Parallels hard drive image converting for analysis

Abstract

The other day, talking to one of the analysts in Dallas, a question emerged about analyzing Parallels’ virtual machine hard drives.  To my surprise, I did not find much help on this issue on-line, nor tools that would interpret the file system inside Parallels’ hard drive images.  The simplest way to approach the issue is to convert the hard drive image to something simpler, like a dd image.  I found a very nice article on how to convert to a plain hard drive image using Parallels Image Tool, which comes with Parallels Desktop (http://digfor.blogspot.com/2009/08/mounting-parallels-hdd-and-hds-files.html), but I had no access to a Mac and wanted to see if there is a way to do this on Windows.  There was VMware vCenter Converter (free software, http://www.vmware.com/products/converter), but it did not work, giving a message that it could not recognize the image.  I also found an interesting tool, MakeVM (http://www.sysdevsoftware.com/soft/makevm.php), that looked very promising, but the demo version would not convert an image larger than 2GB.  So, I wanted to look further into other options.  This article is about the findings of that “journey”.

Results

Parallels Workstation comes with a few command line tools for basic drive manipulation, like prl_disk_tool or prl_convert, but the best converter I found is the latest release of the open source project QEMU.

Qemu-1.0.1-windows.zip (http://lassauge.free.fr/qemu/)

One of the utilities in QEMU is qemu-img; its help output reveals the value of this simple utility when it comes to converting image types.  The latest version has just added support for the Parallels image format: “Supported formats: blkdebug blkverify bochs cloop cow dmg nbd parallels qcow qcow2 qed host_device file raw sheepdog vdi vmdk vpc vvfat”

Example

Step 1. I downloaded the Parallels Workstation trial version to create a virtual machine for testing and to make sure my findings would apply to the latest version of Parallels.
Parallels Workstation Build 6.0.13976 (Revision 769982; June 8, 2012)


Step 2. Created a virtual machine (Windows 2008 Server) with a 20GB hard drive.

Step 3. Used the qemu-img utility to convert the image into a raw image:
qemu-img.exe convert -f parallels -O raw "Windows Server 2008-0.hdd.copy.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds" f:\temp\otput.dd

Step 4. Opened the raw image in FTK Imager to analyze the data.

[Figure: Parallels converted hard drive image in FTK Imager]

Step 5. Notes: If the hard drive image is split into 2GB chunks, you can use Parallels’ command line tool to merge the chunks before converting, or use the GUI to edit the hard drive image.

prl_disk_tool convert --hdd <disk_path> [--plain|--expanding] [--split|--merge]

For the same task, Parallels also lets you split or merge the virtual hard drive as you edit the properties of the drive. This is much easier to use than the CLI.
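To show what qemu-img does under the hood in Step 3, here is an added example (not code from the article, from Parallels or from QEMU) that reads a Parallels .hds the way QEMU's block/parallels.c driver interprets it: a 64-byte header, then a block allocation table (BAT) whose entries locate each cluster in the file, with 0 meaning the cluster was never written. Walking the BAT and writing a flat image shows why unallocated regions come out as zeros in the raw copy and why a truncated .hds is rejected rather than silently converted. The header layout is taken from my reading of the QEMU driver, and the sample image is constructed inline for testing.

```python
import io
import struct

SECTOR = 512
MAGIC_V1 = b"WithoutFreeSpace"  # BAT entries are absolute sector offsets in the .hds file
MAGIC_V2 = b"WithouFreSpacExt"  # BAT entries are cluster numbers, scaled by "tracks"
HEADER = struct.Struct("<16sIIIIIQII12x")  # 64-byte on-disk header as read by QEMU block/parallels.c; 12x = padding

def parse_header(raw):
    """Validate the .hds header and return the fields a converter needs."""
    magic, version, heads, cyls, tracks, bat_entries, nb_sectors, inuse, data_off = HEADER.unpack(raw[:64])
    if magic not in (MAGIC_V1, MAGIC_V2):
        raise ValueError("not a Parallels .hds image (magic %r)" % magic)
    if magic == MAGIC_V1:
        nb_sectors &= 0xFFFFFFFF  # v1 stores a 32-bit sector count; the high dword is padding
    if tracks == 0 or bat_entries * tracks < nb_sectors:
        raise ValueError("cluster size or BAT does not cover the declared disk size")
    return {"version": version, "cluster_sectors": tracks, "bat_entries": bat_entries,
            "nb_sectors": nb_sectors, "off_multiplier": 1 if magic == MAGIC_V1 else tracks}

def parallels_to_raw(src, dst):
    """Stream src (an open .hds, binary) into dst as a flat dd-style image; returns bytes written."""
    src.seek(0)
    hdr = parse_header(src.read(HEADER.size))
    bat = struct.unpack("<%dI" % hdr["bat_entries"], src.read(4 * hdr["bat_entries"]))
    cluster = hdr["cluster_sectors"] * SECTOR
    total = remaining = hdr["nb_sectors"] * SECTOR
    for entry in bat:
        n = min(cluster, remaining)        # last cluster may be partial
        if entry == 0:
            chunk = bytes(n)               # never-written cluster reads back as zeros
        else:
            src.seek(entry * hdr["off_multiplier"] * SECTOR)
            chunk = src.read(n)
            if len(chunk) != n:
                raise ValueError("BAT entry points past end of file: image truncated or corrupt")
        dst.write(chunk)
        remaining -= n
    return total

def build_sample_hds():
    """Constructed 3-cluster v1 image (cluster = 2 sectors) for offline testing, not a real capture."""
    header = HEADER.pack(MAGIC_V1, 1, 16, 1, 2, 3, 6, 0, 0)
    bat = struct.pack("<3I", 1, 0, 3)  # cluster 0 at sector 1, cluster 1 unallocated, cluster 2 at sector 3
    return (header + bat).ljust(SECTOR, b"\0") + b"A" * 1024 + b"C" * 1024

def convert_sample():
    src, dst = io.BytesIO(build_sample_hds()), io.BytesIO()
    parallels_to_raw(src, dst)
    return dst.getvalue()  # returns b"A"*1024 + 1024 zero bytes + b"C"*1024
```

For a real 20GB .hds, pass open file handles instead of BytesIO objects; the converter reads one cluster at a time, so memory use stays flat.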

I will test other uses of this simple tool; if you know other ways to accomplish the same task, please share.

1 thought on “Parallels hard drive image converting for analysis”

  1. As far as I am informed, you can mount vmdk and some other virtual file formats right away in X-Ways Forensics… Maybe give it a try or have a look at the release notes… Nice article though! Last but not least, you always have the opportunity to boot the system from a working copy and image the data using the live system…
