Saturday, August 08, 2009

Mounting VHD files in Windows for fun and exploration

This past week I was able to find a “smidgen” of time at work to apply myself on practicing some system-capture work with a forensic LiveCD.  More on that in an upcoming post.

Once I had my dd image file, I then had a number of Windows tools that allowed me to mount it and access/view it for “examination” practice.  Sure, I know that’s old-hat for your forensics professionals but it is cool and useful even to us system admins.

I routinely acquire and “on-line/off-line” mount ImageX WIMs and can extract files, modify files in the WIM, and perform other actions.  Sure, because it is a file-based image, it isn’t a forensics-level sector-based image, but if some WIMs were captured off a suspect system, these techniques would allow easy review and exploration of the contents.  Standard stuff.

That got me thinking; what options exist for mounting VHD files? 

VHD files can be quite interesting.  Not only do they contain “sector” remnants when items are moved/deleted internally to the VHD, but depending on how the VHD was created, it might even inadvertently have captured unused sector information from the original host physical device it was created on.

Or suppose a target was doing something tricky like dual booting Windows 7 on Vista via VHD file (or on Win7 for that matter).  Or maybe they are particularly geeky and attempting to evade a footprint by running Windows from a USB flash drive via a VHD file (Hyper-V Server in that case).  Probably not a very common (or easy) thing to do but technically it looks possible.  And Vista/Win7 use the VHD format for “Windows Complete PC Backup and Restore” images; for more info see these Vista and Win7 links.

If the incident responder captured the VHD file either as part of a larger system capture or off a USB drive, they could examine the contents forensically at the sector level, or they could install Virtual PC/Hyper-V and then try loading/running it there.  But what if they wanted to really explore the “system” or VHD file contents “natively”?

Could it be mounted to a Windows system like we can mount WIM files for examination and review?

It appears so!

The easiest method seems to be to just have a Windows 7 system around handy.  VHD mounting is supported natively in Windows 7 (and Vista with a few tweaks).
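Here is what the Windows 7 native route looks like in practice, as an added example that is not from the original post: a small PowerShell wrapper around the built-in diskpart that attaches the VHD read-only (so poking around cannot write anything back into the evidence file), lists the volumes Windows exposed, and detaches it afterwards. It assumes an elevated prompt on Windows 7 or later and a VHD at the placeholder path `C:\cases\suspect.vhd`.

```powershell
# Added example, not code from the original post.
# Assumes: Windows 7+ diskpart with "vdisk" support, an elevated prompt,
# and a VHD at the placeholder path below.
param(
    [string]$VhdPath = 'C:\cases\suspect.vhd'   # placeholder path, replace with your own
)

if (-not (Test-Path -LiteralPath $VhdPath)) {
    throw "VHD not found: $VhdPath"
}

# diskpart reads its commands from a script file when run with /s.
function Invoke-DiskPart {
    param([string[]]$Commands)
    $script = [System.IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        & diskpart.exe /s $script
    } finally {
        Remove-Item -LiteralPath $script -ErrorAction SilentlyContinue
    }
}

# 1. Attach read-only: exploring the mounted volume then cannot alter the VHD.
Invoke-DiskPart @(
    "select vdisk file=`"$VhdPath`"",
    "attach vdisk readonly",
    "list volume"      # shows the drive letter(s) assigned to the VHD's volumes
)

# ... explore the mounted volume(s) with Explorer, dir, hashing tools, etc. ...
Read-Host 'Press Enter to detach the VHD'

# 2. Detach when finished; the file is unchanged because it was attached read-only.
Invoke-DiskPart @(
    "select vdisk file=`"$VhdPath`"",
    "detach vdisk"
)
```

Hash the VHD before and after the session if you want proof that the read-only attach left it untouched.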

But maybe you want alternatives?

OK!  Try these on for size.

  • Gizmo Drive – freeware – Amazing utility that contains support for Win2K-Win7 builds.  Allows you to mount ISO, BIN, CUE, NRG files to a virtual CD-ROM drive BUT also allows you to mount VHD files as a virtual drive!  Also supports mounting of IMG files to a virtual drive.  Supports mount/unmount commands from Windows Shell and command line.  32/64 bits both supported.  A very headache-free solution in a can.

  • WinMount – commercial ($) – Mount rar, zip, DVD, CD, HDD images (VHD, VDI, and VMDK) in read-only or writable mode.  32/64 bit supported.

“What” you say?  You want to do it the hard-way in XP/Vista because you just don’t trust such a simple solution and you don’t have a Windows 7 system laying around your work-bench?

Fine.  Be that way.

Be aware that I’m not responsible for any global-warming, polar ice-shelf melting, or scrambling of your own system if you proceed! M’kay?  (It probably will be ok…)

The final trick involves using a Virtual Server tool called VHDmount to mount the VHD file directly into your host Windows OS.

Because this is some serious voodoo, I’m providing quite a few links to get you the foundational knowledge to strike out on your own.

Anyone know of any other techniques or utilities to mount a VHD file apart from those mentioned here?

--Claus V.
