Liveview

Thanks to this SANS ISC story, I learned of Liveview. It's a program that converts disk images made with dd into VMware images.

I decided to try the program on one of the images from Real Digital Forensics. We provide two images on the DVD: JBRWWW.dd.gz and BRJDEV.dd.gz. JBRWWW.dd.gz is a Windows image. Since we had to zero out Windows binaries in that image, it can't be booted. BRJDEV.dd.gz is a Linux image. The Liveview Web site shows there is "limited" support for Linux, but I decided to see how far I could get.

Before gunzipping BRJDEV.dd.gz, I needed to patch it. For some reason the copy on the book DVD is corrupted. I followed the instructions at realdigitalforensics.com to patch the image.


orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:06 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ ls -al patch0001.bin
-rw-r--r-- 1 richard richard 42635114 Mar 7 12:16 patch0001.bin
orr:/home/richard$ dd if=patch0001.bin of=BRJDEV.dd.gz bs=512 seek=271560
83271+1 records in
83271+1 records out
42635114 bytes transferred in 5.059636 secs (8426518 bytes/sec)

orr:/home/richard$ ls -al *.gz
-rw-rw-rw- 1 richard richard 181673834 Aug 29 15:26 BRJDEV.dd.gz
-rw-rw-rw- 1 richard richard 389144043 Aug 29 14:34 JBRWWW.dd.gz

orr:/home/richard$ md5 BRJDEV.dd.gz
MD5 (BRJDEV.dd.gz) = 3f274b39803068d69f8b62730e101d64

Since BRJDEV.dd.gz had the proper MD5 hash, I moved it over to my Windows station, gunzipped it, and then ran Liveview. I tried to run Liveview on FreeBSD (it's Java), but I saw too many errors. Liveview is easy enough to use. I pointed it at the proper .dd file, and told it where I wanted the image produced.

Liveview built a .vmx file, a .vmdk file, and told VMware Server where to find the new VM. At this point it looked ready to start, so I fired up VMware Server.

Things started to proceed well. I got a Linux bootloader image, so something was working. The Linux kernel started to load too.

Unfortunately, I didn't get very far. Eventually Linux reported a kernel panic and complained that it was unable to mount the root filesystem.

I believe I would have more success if I used an image of a Windows system, but I do not have one handy.

While writing this blog I found dd2vmdk, a project with similar goals. I bet VMware's P2V might import dd images, but I'm not sure.

Comments

Anonymous said…
I wouldn't necessarily blame Liveview as the problem. It looks like a VMWare/Linux kernel incompatibility issue. I've had something similar happen with other sata hardware and the initrd ramdisk on RHEL 4. I steer towards VMWare driver compatibility as the issue of not being able to mount the filesystem. The 'request_module[ide-cd]' followed by 'hdc: driver not present' usually means that the driver hasn't been loaded as it should be.
Anonymous said…
I used a Windows image, but it worked fine...but then, I didn't have any modified binaries:
http://windowsir.blogspot.com/2006/08/liveview.html
Anonymous said…
Also, if you know anything about what partition is supposed to be the boot partition, just pass it at the bootloader: "root=/dev/hda1".

One possibility here is that the image was taken from a system that was configured to boot off of another drive (say hdc) and vmware is now mapping that drive as hda. In that case the root= line I gave above should let the system boot correctly.
I tried removing the CD-ROM drive from the VMware setup and I also tried passing "linux root=/dev/hda1" to the boot loader. I got the error posted below:

Error image
Anonymous said…
Same topic, different approach, sanctioned by a "VMWare Champion":

http://www.vmware.com/community/thread.jspa?messageID=15890&
red said…
This comment has been removed by a blog administrator.
I'm afraid I don't have the patch referenced in this post.
Check my books page for links to the original evidence found on the DVD.

https://taosecurity.com/books.html
Unfortunately, I checked the files in my archive and the files from my own DVD and all the copies of BRJDEV.dd.gz that I have are corrupted.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics