Selasa, 29 Agustus 2006

Liveview

12.46    No comments

Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images.

I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get.

Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at realdigitalforensics.com to patch the image.


orr:/home/richard$ ls -al *.gz
-rw-rw-rw-  1 richard  richard  181673834 Aug 29 15:06 BRJDEV.dd.gz
-rw-rw-rw-  1 richard  richard  389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ ls -al patch0001.bin 
-rw-r--r--  1 richard  richard  42635114 Mar  7 12:16 patch0001.bin
orr:/home/richard$ dd if=patch0001.bin of=BRJDEV.dd.gz bs=512 seek=271560 
83271+1 records in
83271+1 records out
42635114 bytes transferred in 5.059636 secs (8426518 bytes/sec)

orr:/home/richard$ ls -al *.gz
-rw-rw-rw-  1 richard  richard  181673834 Aug 29 15:26 BRJDEV.dd.gz
-rw-rw-rw-  1 richard  richard  389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ md5 BRJDEV.dd.gz
MD5 (BRJDEV.dd.gz) = 3f274b39803068d69f8b62730e101d64

Since BRJDEV.dd.gz had the proper MD5 hash, I moved it over to my Windows station, gunzipped it, and then ran Liveview. I tried to run Liveview on FreeBSD (it's Java), but I saw too many errors. Liveview is easy enough to use. I pointed it at the proper .dd file, and told it where I wanted the image produced.

Liveview built a .vmx file, a .vmdk file, and told VMware Server where to find the new VM. At this point it looked ready to start, so I fired up VMware Server.

Things started to proceed well. I got a Linux bootloader image, so something was working. The Linux kernel started to load too.

Unfortunately, I didn't get very far. Eventually Linux reported a kernel panic and complained that it was unable to mount the root filesystem.

I believe I would have more success if I used an image of a Windows system, but I do not have one handy.

While writing this blog I found dd2vmdk, a project with similar goals. I bet VMware's P2V might import dd images, but I'm not sure.

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)