The unexpected case of the OSX VM


From time to time in digital forensics it can be very useful to see the operating system as the user would have seen it. In the case of computers, you could clone the hard-disk drive and boot the original machine from the clone, but more often than not a virtual machine (VM) is an easier solution.

Whilst working on a case which involved OSX 10.6 'Snow Leopard', it became apparent that a VM would be useful. Given that the hard-disk drive I was examining was 500GB and I was working on a PC, I wasn't really sure how I'd approach the problem. My colleague simply stated that I should give it a go with VirtualBox. He said it as if it was the most simple thing in the world!

It kinda was. And all achieved with free tools.

Creating the VM

Borrowing heavily from MacBreaker's excellent article 'How to install a Snow Leopard Hackintosh in Virtualbox [Windows]', I fired up VirtualBox and created a new VM, selecting 'Mac OSX' as the Operating System and 'Mac OS X Server (64 bit)' as the Version:


I gave the machine 2GB of RAM but unchecked 'Start-up Disk' as I didn't want a disk - I'd be using the suspect's.

Mounting the E01

I had already acquired an E01 of the hard disk drive, so, using FTK Imager 3, I mounted it as 'Physical Only' (because I didn't need the individual partitions) and it became PhysicalDrive5:


I then went back to my VM settings and expected to be able to add 'PhysicalDrive5' as storage. I couldn't. In VMware Workstation, you can simply choose to use a physically attached disk as the disk of your VM, but this option was nowhere to be seen in VirtualBox.

Creating the VMDK from the mounted E01

However, a quick search of the VirtualBox manual brought up 'Using a raw host hard disk from a guest' and showed me that I could make a vmdk from PhysicalDrive5 straight from the command prompt:

VBoxManage.exe internalcommands createrawvmdk -filename C:\physicaldisk5.vmdk -rawdisk \\.\PhysicalDrive5

Having made a vmdk file from a mounted E01 presents a problem: the mounted image is read-only. If I were to try to run the VM now, it would complain during boot that the disk is not writable and would not get very far.

Once again, the VirtualBox manual saves the day. The section on 'Special image write modes' told me that I had two ways of solving my problem depending on which best suited my needs. Both solutions make use of a differential disk, that is, a disk which stores the difference between the original disk and any changes that are made during operation of the VM.

I could set the vmdk to be 'immutable' meaning that every time the VM is restarted the differential disk is wiped, so I'd always get a clean boot of the E01. Or, I could set the disk to be 'multi-attach' meaning that the differential disk is not wiped so any changes are maintained through restarts of the VM.

I opted for 'multi-attach':

Adding the VMDK to the VM

With the vmdk created and modified, I could now add it to the VM by right-clicking the VM and selecting 'Settings...', navigating to 'Storage', selecting 'Add Hard Disk', and then browsing for the vmdk file:



Clear the EFI checkbox

Now, because I'd told VirtualBox that the VM was going to be OSX, it checked the EFI box for me. According to MacBreaker, however, this is the wrong kind of EFI. They seem to know their stuff, so within the VM settings I navigated to 'System' and cleared the 'Enable EFI' checkbox:


Attach iBoot ISO to make the system bootable

The final hurdle is that the hard-disk drive would not actually be bootable in this environment. Luckily, there's an easy solution to that too. The good folks over at tonymacx86 have built (amongst many other things!) a handy iBoot ISO. By initially booting from this ISO I can then continue to boot from the OSX hard-disk drive.

I needed to register with tonymacx86, but it was free and as I'm sure I'll be doing work with OSX on PCs in the future, it seems like it's going to be a great resource. Once registered, I found the iBoot ISO on the downloads page:


I attached the ISO to the VM via 'Storage' in the VM settings and booted the VM. I was greeted by a boot screen that allowed me to continue to boot from the OSX hard-disk drive (click in the VM to capture the input devices, hit an arrow key to move to the hard-disk drive, and then hit enter):
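The whole procedure above (create the raw vmdk from the mounted E01, put it into multi-attach or immutable mode, create the VM without EFI, attach the vmdk and the iBoot ISO) can also be driven from VBoxManage rather than the GUI, which is handy when a VM has to be rebuilt from scratch. The script below is an added example written for this page; it is not the article's own commands, nor anything taken from the VirtualBox or tonymacx86 documentation. It reuses the device the article names (PhysicalDrive5) and its vmdk path; the VM name, the iBoot ISO path and the `MacOS_64` OS type identifier are assumptions. createrawvmdk needs raw access to the host disk, so it is run from an elevated PowerShell prompt.

```powershell
# Added example, not the article's own commands. Assumes VirtualBox in its default
# install location and the E01 already mounted by FTK Imager as PhysicalDrive5.
# Run from an elevated PowerShell prompt (raw-disk access needs Administrator).

$VBoxManage = "$env:ProgramFiles\Oracle\VirtualBox\VBoxManage.exe"
$VmName     = 'SnowLeopard-E01'          # assumed VM name
$RawDisk    = '\\.\PhysicalDrive5'        # device FTK Imager reported for the mounted E01
$Vmdk       = 'C:\physicaldisk5.vmdk'     # same vmdk path as the article
$BootIso    = 'C:\evidence\iBoot.iso'     # placeholder path for the tonymacx86 iBoot ISO

# 'multiattach' keeps the guest's changes across restarts in a differencing disk;
# 'immutable' throws them away at every power-on. Either way the E01 is never written.
$DiskMode   = 'multiattach'

# Sanity check: the mounted image must be visible to the host before wrapping it in a vmdk.
$hostDisk = Get-CimInstance Win32_DiskDrive | Where-Object { $_.DeviceID -eq $RawDisk }
if (-not $hostDisk) {
    throw "No host disk at $RawDisk. Mount the E01 in FTK Imager as 'Physical Only' first."
}

# 1. Raw-disk vmdk pointing at the read-only mounted image.
& $VBoxManage internalcommands createrawvmdk -filename $Vmdk -rawdisk $RawDisk

# 2. Differencing mode, so the guest's writes land in a child disk rather than on the evidence.
& $VBoxManage modifyhd $Vmdk --type $DiskMode

# 3. The VM itself: Mac OS X (64-bit) type, 2 GB RAM, and BIOS firmware instead of the EFI
#    VirtualBox enables by default for OS X guests (the iBoot ISO does the booting).
& $VBoxManage createvm --name $VmName --ostype MacOS_64 --register
& $VBoxManage modifyvm $VmName --memory 2048 --firmware bios

# 4. SATA controller with the vmdk on port 0 and the iBoot ISO on port 1; DVD boots first,
#    then iBoot hands over to the OS X volume on the hard disk.
& $VBoxManage storagectl $VmName --name 'SATA' --add sata --controller IntelAhci
& $VBoxManage storageattach $VmName --storagectl 'SATA' --port 0 --device 0 `
    --type hdd --medium $Vmdk --mtype $DiskMode
& $VBoxManage storageattach $VmName --storagectl 'SATA' --port 1 --device 0 `
    --type dvddrive --medium $BootIso
& $VBoxManage modifyvm $VmName --boot1 dvd --boot2 disk --boot3 none --boot4 none

# 5. Refuse to start unless the evidence vmdk really is in the differencing mode we asked for;
#    a 'normal' disk would let the guest try to write straight to the mounted image.
$info = (& $VBoxManage showhdinfo $Vmdk) -join "`n"
if ($info -notmatch "Type:\s+$DiskMode") {
    throw "vmdk is not in $DiskMode mode; refusing to start the VM."
}
& $VBoxManage startvm $VmName
```

Switching `$DiskMode` to `'immutable'` gives the clean-boot-every-time behaviour the article describes as the alternative; the final check makes sure a forgotten modifyhd step is caught before the guest ever boots.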


And after a few warnings about mouse integration I was eventually greeted with my suspect's desktop:


All things considered, that was pretty easy. I can now navigate around my suspect's machine and the performance of the VM is almost as good as any Windows guest.

A few considerations:
  • There are probably licensing issues using OSX in this manner. In my opinion I'm using it for the purposes of Law Enforcement, so I feel that's an appropriate use.
  • The machine I did this on (the host machine) has an Intel Core2 Quad processor - I am nowhere near knowledgeable enough to comment on what architectures are compatible.
  • Even though it worked perfectly first time, later booting could be a bit buggy. Sometimes it would hang just before displaying the user's desktop, or the mouse wouldn't work. I found simply rebuilding the VM from scratch was sometimes necessary (which is why the keen-eyed amongst you will have noticed the screenshots come from more than one VM!)