Yes, the answer is 42! :-)

During analysis of a compromised Windows virtual machine, I recently came across a VMware disk containing an SFS partition (id 0x42). The file is the flat (raw) extent of the VMware disk, which is why fdisk can read it directly:

# **fdisk -l DISK1-flat.vmdk**
 Disk DISK1-flat.vmdk: 200 GiB, 214748364800 bytes, 419430400 sectors
 Units: sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disklabel type: dos
 Disk identifier: 0x8b07948e
 Device              Boot Start       End   Sectors  Size Id Type
**DISK1-flat.vmdk1         63 419428351 419428289  200G 42 SFS**

According to this document, id 42 is related to a “Dynamic extended” partition:

42 Windows 2000 dynamic extended partition marker. If a partition table entry of type 0x42 is present in the legacy partition table, then W2K ignores the legacy partition table and uses a proprietary partition table and a proprietary partitioning scheme (LDM or DDM). As the Microsoft KnowledgeBase writes: Pure dynamic disks (those not containing any hard-linked partitions) have only a single partition table entry (type 42) to define the entire disk. Dynamic disks store their volume configuration in a database located in a 1-MB private region at the end of each dynamic disk.

The tools I usually use for analysis seemed to have problems with this kind of partition, including a simple ‘mount’ command. So, after some attempts, I found a simple solution: converting the “Dynamic Disk” partition into a regular partition.

To do this I used TestDisk, a great tool by Christophe Grenier.

First, open the VMDK disk with TestDisk:

# **testdisk DISK1-flat.vmdk**
Christophe GRENIER grenier@cgsecurity.org
 http://www.cgsecurity.org
 TestDisk is free software, and
 comes with ABSOLUTELY NO WARRANTY.
 Select a media (use Arrow keys, then press Enter):
   Disk DISK1-flat.vmdk - 214 GB / 200 GiB

   [Proceed ]  [  Quit  ]
 Note: Disk capacity must be correctly detected for a successful recovery.
 If a disk listed above has incorrect size, check HD jumper settings, BIOS
 detection, and install the latest OS patches and disk drivers.

Then, choose the correct partition table type…

TestDisk 7.0, Data Recovery Utility, April 2015
 Christophe GRENIER grenier@cgsecurity.org
 http://www.cgsecurity.org
 Disk DISK1-flat.vmdk - 214 GB / 200 GiB
 Please select the partition table type, press Enter when done.
**[Intel  ] Intel/PC partition**
    [EFI GPT] EFI GPT partition map (Mac i386, some x86_64…)
    [Humax  ] Humax partition table
    [Mac    ] Apple partition map
    [None   ] Non partitioned media
    [Sun    ] Sun Solaris partition
    [XBox   ] XBox partition
    [Return ] Return to disk selection

 Hint: Intel partition table type has been detected.
 Note: Do NOT select 'None' for media with only a single partition. It's very
 rare for a disk to be 'Non-partitioned'.

…and open ‘Advanced’ (Filesystem Utils):

TestDisk 7.0, Data Recovery Utility, April 2015
 Christophe GRENIER grenier@cgsecurity.org
 http://www.cgsecurity.org
 Disk DISK1-flat.vmdk - 214 GB / 200 GiB
      CHS 26109 255 63 - sector size=512
 [ Analyse  ] Analyse current partition structure and search for lost partitions
**[ Advanced ] Filesystem Utils**
    [ Geometry ] Change disk geometry
    [ Options  ] Modify options
    [ MBR Code ] Write TestDisk MBR code to first sector
    [ Delete   ] Delete all data in the partition table
    [ Quit     ] Return to disk selection

 Note: Correct disk geometry is required for a successful recovery. 'Analyse'
 process may give some warnings if it thinks the logical geometry is mismatched.

Finally, select ‘Image Creation’ and choose a directory in which to save the raw (.dd) image of the partition…

TestDisk 7.0, Data Recovery Utility, April 2015
 Christophe GRENIER grenier@cgsecurity.org
 http://www.cgsecurity.org
 Disk DISK1-flat.vmdk - 214 GB / 200 GiB - CHS 26109 255 63
  Partition                  Start        End    Size in sectors
   1 P W2K Dynamic/SFS          0   1  1 26108  52 56  419428289

 [  Type  ] **>[Image Creation]**  [  Quit  ]
                                 Create an image

…and start the process:

TestDisk 7.0, Data Recovery Utility, April 2015
 Christophe GRENIER grenier@cgsecurity.org
 http://www.cgsecurity.org
 Disk DISK1-flat.vmdk.raw - 214 GB / 200 GiB
  1 P W2K Dynamic/SFS          0   1  1 26108  52 56  419428289
 12,87 % ========>

 Disk images are mainly used
 for forensics purpose
 or to deal with media with bad sectors
 To use TestDisk or PhotoRec with this disk image, start a Terminal and run
    testdisk image.dd
 or photorec image.dd
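As an added example, not part of the original post and not TestDisk's own code, here is a small shell workflow that performs the check behind this procedure. It pulls the type-0x42 entry out of the fdisk listing above, converts its start sector into a byte offset and verifies that an NTFS boot sector actually begins there, which is what makes the dumped partition usable as a regular volume. The demo disk image it builds and the /mnt/evidence mount point are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from TestDisk.
# Given the raw flat VMDK and the fdisk listing, find the type-0x42 (dynamic/SFS)
# entry, turn its start sector into a byte offset, and confirm an NTFS boot
# sector really sits at that offset before mounting or imaging. The fdisk text
# below is copied from the page; the disk image is constructed here for the demo.
set -eu

FDISK_SAMPLE='Disk DISK1-flat.vmdk: 200 GiB, 214748364800 bytes, 419430400 sectors
Units: sectors of 1 * 512 = 512 bytes
Device              Boot Start       End   Sectors  Size Id Type
DISK1-flat.vmdk1         63 419428351 419428289  200G 42 SFS'

# dynamic_start_sector <fdisk -l text>: start sector of the first Id=42 entry.
# The Boot column shows "*" only on bootable entries, which shifts the fields.
dynamic_start_sector() {
    printf '%s\n' "$1" | awk '
        $1 != "Device" && $(NF-1) == "42" { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# dynamic_sector_count <fdisk -l text>: Sectors column of the same entry.
dynamic_sector_count() {
    printf '%s\n' "$1" | awk '
        $1 != "Device" && $(NF-1) == "42" { n = ($2 == "*") ? $5 : $4; print n; exit }'
}

# byte_offset <start sector> [sector size, default 512]
byte_offset() {
    echo $(( $1 * ${2:-512} ))
}

# ntfs_at_offset <image> <byte offset>: succeeds if the 8-byte NTFS OEM ID
# "NTFS    " is at offset+3, i.e. a boot sector starts exactly at the partition start.
ntfs_at_offset() {
    oem=$(dd if="$1" bs=1 skip=$(( $2 + 3 )) count=8 2>/dev/null)
    [ "$oem" = "NTFS    " ]
}

# mount_command <image> <byte offset> <mount point>: read-only mount of the
# volume inside the whole-disk image, without extracting it first.
mount_command() {
    echo "mount -o ro,offset=$2 $1 $3"
}

# make_demo_image <path>: 70 zeroed sectors with a fake NTFS boot sector
# (x86 jump + "NTFS    " OEM ID) at sector 63, mimicking the layout on the page.
make_demo_image() {
    dd if=/dev/zero of="$1" bs=512 count=70 2>/dev/null
    printf '\353\122\220NTFS    ' | dd of="$1" bs=512 seek=63 conv=notrunc 2>/dev/null
}

# Walk the workflow against the constructed image (hypothetical paths).
main() {
    img=${1:-/tmp/demo-dynamic.raw}
    make_demo_image "$img"
    start=$(dynamic_start_sector "$FDISK_SAMPLE")
    off=$(byte_offset "$start")
    if ntfs_at_offset "$img" "$off"; then
        echo "NTFS boot sector found at sector $start (byte offset $off)"
        mount_command "$img" "$off" /mnt/evidence
    else
        echo "no NTFS boot sector at sector $start: not a simple volume, inspect the LDM database" >&2
        return 1
    fi
}

main "$@"
```

On the real evidence file the same extraction TestDisk performs can be done with dd (`dd if=DISK1-flat.vmdk of=part.dd bs=512 skip=63 count=419428289`) or avoided entirely with a read-only loop device (`losetup -r -o 32256 -f --show DISK1-flat.vmdk`). The signature check matters because this shortcut only works for a simple volume whose filesystem still begins at the old partition start, typically a basic disk that was later converted to dynamic; spanned, striped or mirrored volumes keep their layout in the LDM database at the end of the disk and need a tool that parses it, such as ldmtool on Linux.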

That’s all folks!


References

  • Partition types: List of partition identifiers for PCs
  • CGSecurity - Data recovery: TestDisk & PhotoRec