility to convert the image into a raw image:
qemu-img.exe convert -f parallels -O raw "Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds" f:\temp\otput.dd

Step 4. Opened the image in FTK Imager to analyze the data.

Parallels converted hard drive image in FTK Imager

Step 5. Notes: If the hard drive image is split into 2GB chunks, you can use Parallels' command line tool to merge the chunks before converting, or use the GUI to edit the hard drive image.

prl_disk_tool convert --hdd <disk_path> [--plain|--expanding] [--split|--merge]

For the same task, Parallels lets you split or merge the virtual hard drive as you edit the properties of the drive. This is much easier to use than the CLI.
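To show what Step 3 actually does with the bytes (and what the "parallels" entry in the qemu-img format list means for an analyst), here is an added Python example written for this post; it is not code from QEMU or from Parallels. It parses the .hds header and block allocation table and writes out the raw image the same way qemu-img convert -O raw does: allocated clusters are copied to their logical position, unallocated clusters become zeros. The header layout and the BAT units are my reading of QEMU's block/parallels.c and are assumptions, not facts stated in the post; the sample image the script builds is constructed test data, not a real VM disk. The expected_raw_size() helper is the check I would run on the qemu-img output before hashing it: the raw file must be exactly nb_sectors * 512 bytes.

```python
"""Minimal Parallels (.hds) to raw converter.

Illustrates what `qemu-img convert -f parallels -O raw` does with the
bytes: walk the block allocation table (BAT), copy each allocated cluster
to its logical position, and leave unallocated clusters as zeros.

Assumed on-disk layout (my reading of QEMU's block/parallels.c; field
names and units are assumptions, not taken from the post):
  offset 0   64-byte little-endian header
             magic[16]        "WithoutFreeSpace" (original) or
                              "WithouFreSpacExt" (extended)
             version          u32, 2 for both variants
             heads, cylinders u32 each (geometry, unused here)
             tracks           u32, cluster size in 512-byte sectors
             bat_entries      u32, number of BAT entries
             nb_sectors       u32 (original) / u64 (extended) disk size
             inuse, data_off  u32 each (extended only, zero otherwise)
  offset 64  BAT: bat_entries x u32. 0 = cluster not allocated; otherwise
             the cluster's file offset in sectors (original) or in
             clusters (extended).
"""
import struct

SECTOR = 512
MAGIC_ORIG = b"WithoutFreeSpace"
MAGIC_EXT = b"WithouFreSpacExt"
# One format string covers both variants: in an original-format header the
# bytes the extended format uses for the upper half of nb_sectors, inuse and
# data_off are zero padding, so reading them as u64/u32 gives the same values.
HEADER_FMT = "<16sIIIIIQII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 64


def parse_header(img: bytes) -> dict:
    """Validate the magic and return the fields needed for conversion."""
    if len(img) < HEADER_SIZE:
        raise ValueError("file shorter than a Parallels header")
    (magic, version, _heads, _cyls, tracks, bat_entries,
     nb_sectors, _inuse, data_off, _pad) = struct.unpack_from(HEADER_FMT, img, 0)
    if magic == MAGIC_ORIG:
        variant, off_multiplier = "original", 1       # BAT entry counts sectors
    elif magic == MAGIC_EXT:
        variant, off_multiplier = "extended", tracks  # BAT entry counts clusters
    else:
        raise ValueError("not a Parallels image, magic=%r" % magic)
    if tracks == 0 or bat_entries == 0 or nb_sectors == 0:
        raise ValueError("corrupt header: zero cluster size, BAT or disk size")
    return {"variant": variant, "version": version,
            "cluster_bytes": tracks * SECTOR, "bat_entries": bat_entries,
            "nb_sectors": nb_sectors, "off_multiplier": off_multiplier,
            "data_off": data_off}


def read_bat(img: bytes, hdr: dict) -> list:
    return list(struct.unpack_from("<%dI" % hdr["bat_entries"], img, HEADER_SIZE))


def expected_raw_size(img: bytes) -> int:
    """Size the converted raw image must have; compare against the qemu-img
    output before hashing it."""
    return parse_header(img)["nb_sectors"] * SECTOR


def parallels_to_raw(img: bytes) -> bytes:
    hdr = parse_header(img)
    csize = hdr["cluster_bytes"]
    total = hdr["nb_sectors"] * SECTOR
    out = bytearray(total)                   # unallocated clusters read as zeros
    for idx, entry in enumerate(read_bat(img, hdr)):
        if entry == 0:
            continue
        dst = idx * csize
        if dst >= total:
            break
        n = min(csize, total - dst)          # last cluster may be partial
        src = entry * hdr["off_multiplier"] * SECTOR
        chunk = img[src:src + n]
        if len(chunk) != n:
            raise ValueError("BAT entry %d points past end of file" % idx)
        out[dst:dst + n] = chunk
    return bytes(out)


def build_sample_image(extended: bool, clusters: dict, tracks: int = 4,
                       total_clusters: int = 4) -> bytes:
    """Construct a tiny Parallels image (test data, not a real VM disk).
    `clusters` maps logical cluster index -> payload, padded to one cluster."""
    magic = MAGIC_EXT if extended else MAGIC_ORIG
    csize = tracks * SECTOR
    bat = [0] * total_clusters
    # Data area starts at the first cluster boundary after header + BAT.
    data_start = -(-(HEADER_SIZE + 4 * total_clusters) // csize) * csize
    body = bytearray()
    for logical, payload in sorted(clusters.items()):
        phys = data_start + len(body)        # byte offset of this cluster
        bat[logical] = phys // csize if extended else phys // SECTOR
        body += payload.ljust(csize, b"\0")
    data_off = data_start // SECTOR if extended else 0
    header = struct.pack(HEADER_FMT, magic, 2, 16, 32, tracks, total_clusters,
                         total_clusters * tracks, 0, data_off, b"\0" * 12)
    img = (header + struct.pack("<%dI" % total_clusters, *bat)).ljust(data_start, b"\0")
    return bytes(img + body)


if __name__ == "__main__":
    sample = build_sample_image(False, {0: b"MBR", 2: b"DATA"})
    raw = parallels_to_raw(sample)
    print(len(raw) == expected_raw_size(sample), raw[:3], raw[4096:4100])
```

Pointing parallels_to_raw() at a real .hds (the file the Step 3 command names, not the .hdd bundle directory) reads the whole file into memory, which is fine for a sanity check but not for a 20GB disk; the point of the script is to make the format visible, and qemu-img remains the tool for the actual conversion.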

I will test other uses of this simple tool; if you know other ways to accomplish the same task, please share.

About zoltanszabodfw

I feel passionate about teaching those who want to learn and are not afraid of the IT field and its constant learning challenges. I've been known to break down and simplify complex problems to layman's terms and to help develop a long-term method for learning to keep up with the rapidly changing technology. I prefer teaching face-to-face vs. on-line since I need the constant feedback and student interaction to keep exploring better and more helpful methods of instruction. My classes are heavily hands-on, lab-based courses. They feel like a separate full-time job since no one class starts and ends the same way, and troubleshooting / problem solving is an everyday process that shows students above and beyond what to expect in the workplace after they graduate.

Discussion

One thought on "Parallels hard drive image converting for analysis"

  1. As far as I am informed, you can mount vmdk and some other virtual file formats right away in X-Ways Forensics… Maybe give it a try or have a look at the release notes… Nice article though! Last but not least, you always have the opportunity to boot the system from a working copy and image the data using the live system…

    Posted by 4rensiker | July 5, 2012, 5:54 am
