Imm2Virtual: A Windows GUI To Virtualize Directly From Disk Image File

by Nanni Bassetti

Sometimes during a computer forensic investigation we need to virtualize our disk image, because booting it can be useful for checking or finding something of interest.

If we need to virtualize a disk image file, we can:

  1. Convert the image file to VDI/VMDK
  2. Use GNU/Linux and XMount

The first option is very space and time consuming: if we have a disk image of 1Tb in size, we need another 1Tb to store the VDI/VMDK virtual disk that feeds our virtual machine, and the conversion itself takes a long time.

In GNU/Linux we can use XMount, which is very convenient because we don't need to convert the image file to a virtual disk file format. It "allows you to convert on-the-fly between multiple input and output harddisk image types. Xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file."

If we are working in MS Windows, we don't have a corresponding tool, so I decided to work out a method to do the same thing.

The steps are these:

  1. We need a physical disk in Windows, created from the disk image file.
  2. We need virtual write access redirected to an external cache file, so the image file itself is never changed.
  3. We need a command that creates a virtual representation of the input image, i.e. an on-the-fly conversion.

All those points can be achieved by running some tools and commands manually:

  1. We run VirtualBox to create a VM with no disk.
  2. We run Arsenal Image Mounter, because it can mount an image file as a real physical disk in Windows, and it can mount in write mode while saving the changes to an external cache file.
  3. We take the mounted disk offline, to avoid the write attempts by the host that would otherwise fail during the boot of the VM.
  4. We use the VBoxManage command to create the VMDK file on-the-fly.

All those steps can be done manually by launching the tools and typing the commands, but I know that people find that tedious, so I made a GUI with Lazarus to automate it.

Imm2Virtual

Pressing the first button we create an empty VM and give it a name (e.g. testvm).
Pressing the second button we run Arsenal Image Mounter, where we have to mount the image in this way:

Then we have to take the disk we just mounted OFFLINE, using the Windows command DISKPART.

Type LIST DISK and note the disk number of your mounted disk image file (e.g. number 2), then type SELECT DISK number (e.g. SELECT DISK 2). Now put the disk offline by typing OFFLINE DISK.

And now let's create the virtual VMDK disk. This is the manual procedure; Imm2Virtual can do it for you if you simply enter the VM name you chose and the physical disk number.

"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\USER_NAME\VirtualBox VMs\DISK_NAME\DISK_NAME.vmdk" -rawdisk \\.\PhysicalDriveX

where

USER_NAME is the user name of your Windows account.
DISK_NAME is the name you chose for your virtual machine.
PhysicalDriveX is the physical drive where Arsenal Image Mounter has mounted your disk image file (e.g. PhysicalDrive2).

Finally we can add our brand new VMDK disk to our virtual machine and run it!
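The same manual steps, collected into one PowerShell script as an added example (this is not Imm2Virtual's own code, which is written in Lazarus). It assumes an elevated PowerShell session on Windows 8 or later (for Get-Disk), VirtualBox installed in its default path, and that Arsenal Image Mounter has already mounted the image as PhysicalDrive<N> in write mode with a cache file; the VM name and disk number are the same two values Imm2Virtual asks for.

```powershell
# Added example, not part of Imm2Virtual: automates steps 1, 3 and 4 above.
# Assumes: elevated session, VirtualBox in its default install path,
# and Arsenal Image Mounter has already mounted the image (step 2).
param(
    [Parameter(Mandatory)][string]$VmName,   # e.g. testvm
    [Parameter(Mandatory)][int]$DiskNumber   # e.g. 2, as shown by LIST DISK
)
$ErrorActionPreference = 'Stop'
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'
$Vmdk       = Join-Path $env:USERPROFILE "VirtualBox VMs\$VmName\$VmName.vmdk"
$RawDisk    = "\\.\PhysicalDrive$DiskNumber"

# Refuse to touch the host's own system disk by mistake.
if ($DiskNumber -eq 0) { throw 'Disk 0 is normally the host system disk; aborting.' }

# Step 1: create and register an empty VM (no disk attached yet).
& $VBoxManage createvm --name $VmName --register | Out-Null

# Step 3: take the mounted disk offline with DISKPART, exactly as done by hand.
$dpScript = Join-Path $env:TEMP "offline_disk_$DiskNumber.txt"
@"
SELECT DISK $DiskNumber
OFFLINE DISK
"@ | Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null
Remove-Item $dpScript

# Check before going on: an online disk would let host and guest write to it
# at the same time, and the VM's boot-time writes would fail.
$disk = Get-Disk -Number $DiskNumber
if (-not $disk.IsOffline) { throw "Disk $DiskNumber is still online; aborting." }

# Step 4: create the raw VMDK descriptor that points at the physical drive.
& $VBoxManage internalcommands createrawvmdk -filename $Vmdk -rawdisk $RawDisk

# Final step: attach the VMDK to a SATA controller so the VM boots from it.
& $VBoxManage storagectl $VmName --name 'SATA' --add sata --controller IntelAhci
& $VBoxManage storageattach $VmName --storagectl 'SATA' --port 0 --device 0 `
    --type hdd --medium $Vmdk
Write-Host "VM '$VmName' is ready: $RawDisk exposed through $Vmdk"
```

Because every guest write goes to \\.\PhysicalDriveN and from there into Arsenal Image Mounter's cache file, the original image file is never modified; verify the image hash after the session to confirm this.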

Imm2Virtual is an Open Source program. https://github.com/nannib/Imm2Virtual 

Author
Nanni Bassetti – http://www.nannibassetti.com
Digital Forensics consultant
