Mounting virtualbox vdi disk: An authentic weblog for achange
Using VirtualBox has, of late, made things very easy for me. I have enough RAM to run Linux as the host OS with a Windows guest OS.
All the things I need Windows for specifically, I get to do in the guest OS. All the normal activities are now in Linux.
Using the virtual disk to store valuable information seemed very nice, and sort of secure, until I finally found I needed some data stored in the virtual disk file very badly.
My office machine can be reached from home, but getting the data out of the disk image was the tricky part.
Stop the Virtual Machine
The first problem was that my guest OS was still running when I wanted to get at the information. Powering it off from the host with
$ VBoxManage controlvm "my vm" poweroff
or even
$ VBoxManage controlvm "my vm" acpipowerbutton
will work. Essentially the first command behaves as if we pulled the plug on the Windows machine; the second behaves as if the ACPI power button had been pressed, so the guest gets to shut down cleanly. Prefer the second where you can: a hard power-off leaves the NTFS volume marked dirty and the last writes may never have reached the disk file, and a read-only mount can only show what actually made it there.
Note that if giving the name of the VM doesn't work for you, you can try the command
$ VBoxManage list vms
This command lists the guest VMs registered on the host machine with all the gory details. The lines that you have to look for are
....
Guest OS: Windows XP
UUID: deadbeef-dead-beef-dead-feebfeebdaed
......
You can then use the UUID in place of the name of the VM.
Figure out how to mount
For this half, I had the help of a post by hogfly:
http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html
I picked up vditool from the link mentioned in that blog:
http://www.virtualbox.org/download/testcase/vditool
(You have to right-click and choose "Save Link As..." to save the above file.)
First, you have to make sure vditool can be executed, so make it executable:
$ chmod u+x vditool
Then check whether the binary can actually run by listing its shared-library dependencies with ldd.
$ ldd vditool
linux-gate.so.1 => (0x00110000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0065e000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00111000)
librt.so.1 => /lib/librt.so.1 (0x00a00000)
libdl.so.2 => /lib/libdl.so.2 (0x00657000)
VBoxDD.so => /usr/lib/VBoxDD.so (0x00115000)
VBoxRT.so => /usr/lib/VBoxRT.so (0x0090e000)
libstdc++.so.5 => (not installed)
libm.so.6 => /lib/libm.so.6 (0x0062c000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00a0b000)
libc.so.6 => /lib/libc.so.6 (0x004d1000)
/lib/ld-linux.so.2 (0x004b2000)
VBoxVMM.so => /usr/lib/VBoxVMM.so (0x00258000)
VBoxDDU.so => /usr/lib/VBoxDDU.so (0x00679000)
VBoxDD2.so => /usr/lib/VBoxDD2.so (0x00340000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00a95000)
VBoxREM.so => /usr/lib/VBoxREM.so (0x00b80000)
libutil.so.1 => /lib/libutil.so.1 (0x00368000)
In my case, the initial output was like the above. Watch out for the libstdc++.so.5 line: initially that library was not installed on my machine, so I had to install it manually before I could run the tool. All those VBox libraries get installed by default on any machine on which you install VirtualBox. In my case, I had to install the compat-libstdc++-3.3 package on my Fedora 8 machine.
(The right way is to install the corresponding package on the system. Expert users can certainly copy just the libraries over from some other machine to get things working for the time being, though that is not recommended at all.)
Once you are through installing all the libraries, it should look something like this.
$ ldd vditool
linux-gate.so.1 => (0x00110000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0065e000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00111000)
librt.so.1 => /lib/librt.so.1 (0x00a00000)
libdl.so.2 => /lib/libdl.so.2 (0x00657000)
VBoxDD.so => /usr/lib/VBoxDD.so (0x00115000)
VBoxRT.so => /usr/lib/VBoxRT.so (0x0090e000)
libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x0019f000)
libm.so.6 => /lib/libm.so.6 (0x0062c000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00a0b000)
libc.so.6 => /lib/libc.so.6 (0x004d1000)
/lib/ld-linux.so.2 (0x004b2000)
VBoxVMM.so => /usr/lib/VBoxVMM.so (0x00258000)
VBoxDDU.so => /usr/lib/VBoxDDU.so (0x00679000)
VBoxDD2.so => /usr/lib/VBoxDD2.so (0x00340000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00a95000)
VBoxREM.so => /usr/lib/VBoxREM.so (0x00b80000)
libutil.so.1 => /lib/libutil.so.1 (0x00368000)
Now comes the crucial part.
Find disk offset
Use vditool to find the offset at which the disk data starts.
For this you should know where your virtual machine's virtual disk is stored. If you didn't set it manually, the default location is ~/.VirtualBox/VDI
Assuming that you have put the vditool file in your home directory, cd to the directory with the VDI file and dump its header.
$ cd /path/to/vdi/file
(In the dump below, "Type" says whether it is a dynamic or fixed virtual disk. I don't yet know whether it is important, but mine is definitely fixed; I know it because I made it that way.)
$ ~/vditool DUMP my.vdi
vditool Copyright (c) 2004-2005 InnoTek Systemberatung GmbH.
Dumping VDI image file="my.vdi" into the log file...
Log created: 2008-02-29T13:20:02.737901000Z
Executable: /home/me/vditool
Arg[0]: ~/vditool
Arg[1]: DUMP
Arg[2]: my.vdi
--- Dumping VDI Disk, Images=1
Dumping VDI image "my.vdi" mode=r/o fOpen=1 File=00000004
Header: Version=00010001 Type=2 Flags=0 Size=11811160064
Header: cbBlock=1048576 cbBlockExtra=0 cBlocks=11264 cBlocksAllocated=11264
Header: offBlocks=512 offData=45568
Header: Geometry: C/H/S=22885/16/63 cbSector=512 Mode=3
Header: uuidCreation={deadbeef-dead-beef-dead-feebfeebdaed}
Header: uuidModification={deadbeef-dead-beef-dead-feebfeebdaed}
Header: uuidParent={00000000-0000-0000-0000-000000000000}
Header: uuidParentModification={00000000-0000-0000-0000-000000000000}
Image: fFlags=00000000 offStartBlocks=512 offStartData=45568
Image: uBlockMask=000FFFFF uShiftIndex2Offset=20 uShiftOffset2Index=20 offStartBlockData=0
The operation completed successfully!
Actually, you can just grep the output for the field you need (grep is case-sensitive, and the field is spelled offData):
$ ~/vditool DUMP my.vdi | grep offData
Header: offBlocks=512 offData=45568
The number sacred to us is 45568.
Now, a normal VDI file has some metadata followed by the actual disk data. The sacred number is the offset at which our Windows disk starts. But this offset points at the place where the MBR is, not at the filesystem itself.
So to mount the actual data you have to add 32256 to 45568, giving us the final offset of 77824. (32256 is 63 sectors of 512 bytes: on a disk partitioned the way Windows XP does it, the first partition begins at sector 63, right after the MBR's track.)
To mount,
$ mkdir mp
$ mount -t ntfs -o ro,noatime,noexec,loop,offset=77824 my.vdi mp
You can now start using the disk contents directly.
$ ls mp
AUTOEXEC.BAT Documents and Settings MSDOS.SYS pagefile.sys
.........
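As an added example (not from the original post or from the vditool project), the Python below reads the two numbers the procedure above relies on straight from the file: offData from the VDI header, and the first partition's starting sector from the MBR that sits at that offset, so the 32256 is computed from the partition table instead of assumed. It assumes the VDI 1.1 header layout (signature at 0x40, image type at 0x4C, offData at 0x158) and refuses dynamic images, whose blocks are not stored contiguously; make_sample_vdi() builds a constructed stand-in carrying the values from the dump above.

```python
import io
import struct

VDI_SIGNATURE = 0xBEDA107F  # magic at offset 0x40 of every VDI file (assumed layout)
VDI_TYPE_FIXED = 2          # matches "Header: Type=2" in the vditool dump
SECTOR = 512

def parse_vdi_header(f):
    """Return (image_type, off_data) from a version 1.1 VDI header."""
    f.seek(0)
    hdr = f.read(0x15C)                       # enough to cover offData at 0x158
    if struct.unpack_from("<I", hdr, 0x40)[0] != VDI_SIGNATURE:
        raise ValueError("not a VDI image (bad signature at 0x40)")
    image_type = struct.unpack_from("<I", hdr, 0x4C)[0]
    off_data = struct.unpack_from("<I", hdr, 0x158)[0]   # "Header: offData=..."
    return image_type, off_data

def parse_mbr(mbr):
    """Return [(slot, type, lba_start)] for each used primary partition slot."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at the VDI data offset")
    parts = []
    for slot in range(4):   # entry: status, CHS start, type, CHS end, LBA start, sectors
        ptype, lba_start, sectors = struct.unpack_from("<B3xII", mbr, 0x1BE + 16 * slot + 4)
        if ptype and sectors:
            parts.append((slot, ptype, lba_start))
    return parts

def loop_offsets(f):
    """Mount offset per partition: VDI data offset + partition LBA start in bytes."""
    image_type, off_data = parse_vdi_header(f)
    if image_type != VDI_TYPE_FIXED:
        # Dynamic images allocate blocks in first-write order, so one loop offset is unsafe.
        raise ValueError("image type %d is not fixed" % image_type)
    f.seek(off_data)
    return [(s, t, off_data + lba * SECTOR) for s, t, lba in parse_mbr(f.read(SECTOR))]

def make_sample_vdi():
    """Constructed stand-in for my.vdi: header values from the dump, XP-style MBR."""
    buf = bytearray(45568 + SECTOR)
    struct.pack_into("<II", buf, 0x40, VDI_SIGNATURE, 0x00010001)   # signature, version
    struct.pack_into("<I", buf, 0x4C, VDI_TYPE_FIXED)
    struct.pack_into("<II", buf, 0x154, 512, 45568)                 # offBlocks, offData
    e = 45568 + 0x1BE                                                # first partition slot
    buf[e], buf[e + 4] = 0x80, 0x07                                  # bootable, type NTFS
    struct.pack_into("<II", buf, e + 8, 63, 23068609)                # starts at sector 63
    buf[45568 + 510:45568 + 512] = b"\x55\xaa"
    return io.BytesIO(bytes(buf))
```

For a real image, call loop_offsets(open("my.vdi", "rb")) and paste the returned offset into the mount command above; on the constructed sample it returns 77824, the same number worked out by hand.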
If you feel there are any improvements to be made, please post a comment.