
Live Forensics Mac OS X (II)

Continuing on from last week's post, we are going to look at what is needed to correctly virtualize a physical disk image of a Mac OS X operating system, this time using VMWare.

The following are needed:

  • Qemu
  • VMWare Player
  • Empire EFI (Latest version for Intel processors that includes the generic and Legacy versions)

We use VMWare Player since it is a free solution and, given that in this case it has no EFI support, we will use the alternative Empire EFI boot system. Empire EFI is simply an ISO that serves as a boot disk for Mac OS X systems, based on the Chameleon bootloader.


Firstly, the image of the physical disk obtained beforehand is converted to an image compatible with VMWare using Qemu in the following way:

 $ sudo qemu-img convert -f raw imagen.dd -O vmdk imagen.vmdk

Then we need to generate a configuration (.vmx) file associated with the above file. To do that we create a text file with a .vmx extension and we add something like the following:


#!/usr/bin/vmware
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
numvcpus = "4"
cpuid.coresPerSocket = "4"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
memsize = "2048"
ide0:0.present = "TRUE"
ide0:0.fileName = "imagen.vmdk"
ide1:0.present = "TRUE"
ide1:0.autodetect = "TRUE"
ide1:0.deviceType = "cdrom-image"
floppy0.startConnected = "FALSE"
floppy0.fileName = ""
floppy0.autodetect = "TRUE"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000"
ethernet0.wakeOnPcktRcv = "FALSE"
ethernet0.addressType = "generated"
usb.present = "TRUE"
ehci.present = "TRUE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
pciBridge0.present = "TRUE"
pciBridge4.present = "TRUE"
pciBridge4.virtualDev = "pcieRootPort"
pciBridge4.functions = "8"
pciBridge5.present = "TRUE"
pciBridge5.virtualDev = "pcieRootPort"
pciBridge5.functions = "8"
pciBridge6.present = "TRUE"
pciBridge6.virtualDev = "pcieRootPort"
pciBridge6.functions = "8"
pciBridge7.present = "TRUE"
pciBridge7.virtualDev = "pcieRootPort"
pciBridge7.functions = "8"
vmci0.present = "TRUE"
roamingVM.exitBehavior = "go"
displayName = "Mac OS X"
guestOS = "darwin"
nvram = "imagen.nvram"
virtualHW.productCompatibility = "hosted"
extendedConfigFile = "imagen.vmxf"
ide1:0.fileName = "LegacyBootCD.iso"
ethernet0.generatedAddress = "00:0c:29:bc:86:69"
uuid.location = "56 4d c6 30 f2 64 ca 05-a7 fd bc ba bb bc 86 69"
uuid.bios = "56 4d c6 30 f2 64 ca 05-a7 fd bc ba bb bc 86 69"
cleanShutdown = "TRUE"
replay.supported = "FALSE"
replay.filename = ""
ide0:0.redo = ""
pciBridge0.pciSlotNumber = "17"
pciBridge4.pciSlotNumber = "21"
pciBridge5.pciSlotNumber = "22"
pciBridge6.pciSlotNumber = "23"
pciBridge7.pciSlotNumber = "24"
scsi0.pciSlotNumber = "16"
usb.pciSlotNumber = "32"
ethernet0.pciSlotNumber = "33"
sound.pciSlotNumber = "34"
ehci.pciSlotNumber = "35"
vmci0.pciSlotNumber = "36"
vmotion.checkpointFBSize = "16973824"
ethernet0.generatedAddressOffset = "0"
vmci0.id = "771566075"
tools.syncTime = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
sharedFolder.maxNum = "1"
usb:0.present = "TRUE"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb:0.deviceType = "mouse"
checkpoint.vmState = ""
sharedFolder0.present = "FALSE"

Where...
  • ide0:0.fileName = The name of our VMWare image.
  • displayName = The name given to the virtual machine.
  • extendedConfigFile = The name that you want to give to the extended configuration file (Auto-generated).
  • nvram = The name that you want to give to the Virtual Machine's non-volatile memory (NVRAM) file (Auto-generated).
  • ide1:0.fileName = The name of the .iso file of the loader of Empire EFI boot, downloaded beforehand.

It is worth mentioning that all the previous files (the .vmdk, the .vmx and the Empire EFI .iso) need to be in the same directory.
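The conversion and .vmx generation steps above, put together as an added shell script (this is not the post's or S21sec's own code). It assumes the file names used in the post (imagen.dd, imagen.vmdk, LegacyBootCD.iso), requires qemu-img only for the conversion step, records a SHA-256 of the raw image before anything is done with it so the evidence copy can be re-verified later, and adds one key the post's template does not have, ide0:0.mode = "independent-nonpersistent", a VMware disk mode that discards the guest's writes to the .vmdk at power-off so the converted copy stays identical to the raw image between boots:

```shell
#!/bin/sh
# Added example, not from the original post. Builds the .vmx for a converted
# Mac OS X disk image following the template in the post. Assumed file names:
# imagen.dd (raw image), imagen.vmdk (converted copy), LegacyBootCD.iso.

# SHA-256 of the raw image, taken before conversion. The raw image is the
# evidence master; qemu-img only reads it, the VM only touches the vmdk.
image_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Same conversion as in the post: raw (dd) -> VMware vmdk.
convert_image() {
  qemu-img convert -f raw "$1" -O vmdk "$2"
}

# Write a .vmx with the keys from the post's template that change per case
# (disk, boot ISO, display name, nvram/vmxf names). Bridge, USB and sound keys
# from the full template are omitted here; copy them from the post if needed.
# ide0:0.mode is an addition: writes are discarded when the VM powers off.
gen_vmx() {
  out="$1"; vmdk="$2"; iso="$3"; name="$4"
  base=$(basename "$out" .vmx)
  cat > "$out" <<EOF
#!/usr/bin/vmware
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "7"
memsize = "2048"
numvcpus = "4"
cpuid.coresPerSocket = "4"
ide0:0.present = "TRUE"
ide0:0.fileName = "$vmdk"
ide0:0.mode = "independent-nonpersistent"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "$iso"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet0.virtualDev = "e1000"
ethernet0.addressType = "generated"
usb.present = "TRUE"
displayName = "$name"
guestOS = "darwin"
nvram = "$base.nvram"
extendedConfigFile = "$base.vmxf"
tools.syncTime = "FALSE"
isolation.tools.hgfs.disable = "TRUE"
EOF
}

# Read one key back from a .vmx (lines look like: key = "value").
vmx_get() {
  sed -n "s/^$2 = \"\(.*\)\"$/\1/p" "$1"
}

# Check the post's requirement that the vmdk and ISO sit beside the .vmx.
vmx_check_files() {
  dir=$(dirname "$1")
  for key in ide0:0.fileName ide1:0.fileName; do
    f=$(vmx_get "$1" "$key")
    [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
  done
}

# Usage: sh mkvm.sh imagen.dd LegacyBootCD.iso   (does nothing without arguments)
if [ "$#" -eq 2 ]; then
  raw="$1"; iso="$2"; base=$(basename "$raw" .dd)
  echo "sha256($raw) = $(image_hash "$raw")"
  convert_image "$raw" "$base.vmdk"
  gen_vmx "$base.vmx" "$base.vmdk" "$iso" "Mac OS X"
  vmx_check_files "$base.vmx" && echo "ready: open $base.vmx in VMWare Player"
fi
```

Run it from the directory that holds the raw image and the Empire EFI ISO; the .vmx it writes refers to the other files by bare name, which is why they all have to live in the same directory. Remove the ide0:0.mode line if you do want changes made during the live analysis to persist in the .vmdk.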

Once this point is reached, start up VMWare Player and open the previously created .vmx file. As the machine starts up, press the ESC key to select the boot device and choose CD-ROM (if we press F2 we enter the BIOS setup and can set this boot order permanently).

Finally, once the bootloader menu is loaded, select the "mac" option and now we can proceed with the online analysis of the system.

As a final note, our tests were made with a Mac OS X 10.6.4 system image, and it was necessary to use the Legacy version of Empire EFI for VMWare Player.




Santiago Vicente
S21sec e-crime


© Copyright S21sec 2013 - All rights reserved
