Extract filesystem bodyfile from a VirtualBox VM
Using vboxmanage and some tools from SleuthKit
A key step in a forensic analysis is building a timeline of filesystem activity.
This can be done, for example, with the fls tool from SleuthKit: run with -m, it walks a filesystem and writes one line per file, with its timestamps, in the bodyfile format (which mactime then turns into a sorted timeline):
The bodyfile is a timeline input format introduced by SleuthKit: a pipe-separated text file with one file or directory per line.
Version 2 (used by SleuthKit 2):
MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks
Version 3 (used by SleuthKit 3 and later, and what current fls produces):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
All times are POSIX (Unix epoch) timestamps in seconds; a value of 0 means the filesystem does not record that time (crtime on ext2/ext3, for instance).
When this has to be done against a VirtualBox guest, a few additional steps are required.
My procedure consists of converting the VM disk to RAW format, identifying the offset of the system partition, and creating the bodyfile.
Let's go through these steps:
1. Clone the VBox disk into a RAW disk image
Using the vboxmanage command (the input can be the path of the .vdi/.vmdk file or its UUID):
vboxmanage clonemedium <VMDISK> ./disk.raw --format=raw
Note that if the VM has snapshots, the base disk only holds the state before the first snapshot; the current state lives in the differencing images under the VM's Snapshots directory, so clone the one the VM is currently attached to (vboxmanage showvminfo <VM> lists it).
2. Get the correct offset for the system partition
Using mmls, part of SleuthKit, to print the partition table of the RAW image:
# mmls disk.raw
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0020948759   0020948697   NTFS / exFAT (0x07)
003:  -------   0020948760   0020971519   0000022760   Unallocated
The Start column is expressed in the unit mmls reports (512-byte sectors here), which is also the unit fls expects for its offset. Here the system partition is the NTFS one in slot 000:000, starting at sector 63.
3. Create the bodyfile
Pass the partition's start sector (63) as the offset to fls (another SleuthKit tool), with -r to recurse into directories and -m / to prefix every path with the mount point:
fls -o 63 -r -m / disk.raw > disk.bodyfile
Is it scriptable?
Yes, with a quick-and-dirty bash trick that picks the largest partition on the disk as the system partition:
https://gist.github.com/andreafortuna/69a075440037db9d0dcbb4c6f751d378
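The whole procedure as a single POSIX shell script, written here as an added example (it is not the gist linked above and not SleuthKit's or VirtualBox's own code). The `largest_partition_offset` function implements the "largest partition" heuristic by parsing mmls output: it keeps only allocated rows (slot like 000:000 for DOS tables, or 000 for GPT, which is an assumption about mmls's GPT slot format), skips extended-partition containers that would otherwise win on size, and prints the start sector of the biggest one. The two mmls listings embedded in the script are constructed test inputs (the first is copied from the output above, the second is a made-up Linux layout with a small /boot before a larger root). It assumes vboxmanage, mmls and fls are on PATH and that mmls reports 512-byte sectors, the unit fls -o expects by default.

```shell
#!/bin/sh
# Added example, not the author's gist: clone a VirtualBox disk to RAW,
# pick the largest allocated partition from mmls, and run fls on it.
# Assumes vboxmanage, mmls and fls are on PATH and that mmls reports
# 512-byte sectors (the default unit of fls -o).
set -eu

# Read mmls output on stdin and print the start sector of the largest
# allocated partition. Allocated rows carry a slot like 000:000 (DOS)
# or 000 (GPT, assumed format); Meta and ------- rows are skipped, as are
# extended-partition containers (they would otherwise win on size).
# Exits 1 if no allocated partition is found.
largest_partition_offset() {
    awk 'BEGIN { max = -1 }
         $2 ~ /^[0-9]+(:[0-9]+)?$/ && $0 !~ /Extended/ {
             if ($5 + 0 > max) { max = $5 + 0; start = $3 }
         }
         END { if (max < 0) exit 1; printf "%d\n", start }'
}

# Clone VMDISK to RAW, locate the system partition, write the bodyfile.
# Usage: vbox_bodyfile <VMDISK> [output.bodyfile]
vbox_bodyfile() {
    vmdisk="$1"
    out="${2:-disk.bodyfile}"
    raw="disk.raw"
    vboxmanage clonemedium "$vmdisk" "$raw" --format=raw
    offset="$(mmls "$raw" | largest_partition_offset)"
    printf 'using partition starting at sector %s\n' "$offset" >&2
    fls -o "$offset" -r -m / "$raw" > "$out"
}

# Constructed test input: the mmls listing from the article (NTFS guest).
SAMPLE_MMLS_NTFS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0020948759   0020948697   NTFS / exFAT (0x07)
003:  -------   0020948760   0020971519   0000022760   Unallocated'

# Constructed test input: a Linux layout with a small /boot, then root.
SAMPLE_MMLS_LINUX='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0020971519   0019920896   Linux (0x83)'

if [ "$#" -ge 1 ]; then
    vbox_bodyfile "$@"
else
    # No disk given: show the heuristic on the constructed sample (prints 63).
    printf '%s\n' "$SAMPLE_MMLS_NTFS" | largest_partition_offset
fi
```

Run it as `sh script.sh /path/to/guest.vdi` to produce disk.bodyfile; `mactime -b disk.bodyfile -d` then renders it as a comma-separated timeline. The heuristic is exactly that: on a disk where the system partition is not the largest one (a recovery or data partition bigger than C:, for example) read the mmls listing yourself and pass the right sector to fls -o.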
References
VirtualBox manual, chapter 8 (VBoxManage): https://www.virtualbox.org/manual/ch08.html