Working with Virtual Machines

Throughout the course of investigations, you run into individuals who have all types of technical backgrounds. For times when you look at evidence from a more technically savvy user, you may run into virtual machines installed on the machine. Virtual machines are separate instances of an operating system that you can run virtually. A laptop that’s running a Windows machine on the bare metal could also be running a virtual machine that may use Linux or a different instance of Windows.

VMware Virtual Machines

When you run into a VMware Virtual Machine, the process is fairly straightforward. You open up the folder where the virtual machine is located, copy the VMDK file to a location of your choice on your machine, and use Autopsy to add it as a data source. Autopsy will be able to ingest the VMDK and parse out all its data. Straight from Autopsy’s release notes:

However, when you run into a Mac that has Parallels (another virtual machine application) installed, you will first need to convert the image into a raw format as Autopsy cannot ingest Parallels’ PVM file. Let’s see what it takes to make that conversion below.

Getting Setup for Parallels Virtual Machines

Since this VM is hosted on a Mac, we’re going to do this on a Mac. The first step (after having Homebrew installed) is to install QEMU, which is an open-source hypervisor. Type in “brew install qemu”.

After the package is installed, we can ensure that it’s working properly with a good old help command “qemu-img --help.” You should see output similar to what’s below.

Now let’s navigate to where our Parallels virtual machines are located. Right click on the machine you’re interested in and select “Show Package Contents”.

Once you’ve done that, you’ll be shown the contents within the pvm file.

Now, we’re going to have to right click one more time on the ‘hdd’ file and “Show Package Contents” again. Last time, I promise!

Finally, you will see the following contents. The one we want to focus on is the hds file with the unique identifier.

Final Conversion

Now you want to copy out the .hds file to somewhere convenient so you can continue to work with it. I’ve copied it to my desktop.

With it on our desktop, we can now use qemu to convert it to a raw image. The command is “qemu-img convert -f parallels [HDS file] -O raw [name of raw file]”, where [HDS file] is the file we previously copied and [name of raw file] is the name of the new raw file we are creating, in this case “Win10Image.raw”.

We can now take that raw image into Autopsy and load the image. As you can see below, it’s been converted to a raw file and we can now take a look at the forensic image.
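The steps above (find the .hds inside the .pvm package, convert it with qemu-img, load the raw image) can be scripted so the conversion is repeatable and the resulting image is hashed for later verification. The script below is an added example and is not part of the original post or of the Autopsy or QEMU projects. It assumes qemu-img is installed via Homebrew as described above, and the bundle path, file names and GUID in the comments are constructed placeholders. Because a .pvm and the .hdd inside it are ordinary directories on disk (Finder just presents them as packages), find can walk them directly without the “Show Package Contents” clicks.

```shell
#!/bin/sh
# Added example (not from the original post): locate the .hds disk file inside a
# Parallels .pvm bundle, convert it to a raw image with qemu-img, and record a
# SHA-256 of the output so the converted evidence can be verified later.
# Assumption: qemu-img is installed (brew install qemu). All paths are hypothetical.

# List every .hds file inside a .pvm bundle. A bundle normally holds one .hds
# under its .hdd package; snapshots can add more, so the caller picks one.
find_hds() {
    pvm="$1"
    find "$pvm" -type f -name '*.hds'
}

# Build the exact qemu-img command from the post so it can be reviewed (and
# logged in case notes) before anything is run.
build_convert_cmd() {
    hds="$1"
    out="$2"
    printf "qemu-img convert -f parallels '%s' -O raw '%s'" "$hds" "$out"
}

# SHA-256 of a file; macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Convert one .hds to raw, then print qemu-img's view of the result and its hash.
# Refuses to overwrite an existing output file so prior work is never clobbered.
convert_hds() {
    hds="$1"
    out="$2"
    command -v qemu-img >/dev/null 2>&1 || { echo "qemu-img not found; run: brew install qemu" >&2; return 1; }
    [ -f "$hds" ] || { echo "no such .hds file: $hds" >&2; return 1; }
    [ -e "$out" ] && { echo "refusing to overwrite existing file: $out" >&2; return 1; }
    qemu-img convert -f parallels "$hds" -O raw "$out" || return 1
    qemu-img info "$out"
    printf 'SHA-256 %s  %s\n' "$(sha256_of "$out")" "$out"
}

# Usage (constructed paths): convert the first .hds found in the bundle.
# pvm="$HOME/Parallels/Windows 10.pvm"
# hds="$(find_hds "$pvm" | head -n 1)"
# build_convert_cmd "$hds" "$HOME/Desktop/Win10Image.raw"; echo
# convert_hds "$hds" "$HOME/Desktop/Win10Image.raw"
```

The hash is taken after conversion because the raw file, not the .hds, is what gets loaded into Autopsy and referenced from here on; keep both values with the case notes. If find_hds returns more than one file, the bundle carries snapshots, and the single-file conversion above applies to whichever .hds you choose to examine.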

Conclusion

Our forensic tools are built to handle a lot of data and different data types; but sometimes, there are things we need to adjust or convert to get things working properly. Virtual machines are one of those things in which some types have support and others don’t. If you ever run into a Mac with Parallels virtual machines installed, we hope this guide will make it easier to take a look at the data.
