Personal Musings

This blog is intended to be just a jumble of thoughts that hit me and need not necessarily mean anything.

Location: Kerala, India

Water flows ...

Friday, February 29, 2008

Mounting a VirtualBox VDI disk: An authentic weblog for a change

Using VirtualBox has, of late, made things very easy for me. I have enough RAM to run Linux as the host OS with Windows as a guest OS.
Everything I specifically need Windows for, I do in the guest; all normal activity is now in Linux.
Storing valuable information on the virtual disk seemed very nice, and sort of secure, until I found I very badly needed some data that was stored inside the virtual disk file.

My office machine can be reached from home, but getting the data out of the virtual disk was the tricky part.


Stop the Virtual Machine
The first problem was that my guest OS was running while I wanted to get at the information. A disk image that a running VM is still writing to cannot be mounted consistently, so the VM has to be stopped first.
$ VBoxManage controlvm "my vm" poweroff

or even
$ VBoxManage controlvm "my vm" acpipowerbutton

will work. The first is like pulling the power cord from the Windows machine: the guest gets no chance to flush anything, and the NTFS volume is left marked dirty. The second presses the virtual ACPI power button, so Windows shuts down cleanly; prefer it whenever the guest is still responsive, because a cleanly unmounted NTFS volume is what you want before opening it from the host.
If giving the name of the VM doesn't work for you, list what is registered:
$ VBoxManage list vms
This lists every VM registered with VirtualBox (the guests, not the host) with all the gory details. The lines to look for are
....
Guest OS: Windows XP
UUID: deadbeef-dead-beef-dead-feebfeebdaed
......
You can use the UUID instead of the name of the VM.

Figure out how to mount
For this half, I used a post by hogfly:
http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html
I picked up vditool from the link mentioned in that post:
http://www.virtualbox.org/download/testcase/vditool
(You have to right-click and do "Save Link As..." to save the above file.)
Note that this is a bare binary fetched over plain HTTP, with no checksum or signature to compare against, so only run it if you trust where it came from.
First, you have to ensure that vditool can be executed, so make it executable:
$ chmod u+x vditool
Then check that every shared library it needs is present, using ldd. (ldd(1) itself warns that it should never be run on an untrusted executable, because some dynamic loaders execute the program while tracing it; for a binary you do not trust yet, the NEEDED entries shown by objdump -p or readelf -d list the same dependencies without executing anything.)

$ ldd vditool
linux-gate.so.1 => (0x00110000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0065e000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00111000)
librt.so.1 => /lib/librt.so.1 (0x00a00000)
libdl.so.2 => /lib/libdl.so.2 (0x00657000)
VBoxDD.so => /usr/lib/VBoxDD.so (0x00115000)
VBoxRT.so => /usr/lib/VBoxRT.so (0x0090e000)
libstdc++.so.5 => (not installed)
libm.so.6 => /lib/libm.so.6 (0x0062c000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00a0b000)
libc.so.6 => /lib/libc.so.6 (0x004d1000)
/lib/ld-linux.so.2 (0x004b2000)
VBoxVMM.so => /usr/lib/VBoxVMM.so (0x00258000)
VBoxDDU.so => /usr/lib/VBoxDDU.so (0x00679000)
VBoxDD2.so => /usr/lib/VBoxDD2.so (0x00340000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00a95000)
VBoxREM.so => /usr/lib/VBoxREM.so (0x00b80000)
libutil.so.1 => /lib/libutil.so.1 (0x00368000)

In my case, the initial output was as above. Watch the libstdc++.so.5 line: that library was not installed on my machine, so I had to install it before I could run the tool. All the VBox*.so libraries are installed by default on any machine on which you install VirtualBox. In my case, on Fedora 8, I had to install the compat-libstdc++-33 package.
(The right way is to install the corresponding package for your distribution. Expert users can certainly copy just the libraries over from some other machine to get things working for the time being, though that is not recommended at all: a stray copy of a system library is neither tracked nor updated by the package manager.)
Once you are through installing all the libraries, it should look something like this.

$ ldd vditool
linux-gate.so.1 => (0x00110000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0065e000)
libuuid.so.1 => /lib/libuuid.so.1 (0x00111000)
librt.so.1 => /lib/librt.so.1 (0x00a00000)
libdl.so.2 => /lib/libdl.so.2 (0x00657000)
VBoxDD.so => /usr/lib/VBoxDD.so (0x00115000)
VBoxRT.so => /usr/lib/VBoxRT.so (0x0090e000)
libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x0019f000)
libm.so.6 => /lib/libm.so.6 (0x0062c000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00a0b000)
libc.so.6 => /lib/libc.so.6 (0x004d1000)
/lib/ld-linux.so.2 (0x004b2000)
VBoxVMM.so => /usr/lib/VBoxVMM.so (0x00258000)
VBoxDDU.so => /usr/lib/VBoxDDU.so (0x00679000)
VBoxDD2.so => /usr/lib/VBoxDD2.so (0x00340000)
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00a95000)
VBoxREM.so => /usr/lib/VBoxREM.so (0x00b80000)
libutil.so.1 => /lib/libutil.so.1 (0x00368000)

Now comes the crucial part.

Find the disk offset
Use vditool to find the offset at which the guest's disk data starts inside the VDI file.

For this you need to know where your virtual machine's virtual disk is stored. Unless you chose a location manually, the default is ~/.VirtualBox/VDI.

Assuming that you have put vditool in your home directory, cd to the directory with the vdi file.

$ cd /path/to/vdi/file

$ ~/vditool DUMP my.vdi
vditool Copyright (c) 2004-2005 InnoTek Systemberatung GmbH.

Dumping VDI image file="my.vdi" into the log file...
Log created: 2008-02-29T13:20:02.737901000Z
Executable: /home/me/vditool
Arg[0]: ~/vditool
Arg[1]: DUMP
Arg[2]: my.vdi
--- Dumping VDI Disk, Images=1
Dumping VDI image "my.vdi" mode=r/o fOpen=1 File=00000004
Header: Version=00010001 Type=2 Flags=0 Size=11811160064
Header: cbBlock=1048576 cbBlockExtra=0 cBlocks=11264 cBlocksAllocated=11264
Header: offBlocks=512 offData=45568
Header: Geometry: C/H/S=22885/16/63 cbSector=512 Mode=3
Header: uuidCreation={deadbeef-dead-beef-dead-feebfeebdaed}
Header: uuidModification={deadbeef-dead-beef-dead-feebfeebdaed}
Header: uuidParent={00000000-0000-0000-0000-000000000000}
Header: uuidParentModification={00000000-0000-0000-0000-000000000000}
Image: fFlags=00000000 offStartBlocks=512 offStartData=45568
Image: uBlockMask=000FFFFF uShiftIndex2Offset=20 uShiftOffset2Index=20 offStartBlockData=0
The operation completed successfully!

Type says whether the disk is dynamically growing (1) or fixed-size (2). Mine is fixed (Type=2); I know it because I made it that way. This does matter: the single-offset trick below only works because a fixed image stores the guest's sectors in order, contiguously, right after offData (note cBlocks=cBlocksAllocated=11264: every block was allocated when the image was created). A dynamically growing image places its blocks in the file in the order the guest first wrote them, and the block map at offBlocks is the only record of which block is where, so no single offset describes it; such an image has to be converted to a raw disk file first (later VirtualBox versions do this with VBoxManage clonehd and --format RAW), after which only the partition offset applies.

Actually, you can just grep the output (grep is case-sensitive, so match the field name exactly):
$ ~/vditool DUMP my.vdi | grep offData
Header: offBlocks=512 offData=45568

The number sacred to us is 45568.
A VDI file starts with metadata (the header, then the block map at offBlocks) followed by the actual disk data, and 45568 is the file offset at which the guest's disk begins. But that is guest sector 0, where the MBR and the partition table live, not the filesystem itself. Windows XP starts its first partition at sector 63, and 63 * 512 = 32256, so the filesystem begins at 45568 + 32256 = 77824. Do not take the 32256 on faith for another guest: it holds for a disk partitioned by XP, but a different partitioning tool, or a guest with a boot partition in front, puts the first filesystem elsewhere, so read the partition table (for example with fdisk on a loop device that losetup has set up at offset 45568) and use that partition's start sector.
To mount (as root, and read-only):
$ mkdir mp
$ mount -t ntfs -o ro,noatime,noexec,loop,offset=77824 my.vdi mp

The options are not decoration. ro keeps the host from modifying an image the VM will later boot from again (writing to an NTFS volume from two sides corrupts it), noexec stops anything on the guest's disk from being executed on the host, and loop together with offset= maps the partition out of the middle of the file. -t ntfs selects the kernel's NTFS driver, which is read-only anyway; with ntfs-3g the type is ntfs-3g.


You can now start using the disk contents directly.

$ ls mp
AUTOEXEC.BAT Documents and Settings MSDOS.SYS pagefile.sys
.........
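The two offsets above can be derived from the image instead of being taken on faith. The following is an added example, not code from this post or from VirtualBox: it parses the VDI 1.1 header fields that vditool DUMP printed (offBlocks, offData, cbBlock, cBlocks, Type), walks the block map to locate guest sector 0, reads the MBR to get the real start sector of the first partition, and checks that partition's boot sector for the NTFS OEM id before reporting the value for mount -o offset=. It also detects the case the single-offset trick cannot handle, a dynamic image whose block map is not the identity. The header layout and block-map encoding are assumed from the VDI 1.1 format as implemented in the VirtualBox and QEMU sources; the image it builds when run without arguments is constructed (not a real VM disk), with offData=45568 and a partition at sector 63 so that it reproduces the 77824 above.

```python
#!/usr/bin/env python3
# Added example, not code from the post or from VirtualBox: parse the VDI 1.1 header
# (the fields vditool DUMP prints), walk the block map, read the guest MBR and report
# the mount -o offset= value, refusing when one offset cannot describe the image.
import struct

VDI_SIGNATURE = 0xBEDA107F
VDI_VERSION_1_1 = 0x00010001
VDI_TYPE = {1: "dynamic", 2: "fixed"}              # image_type values of the header
VDI_UNALLOCATED = {0xFFFFFFFF, 0xFFFFFFFE}         # block-map entries without file data
SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
# VDI 1.1 header (little-endian, 456 bytes), layout as in the VirtualBox/QEMU sources.
HEADER_FMT = "<64sIIIII256sIIIIIIIQIIII16s16s16s16s"
HEADER_FIELDS = ("text", "signature", "version", "header_size", "image_type", "flags",
                 "description", "off_bmap", "off_data", "cylinders", "heads", "sectors",
                 "sector_size", "unused", "disk_size", "block_size", "block_extra",
                 "blocks", "blocks_allocated", "uuid_image", "uuid_snap", "uuid_link",
                 "uuid_parent")

def parse_header(img):
    """Header as a dict; anything but a plain VDI 1.1 image is rejected."""
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, img, 0)))
    if hdr["signature"] != VDI_SIGNATURE:
        raise ValueError("not a VDI image")
    if hdr["version"] != VDI_VERSION_1_1 or hdr["block_extra"] != 0:
        raise ValueError("unsupported VDI variant")
    return hdr

def read_block_map(img, hdr):
    """Block map at offBlocks: guest block index -> index of its data block in the file."""
    return struct.unpack_from("<%dI" % hdr["blocks"], img, hdr["off_bmap"])

def guest_to_file(hdr, bmap, guest_off):
    """File offset holding a guest byte, or None if that block has no data yet."""
    idx, within = divmod(guest_off, hdr["block_size"])
    if idx >= len(bmap) or bmap[idx] in VDI_UNALLOCATED:
        return None
    return hdr["off_data"] + bmap[idx] * hdr["block_size"] + within

def parse_mbr(mbr):
    """Used entries of a classic MBR partition table (four 16-byte entries at 446)."""
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("guest sector 0 carries no MBR signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, n = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype and n:
            parts.append({"type": ptype, "bootable": status == 0x80, "lba_start": lba, "sectors": n})
    return parts

def analyse(img, partition=0):
    """Locate the chosen partition in the file and say whether one loop offset reaches it."""
    hdr = parse_header(img)
    bmap = read_block_map(img, hdr)
    # mount -o offset= assumes the guest's blocks sit in order right after offData, i.e.
    # the block map is the identity on every allocated block.  A fixed image created in
    # one go satisfies this; a dynamic image stores blocks in first-write order.
    contiguous = all(e == i for i, e in enumerate(bmap) if e not in VDI_UNALLOCATED)
    mbr_at = guest_to_file(hdr, bmap, 0)
    if mbr_at is None:
        raise ValueError("guest sector 0 is not allocated")
    part = parse_mbr(img[mbr_at:mbr_at + SECTOR])[partition]
    guest_fs = part["lba_start"] * SECTOR
    fs_at = guest_to_file(hdr, bmap, guest_fs)
    boot = img[fs_at:fs_at + SECTOR] if fs_at is not None else b""
    return {"type": VDI_TYPE.get(hdr["image_type"], "unknown"), "off_data": hdr["off_data"],
            "contiguous": contiguous, "partition_type": part["type"], "lba_start": part["lba_start"],
            "is_ntfs": boot[3:11] == b"NTFS    ",          # OEM id of an NTFS boot sector
            "fs_file_offset": fs_at,                         # valid for any image
            "loop_offset": hdr["off_data"] + guest_fs if contiguous else None}

def make_sample_vdi(fixed=True, off_data=45568, block_size=1 << 20, blocks=2):
    """Constructed 2 MiB test image, not a real VM disk: one NTFS (0x07) partition starting
    at sector 63 like the XP guest in the post, with offData as in the post's dump.
    fixed=False reverses the block map to mimic a dynamic image written out of order."""
    bmap = list(range(blocks)) if fixed else list(reversed(range(blocks)))
    img = bytearray(off_data + blocks * block_size)
    nil = b"\0" * 16
    img[:struct.calcsize(HEADER_FMT)] = struct.pack(
        HEADER_FMT, b"<<< innotek VirtualBox Disk Image >>>\n", VDI_SIGNATURE, VDI_VERSION_1_1,
        0x190, 2 if fixed else 1, 0, b"", 512, off_data, 0, 16, 63, SECTOR, 0,
        blocks * block_size, block_size, 0, blocks, blocks, nil, nil, nil, nil)
    struct.pack_into("<%dI" % blocks, img, 512, *bmap)
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                     63, blocks * block_size // SECTOR - 63)
    mbr[510:512] = MBR_SIGNATURE
    geo = {"off_data": off_data, "block_size": block_size}
    at = guest_to_file(geo, bmap, 0)
    img[at:at + SECTOR] = mbr
    at = guest_to_file(geo, bmap, 63 * SECTOR)
    img[at:at + 11] = b"\xeb\x52\x90NTFS    "            # start of an NTFS boot sector
    return img

if __name__ == "__main__":
    import mmap, sys
    if len(sys.argv) > 1:   # a real image: map it rather than reading 11 GB into memory
        with open(sys.argv[1], "rb") as f:
            print(analyse(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)))
    else:
        print(analyse(make_sample_vdi()))
```

Run it with the path to a .vdi to analyse a real image; without arguments it analyses the built-in sample and reports loop_offset 77824. If contiguous comes back False, convert the image to raw before mounting; if is_ntfs is False, the partition you picked is not the one you think it is, so do not mount it blindly. fs_file_offset is correct for either kind of image and is enough to carve the boot sector out with dd for a look.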





If you feel there needs to be any improvements, please post a comment.


At last wakes up the sage from a mysterious sleep, but still very tired as if he was working hard all through.

It may not seem sane, but then who knows what goes through when a sage sleeps. For only a sage knows whether he is or not.

That brings us to the age old quote:

Quis custodiet ipsos custodes?
Now the role of guardians has increased even more. Only, now they are called regulators and anti-terrorism cells. There is no better example than the story of Gen (Retd) Musharraf. (Did I make a mistake by calling him 'Gen'???) Musharraf, it seems, was so fixated on ruling Pakistan, and on coming out of his self-imposed rule alive, that he did the best thing to safeguard his interests - lick the USA's arse. So there he was, catching Bush's neocon policy with his own hand and lending to the concept of terror, all the while making his place safe. The issue is that no Pakistani could actually do anything about it. Now the results of the election seem to tell a slightly different story, but then look at the election turnout.
Bush can tell back home that he has brought democracy to Pakistan, though he supported a dictator for a very long time. He gave Musharraf enough money that if the people who ate the money survived the regime change, they could simply retire and still be able to feed three generations. Musharraf got to enjoy full power for some time. Bush got away with spending more money than he could ever spend and still saying he was good at it. But then, after all the gaga, any man can say these people went free because there was no one to call foul.

That brings us to the main question: how can we actually keep the evils from coming in? The essence of solving the problem in the so-called democratic form of government is to ensure that nobody comes up with enough clout to actually make any change in the State. Even if someone does come around, the negative pull on him/her will always be so high that nothing positive could be brought out.
More good came out during the time of Saddam Hussein than during the two Bush administrations. If you don't trust these words, just look at the state of the US economy at the end of the two Bush eras. Both Bush administrations converted a good US economy into an economy in recession, with war expenditure to top the hardships. A more single-minded Saddam government could actually set changes in the lives of the selected people. But a US with the so-called democratic government couldn't control not just one, but two lunatics.

Devolution of power, it seems, is a euphemism for ensuring nobody is left powerful enough to do anything positive. At least instances like Musharraf will logically not be so rampant then. But then, is democracy so nice after all?

From the start it has been so that democracy has existed without a clear definition of it. The oft-quoted "government of the people, by the people, for the people" is so meaningless that everyone feels it is something extremely great, but just out of the reach of their brains. People still uphold this talk because they still haven't realized that it was just another publicity stunt. Democracy has always been used by power-hungry people to wrest as much power as is possible, because they are afraid of having to lose the little power that they would gain from the exercise. Even more horrible is the state of the select few, who would rather have no power if they can ensure that no one else will ever get full power.

Is there any government in which a single party has taken full control of the legislature and the executive arms right now? Even if you may somehow spell out one or two names, a deeper analysis will always show that even the so-called single party that gets into power is so bifurcated that even for a good policy, you will find a sizeable number of people opposing it because of outside influence on their own party. It is high time we realized that democracy is only as good as holding off a dictatorship for a few more years. The current mechanism is so flawed that a violent showdown will occur at any time. The successful States are only those that delay the final breakdown as much as possible. It is something like saying, "X went down after having one and a half pints of wine, while Y couldn't last more than one".
