Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images. I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get.
Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at realdigitalforensics.com to patch the image.
orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:06 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz
orr:/home/richard$ ls -al patch0001.bin
-rw-r--r-- 1 richard richard 42635114 Mar 7 12:16 patch0001.bin
orr:/home/richard$ dd if=patch0001.bin of=BRJDEV.dd.gz bs=512 seek=271560
83271+1 records in
83271+1 records out
42635114 bytes transferred in 5.059636 secs (8426518 bytes/sec)
orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:26 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz
orr:/home/richard$ md5 BRJDEV.dd.gz
MD5 (BRJDEV.dd.gz) = 3f274b39803068d69f8b62730e101d64
Since BRJDEV.dd.gz had the proper MD5 hash, I moved it over to my Windows station, gunzipped it, and then ran Liveview. I tried to run Liveview on FreeBSD (it's Java), but I saw too many errors.
Liveview is easy enough to use. I pointed it at the proper .dd file, and told it where I wanted the image produced.Liveview built a .vmx file, a .vmdk file, and told VMware Server where to find the new VM. At this point it looked ready to start, so I fired up VMware Server.
Things started to proceed well. I got a Linux bootloader image, so something was working. The Linux kernel started to load too.
Unfortunately, I didn't get very far. Eventually Linux reported a kernel panic and complained that it was unable to mount the root filesystem.
I believe I would have more success if I used an image of a Windows system, but I do not have one handy.
While writing this blog I found dd2vmdk, a project with similar goals. I bet VMware's P2V might import dd images, but I'm not sure.
6 comments:
I wouldn't necessarily blame Liveview as the problem. It looks like a VMWare/Linux kernel incompatibility issue. I've had something similar happen with other sata hardware and the initrd ramdisk on RHEL 4. I steer towards VMWare driver compatibility as the issue of not being able to mount the filesystem. The 'request_module[ide-cd]' followed by 'hdc: driver not present' usually means that the driver hasn't been loaded as it should be.
I used a Windows image, but it worked fine...but then, I didn't have any modified binaries:
http://windowsir.blogspot.com/2006/08/liveview.html
Also, if you know anything about what partition is supposed to be the boot partition, just pass it at the bootloader: "root=/dev/hda1".
One possibility here is that the image was taken from a system that was configured to boot off of another drive (say hdc) and vmware is now mapping that drive as hda. In that case the root= line I gave above should let the system boot correctly.
I tried removing the CD-ROM drive from the VMware setup and I also tried passing "linux root=/dev/hda1" to the boot loader. I got the error posted below:
Error image
Same topic, different approach, sanctioned by a "VMWare Champion":
http://www.vmware.com/community/thread.jspa?messageID=15890&
Post a Comment