Booting a dd image with VMware


Sometimes, as an incident responder, you get called on to analyze a system that has already been “looked at” by another admin or desktop support person. Most of the time I tell them the evidence has been trampled by the various malware scanners that were run and that they should just re-image the system. But sometimes you still need to do analysis on the system.

In this instance, a number of different malware products had been run, and the temp files and Internet cache had been cleared, but the system was still showing signs of infection. After building a timeline, I was able to determine that the initial infection vector had been deleted and the malware hosting site had been taken off-line. The system had a nasty rootkit that was injecting code into a couple of processes. I didn’t have time to run it through OllyDbg or IDA Pro.

I needed a quick way to determine the capabilities of the malware, so I decided to boot a copy of the original dd image using VMware and then do behavioral analysis on the running system. I could have used software such as Live View, but I wasn’t sure how well it worked with Linux as my host OS. Harlan Carvey wrote a great post in 2007 about booting a dd image using VMware; I wanted to turn that idea into a procedure.

Methodology

  1. Make sure you are using a backup copy of the dd image, as this process will make changes to the image file.
  2. Launch ProDiscover Basic.
    a. Select Image convert tools -> VMware support for DD Images.
  3. Select the dd file.
  4. ProDiscover will create a .vmdk file in the same folder as the dd file.
  5. Create a new virtual machine. Use the wizard, select a typical machine, choose “install OS later”, pick the guest OS, and take the default setting for everything else.
  6. Open the VM settings. Under VMware 7.0 choose the VM menu -> Settings.
  7. Remove the default hard drive.
  8. Select Add -> Hard Disk, then Next.
  9. Select “use an existing virtual disk” and browse to the new .vmdk file.
  10. Boot the VM.
  11. Use the process described in a previous post to determine what the malware is doing. Make sure you exercise the applications you are worried about the malware interacting with. For example, if you are worried about web-based credential-stealing malware, try logging into sites like eBay, Citibank and maybe a custom app from your company. Use fake credentials if you do not want to potentially leak real ones.
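As an added example (not from the post, and not ProDiscover’s code), here is a Python script that does by hand what the converter in step 2 does: it writes a VMware monolithicFlat VMDK descriptor whose single RW extent is the raw dd file, using the IDE CHS geometry VMware accepts, and first applies the checks the post and the comments below turn out to need (a writable working copy, whole 512-byte sectors, a 0x55AA signature in sector 0). File names, the geometry constants and the choice of the `ide` adapter type are assumptions; the descriptor is written beside the image so step 9 can attach it.

```python
import os
import struct

SECTOR = 512
HEADS, SPT = 16, 63   # classic IDE geometry VMware accepts for flat extents (assumed)
MAX_CYL = 16383       # BIOS CHS ceiling; bigger disks are addressed by LBA anyway

def has_boot_signature(sector0):
    """True when sector 0 ends in the 0x55AA signature a bootable MBR carries."""
    return len(sector0) >= SECTOR and struct.unpack("<H", sector0[510:512])[0] == 0xAA55

def check_image(path):
    """Catch the pitfalls raised in the post and its comments before booting."""
    size = os.path.getsize(path)
    if size % SECTOR:                 # a truncated dd run will not boot cleanly
        raise ValueError(f"{path}: size {size} is not a multiple of {SECTOR}")
    if not os.access(path, os.W_OK):  # VMware writes to the extent, hence step 1
        raise PermissionError(f"{path}: image must be a writable working copy")
    with open(path, "rb") as f:
        if not has_boot_signature(f.read(SECTOR)):
            raise ValueError(f"{path}: no 0x55AA boot signature in sector 0")
    return size // SECTOR

def geometry(total_sectors):
    """CHS triple for the DDB; cylinders are capped like the BIOS would."""
    return min(total_sectors // (HEADS * SPT), MAX_CYL), HEADS, SPT

def descriptor(image_name, total_sectors):
    """Text of a monolithicFlat descriptor whose single RW extent is the dd file."""
    cyl, heads, spt = geometry(total_sectors)
    return f'''# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"
RW {total_sectors} FLAT "{image_name}" 0
#DDB
ddb.adapterType = "ide"
ddb.geometry.cylinders = "{cyl}"
ddb.geometry.heads = "{heads}"
ddb.geometry.sectors = "{spt}"
ddb.virtualHWVersion = "4"
'''

def write_vmdk(image_path):
    # Writes <image>.vmdk next to the dd file, like ProDiscover's converter does
    sectors = check_image(image_path)
    vmdk_path = os.path.splitext(image_path)[0] + ".vmdk"
    with open(vmdk_path, "w") as f:
        f.write(descriptor(os.path.basename(image_path), sectors))
    return vmdk_path
```

Call `write_vmdk("/path/to/working-copy.dd")` and attach the resulting .vmdk in step 9; the adapter type in the DDB is what the guest’s boot-controller driver has to match, which is worth keeping in mind when reading the STOP 0x7B discussion in the comments.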

Dark Reading recently had a post on a Java-based command-line tool for doing this. I have yet to use it, but it may be worth checking out.


15 thoughts on “Booting a dd image with VMware”

    Stephen said:
    November 6, 2010 at 6:56 pm

    Tried this but ProDiscover did not seem to put in the correct entries for the image? Did you have to manually specify the CHS or any other parameters per:
    http://www.schatzforensic.com.au/2006/p2v/
    http://www.vmforensics.org/2010/06/command-line-tool-to-convert-dd-to-vmdk-file—raw2vmdk.html

      twsecblog said:
      November 9, 2010 at 2:19 pm

      I did not have to make any manual changes to the disk files themselves. After you have ProDiscover create the virtual disk, you need to create a new VM and add the disk to the VM. What error are you getting when you try to add the disk to the VM?

        Stephen said:
        November 11, 2010 at 1:38 pm

        When using the *.vmdk files that were produced by ProDiscover I would get a permission denied statement from VMware. I was able to generate files using LiveView which produced similar files. I think part of the issue was ProDiscover was not determining the correct geometry of the disk images I was working with.

    John Y said:
    October 27, 2011 at 4:48 pm

    Has anyone received a permission error for the VMDK file?

      twsecblog said:
      October 27, 2011 at 5:44 pm

      What’s the exact error you’re receiving? You need to be sure that the dd file has read/write permissions. If you are doing this for forensics, make sure this is a 2nd/3rd copy of the image you will be making changes to.

    sam said:
    February 6, 2012 at 6:29 pm

    I got the permission error but all I had to do is run vmware with sudo; however, it will not boot. I didn’t get any errors after that, but it will hang there not doing anything. This is a Win 7 x64. I did the same process with an XP system and it did boot, but it gave me the error of missing some system32 files.

      twsecblog said:
      February 6, 2012 at 6:52 pm

      Sam,

      If you hit escape at the Windows 7 boot screen, is there an error?

    Lee said:
    March 4, 2012 at 12:49 am

    I noticed that if you image a solid state drive (SSD) and create a VM, with either Live View or ProDiscover Basic, a Windows OS will try to load and recycle back and try again. However, this does not happen with traditional hard drive VM images. Could it be because the SSD does not recognize where the MBR is located? Has anyone experienced this episode?

      twsecblog said:
      March 5, 2012 at 2:23 pm

      Lee,

      Thanks for the comment. I’ve yet to image an SSD, but when you dd the SSD it should be just the same as other dd images. The controller does all the work with wear leveling and simulating a normal drive. What is the mmls output from the image vs. the original drive? They should match up.

    Lee Ramos said:
    March 7, 2012 at 7:36 pm

    Well, it looks like it’s not an SSD issue… I’m honing in on the issue. It looks like it could be with the way the Windows 7 64-bit version boots up. Each time I try, I see the bottom message (bar indicator) that it’s getting ready to boot but it never does. Have you tried the 64-bit version? I’m going to try the 32-bit version as a sanity check. I’ve seen 32-bit work but not 64-bit…

    Kind regards,

      twsecblog said:
      March 8, 2012 at 4:24 pm

      I haven’t booted a 64-bit cloned drive of Windows 7. You might want to try a safe mode boot first. Does the other system have some weird hardware? Maybe a TPM or something else that VMware is having issues with. Check the event log from safe mode. Should give you a better idea what may be happening.

    Lee Ramos said:
    March 7, 2012 at 7:47 pm

    Yes, the mmls does match. So, as you said it should be the same.
    Thanks.

    Lee said:
    March 11, 2012 at 1:03 am

    Well… first of all, I needed to enable Intel VT (Virtualization Technology) on my Dell E6400, 8G RAM, laptop, which got me closer… My Windows 7 64-bit Pro GUEST reaches to the point of booting (when the four Microsoft icons come together) and then gives me the blue screen. I get:

    Technical Information:
    *** STOP: 0x0000007B (0xFFFFF880009A9928, .. )

    I can’t seem to find any meaningful solution for this error message, not even an individual who has tried Windows 7 64-bit Pro/Ultimate as a VMware GUEST, just 32-bit.

    Regards,

      twsecblog said:
      March 14, 2012 at 1:54 pm

      Lee,

      After some quick googling it looks like this may be a hard drive mode/driver problem. If you switch from/to AHCI mode then the wrong driver will be loaded. It’s possible that is what’s going on. Safe mode should help you with this, and change the disk setting. Also you might want to use the latest version of VMware Player/Workstation if safe mode doesn’t help.
