Using disk images with VMware

Last week, I described taking flat disk images of machines using dd and netcat (via a LiveCD). It’s all very well having an image; your data is backed up safely, but how do you recover it? One obvious way of recovering data is to write the image back to the original system, but this would only be realistic if rolling back. If you simply wanted to recover a file or take a database dump, then that would be overkill. A spare server with the same basic hardware (SCSI and CPU types) could be used for recovery; however, the luxury of redundant hardware is not always an option in smaller remote sites.

There is another option: the system image can be used as a VMware disk—the system can be booted up for data recovery of files or be brought back permanently as a virtual server. The version of VMware used would depend wholly on your situation and intentions. A travelling sys admin may well want to boot the system on his laptop once to take a database dump, then never use the system again. In this case, VMware Workstation would probably be the best option as it runs well on a desktop machine with the least amount of resources taken up by overheads. On the other hand, if you were in an office and wanted to work on the archived system image for greater amounts of time (perhaps some forensic examination or to extend the transition period to new systems), then VMware Server may be a good way to go—this one is free too. Either version can be used; the disk images adhere to the same standards.

Before we start with VMware, we need to collect some basic information on our disk image—the physical disk's number of cylinders, heads, and sectors as well as the image size in sectors. There are various ways of finding this information—one is to look for data on the original hardware. This isn’t always as easy as it sounds. Another is to use WinHex (Specialist or Forensic versions). Open the system image with WinHex selecting ‘Raw Image or Evidence File’ as the file type. Once the image file is open, go to the Specialist menu and run off a ‘Technical Details Report’:

[C:\Documents and Settings\justinf\My Documents\My Virtual Machines\W2k3\ibmsda-dd.img]

Total capacity: 18,200,739,840 bytes = 17.0 GB

Number of cylinders: 2,212

Number of heads: 255

Sectors per track: 63

Bytes per sector: 512

Sector count: 35,548,320

Surplus sectors at end: 12,540

Partition 1

Sectors 63 - 35,519,714

Partition table: Sector 0

File system: NTFS

Total capacity: 18,186,061,824 bytes = 16.9 GB

Sector count: 35,519,652

Bytes per sector: 512

Bytes per cluster: 4,096

Free clusters: 2,645,133 = 60% free

Total clusters: 4,439,956

Unused inter-partition space:

Sectors 1 - 62 (31.0 KB)

Sectors 35,519,715 - 35,548,319 (14.0 MB)

= 14.0 MB

The numbers we’re interested in are the disk's number of cylinders, number of heads, sectors per track, and sector count.

With the required information, we can go ahead and create a new virtual machine. Exact details of the virtual machine will vary depending on the type of system represented in our disk image. The main choice is SCSI or IDE (different disk geometry will make booting a SCSI image with an IDE controller very difficult!)—there are also two types of SCSI, BusLogic or LSI Logic. To create the new VMware virtual machine, select Custom from the configuration menu—the VM format should be the newest available (‘New – Workstation 5’ at the moment). For guest operating system, select Other, followed by Other. Name the VM as required, select the number of processors, allocate RAM, and select a network connection type. If we wanted to bring a system back on to the network, then bridged networking would be the best option (not forgetting about possible IP clashes). If we simply wanted to pull data off to the host machine, then host-only networking would be fine.

The next option is that of SCSI adaptor choice, BusLogic or LSI Logic. Select the appropriate option and continue, electing to create a new virtual disk. Disk type depends on the system being resurrected; in this case, I’m using an LSI Logic SCSI disk. The disk size can be small as we will just delete the VMware disk image later—0.1GB is fine, and make sure to select the Allocate All Disk Space Now option. Do not split the disk into 2 GB files. Finish the wizard and copy your dd image file into the virtual machine's root directory.

My image is of a Windows 2003 Server, so I’ve called the VM ‘w2k3’. In the folder ‘My Documents/My Virtual Machines/w2k3’ I have files called ‘w2k3.vmdk’, ‘w2k3.vmsd’, ‘w2k3.vmx’, ‘w2k3.vmx.lck’ and ‘w2k3-flat.vmdk’. The file w2k3-flat.vmdk is the VMware flat file disk image; we can delete this. The file we want to edit is ‘w2k3.vmdk’. This file is the disk descriptor file and in order to boot our dd image, we must populate this file with the data of our image (collected earlier). Here are the contents of the default file; the parts we need to change are the extent line (size and filename) and the three geometry values:

# Disk DescriptorFile

version=1

CID=c4f57009

parentCID=ffffffff

createType="monolithicFlat"

# Extent description

RW 209715 FLAT "w2k3-flat.vmdk" 0

# The Disk Data Base

#DDB

ddb.virtualHWVersion = "4"

ddb.geometry.cylinders = "102"

ddb.geometry.heads = "64"

ddb.geometry.sectors = "32"

ddb.adapterType = "lsilogic"

We need to enter the disk size in sectors, image filename (in this case it’s image.dd), cylinders, heads, and sectors:

# Disk DescriptorFile

version=1

CID=c4f57009

parentCID=ffffffff

createType="monolithicFlat"

# Extent description

RW 35548320 FLAT "image.dd" 0

# The Disk Data Base

#DDB

ddb.virtualHWVersion = "4"

ddb.geometry.cylinders = "2212"

ddb.geometry.heads = "255"

ddb.geometry.sectors = "63"

ddb.adapterType = "lsilogic"
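
The same descriptor can be derived from the image file itself. The Python sketch below is an added example, not part of the original article: it computes the sector count and cylinder count, checks the MBR partition table against the image size to catch a truncated dd copy, and emits the descriptor text. The function names are hypothetical, the 255/63 geometry is assumed from the WinHex report above, and the CID and virtualHWVersion values are copied from the page's descriptor.

```python
import os
import struct

SECTOR = 512
HEADS, SPT = 255, 63  # assumption: the translated geometry WinHex reported above

def geometry(total_sectors, heads=HEADS, spt=SPT):
    """Return (cylinders, surplus sectors that do not fill a whole cylinder)."""
    return divmod(total_sectors, heads * spt)

def partitions(mbr):
    """Parse the four primary MBR entries into (type, first_lba, sector_count)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR boot signature")
    found = []
    for i in range(4):
        ptype = mbr[446 + 16 * i + 4]
        first, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype:  # type 0 marks an unused slot
            found.append((ptype, first, count))
    return found

def descriptor(image_name, total_sectors, adapter="lsilogic", cid="c4f57009"):
    """Build the monolithicFlat descriptor text; CID default is the page's value."""
    cylinders, _ = geometry(total_sectors)
    return "\n".join([
        "# Disk DescriptorFile", "version=1", f"CID={cid}",
        "parentCID=ffffffff", 'createType="monolithicFlat"',
        "# Extent description",
        f'RW {total_sectors} FLAT "{image_name}" 0',
        "# The Disk Data Base", "#DDB",
        'ddb.virtualHWVersion = "4"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        f'ddb.adapterType = "{adapter}"', ""])

def describe_image(path, adapter="lsilogic"):
    """Check a dd image for truncation, then return its descriptor text."""
    size = os.path.getsize(path)
    if size % SECTOR:
        raise ValueError("image size is not a whole number of sectors")
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    total = size // SECTOR
    for ptype, first, count in partitions(mbr):
        if first + count > total:
            raise ValueError(f"partition type {ptype:#04x} ends past the image")
    return descriptor(os.path.basename(path), total, adapter)
```

Because the extent is declared RW on a flat disk, the guest writes straight into the dd image, so point the descriptor at a working copy and keep the original image untouched.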

All that’s left to do is start the VM with fingers crossed. If something goes wrong at this point, it’s most likely that the information you entered in the vmdk file is wrong—check and double check it. If the machine starts to boot but then sits on a black screen, it’s likely that the adapter type is wrong (try buslogic or ide). Due to the hardware changes, some systems will need to be repaired so that the new hardware drivers are enabled and the old ones are no longer loaded. With this particular Windows Server image, I found that it booted as far as the ‘Preparing network connections’ indication and then crashed—no need to panic, though. After booting into safe mode once, the system ran perfectly; here’s the evidence:

http://cn.cbsimg.net/cnwk.1d/i/tr/NL_images/Fielding0912.jpg

I hope people have found this useful—I have now used this on several occasions. The possibility of using a dd-created disk image to recover and reactivate old systems is great and adds yet another tool to the sys admin's kit!
