Tuesday, June 20, 2017

Virtualization of a raw image of an Apple OS X system

Years ago Jimmy Weg wrote an awesome blog post on how to create a VMware virtual machine from a raw image file. This is my follow-up on how to virtualize Apple Mac OS X.

Bear in mind that, according to this article in the VMware Knowledge Base: The End User License Agreement (EULA) for Apple Mac OS X legally and explicitly binds the installation and running of the operating system to Apple-labeled computers only.

Having said that, these are the tools required and the steps to follow.

  1. WinVMDKCreator (the tool was developed by Dana McNeil and was originally available on Jimmy Weg's blog)
  2. VMware Workstation (this guide was tested against version 12 Pro)
  3. Patch Tool for VMware (see Install Patch Tool for VMware in the article available here). The two pictures below show the difference before and after installing the patch.


#Step 1
Open the raw image with your favorite tool. The following picture shows a Mac mini A1347 I imaged during an investigation. Strangely no encryption was set on that Mac. I haven't tried yet with an encrypted image. I guess you can skip to #Step 3 in that case.

#Step 2
Check which OS X version was installed by looking at the property list file SystemVersion.plist.

In my case the Mac mini was running Mac OS X 10.12 (macOS Sierra).

#Step 3
Launch the WinVMDKCreator tool. Select the image to virtualize under File Data. Tick Set disk image segment file attributes to Read Only. Then press Generate to create the .vmdk file.

#Step 4
Open the .vmdk file just created in a text editor and change the value of ddb.virtualHWVersion to match the version of VMware Workstation you are using.

For instance, if you're using VMware Workstation 12: ddb.virtualHWVersion = "12"

#Step 5
Launch VMware Workstation. From the File menu choose New Virtual Machine (Custom) and use these settings:

Hardware compatibility: Workstation 12.x
Guest Operating System Installation: I will install the operating system later
Select a Guest Operating System: Apple Mac OS X
Virtual machine name/Location: whatever you prefer
Firmware Type: EFI (default setting)
Processor Configuration: (default settings)
Memory for the Virtual Machine: increase to 4096 MB
Network Type: Do not use a network connection
SCSI Controller: LSI Logic (default setting)
Virtual disk type: SATA (default setting)
Select a Disk: Use an existing virtual disk
Existing Disk File: click Browse and open the .vmdk file previously created with WinVMDKCreator

Click Finish and close VMware Workstation.

#Step 6
Use a text editor to modify the <VirtualMachineName>.vmx file stored in the VM folder.

Append this line at the end of the file:

smc.version = "0"

Without the line above, the VM won't start and will show an error message saying "unrecoverable error: (vcpu-0)".
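As an added example (not WinVMDKCreator's code nor anything from the original post), the following Python builds the flat-extent descriptor that references a raw image and applies the two text edits from Step 4 and Step 6 without ever opening the image itself; the image and file names are placeholders.

```python
import re

SECTOR = 512  # VMware descriptors count extents in 512-byte sectors


def vmdk_descriptor(image_name, image_size, hw_version="12"):
    """Build a flat-extent VMware descriptor that references an existing raw image
    by name. The image is never opened or written: only this small text file is
    produced, so the evidence file keeps its hash."""
    if image_size % SECTOR:
        raise ValueError("raw image size is not a multiple of 512 bytes")
    sectors = image_size // SECTOR
    cylinders = max(1, sectors // (255 * 63))  # nominal CHS geometry for a flat extent
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="monolithicFlat"',
        "",
        "# Extent description",
        f'RW {sectors} FLAT "{image_name}" 0',
        "",
        "# The Disk Data Base",
        "#DDB",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        'ddb.geometry.heads = "255"',
        'ddb.geometry.sectors = "63"',
        f'ddb.virtualHWVersion = "{hw_version}"',  # Step 4: match the Workstation version
        "",
    ])


def set_config_key(text, key, value):
    """Return text with exactly one `key = "value"` line, replacing any existing
    one. Works for both the .vmdk descriptor (ddb.virtualHWVersion, Step 4) and
    the .vmx file (smc.version, Step 6), which share the same key = "value" syntax."""
    pattern = re.compile(rf'^[ \t]*{re.escape(key)}[ \t]*=.*$', re.MULTILINE)
    line = f'{key} = "{value}"'
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)  # lambda: no escape processing
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


if __name__ == "__main__":
    print(vmdk_descriptor("macmini_A1347.dd", 1024 * 1024))  # placeholder image name/size
    print(set_config_key('displayName = "macmini"\n', "smc.version", "0"))
```

Taking the snapshot in Step 7 before the first power-on keeps guest writes out of the raw image; the read-only attribute set in Step 3 is the second safeguard.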

#Step 7
  • Launch VMware Workstation
  • Take a snapshot of the VM

#Step 8
Now you're ready to fire up the VM!


Saturday, April 1, 2017

RegRipper plugin to parse Foxit Reader

Foxit Reader is a popular free PDF Reader. Like any other program it keeps a file history. This is the Recent Files list shown to the user when the program is launched:

Foxit Reader stores the MRUs under the File MRU and Place MRU subkeys in the NTUSER.DAT hive. The values are named Item1 – Item50 and hold up to 50 of the most recently opened PDF files/paths: Item1 contains the most recent entry and Item50 the oldest. History\LastOpen contains additional details that I'll mention later.

As a test, I opened 50 different files named with numbers: I first opened a file named 01.pdf, then 02.pdf and so on up to 50.pdf.

Under History\LastOpen, Foxit Reader stores for each file some important information like the page number of the last page read, the zoom level used and the view mode. As you can notice from the picture below, the page number counter starts at "0". That means that page number "1" in a PDF file is stored as "0" in the registry.
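The following Python is an added example, not the foxitrdr.pl plugin or any code from the original post: it parses a constructed .reg-style excerpt of the values described above, orders the Item1 – Item50 entries numerically (so Item10 does not sort between Item1 and Item2) and converts the zero-based page counter to the page number a user would see. The parent key path and the PageIndex value name are placeholders/assumptions; the post names only the File MRU, Place MRU and History\LastOpen keys.

```python
import re

# Constructed .reg-style excerpt standing in for values exported from NTUSER.DAT.
# "PLACEHOLDER" and the "PageIndex" value name are assumptions, not Foxit's real layout.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\PLACEHOLDER\MRU\File MRU]
"Item1"="C:\\Users\\alice\\Desktop\\50.pdf"
"Item2"="C:\\Users\\alice\\Desktop\\49.pdf"
"Item10"="C:\\Users\\alice\\Desktop\\41.pdf"
"Item3"="C:\\Users\\alice\\Desktop\\48.pdf"

[HKEY_CURRENT_USER\Software\PLACEHOLDER\History\LastOpen\C:\Users\alice\Desktop\50.pdf]
"PageIndex"=dword:00000003
'''

_KEY = re.compile(r'^\[(.+)\]$')
_VAL = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg excerpt into {key_path: {value_name: str | int}}.
    REG_SZ strings are unescaped; dword values are decoded from hex."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            current[name] = int(dw, 16) if dw is not None else s.replace('\\\\', '\\')
    return keys


def mru_order(values):
    """Return the ItemN paths most-recent first (Item1 newest, Item50 oldest),
    sorting on the numeric suffix rather than the value name as a string."""
    items = [(int(n[4:]), p) for n, p in values.items()
             if n.startswith('Item') and n[4:].isdigit()]
    return [p for _, p in sorted(items)]


def last_open_pages(keys):
    """Map each file under History\\LastOpen to its human page number:
    the stored index starts at 0, so page "1" in the PDF is stored as 0."""
    marker = '\\History\\LastOpen\\'
    out = {}
    for path, vals in keys.items():
        if marker in path and 'PageIndex' in vals:
            out[path.split(marker, 1)[1]] = vals['PageIndex'] + 1
    return out
```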

I wrote a plugin for RegRipper to parse all these values by adapting a couple of existing plugins (adoberdr.pl by H. Carvey and iexplore.pl by E. Rye). The code I wrote is far from perfect since I've never programmed in Perl...but it works ;) 

My foxitrdr.pl plugin can be downloaded from here.

[UPDATE 11/April/2017]: My plugin was added to the official RegRipper repository. Thanks Harlan!

Friday, March 31, 2017

Customizing the filter type in X-Ways Forensics

The Filter:Type in X-Ways Forensics is one of my favorite filters. After many uses, I started thinking about how to make it more suitable for my needs.

This is my tweaked version:

This is a quick summary of the changes:
  • the categories are sorted alphabetically;
  • some categories were renamed;
  • there are now new categories like Network/Packets and Memory;
  • some extensions were moved to other categories;
  • some new extensions/filenames were added to the list.

If you want to give it a try, replace the two files "File Type Categories.txt" and "File Type Categories User.txt" in your installation folder with the ones you can download from my repository xways-forensics.


[UPDATE 03/April/2017]: I added the category Malware, Ransomware which is based on the Ransomware Overview document.
[UPDATE 11/July/2017]: The custom filter types were added to the Bookmarks menu in the latest version of XWFIM X-Ways Forensics Installation Manager (v1.7.0.0). Thanks Eric!