How to convert a Windows SFS (Dynamic Disks) partition to regular partition for forensic analysis

Yes, the answer is 42! 🙂

During analysis of a compromised Windows virtual machine, I recently came across a VMware disk containing an SFS partition (id 42):

# fdisk -l DISK1-flat.vmdk
Disk DISK1-flat.vmdk: 200 GiB, 214748364800 bytes, 419430400 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x8b07948e
Device Boot Start End Sectors Size Id Type
DISK1-flat.vmdk1 63 419428351 419428289 200G 42 SFS

According to this document, id 42 (0x42) marks a “Dynamic extended” partition:

42 Windows 2000 dynamic extended partition marker
If a partition table entry of type 0x42 is present in the legacy partition table, then W2K ignores the legacy partition table and uses a proprietary partition table and a proprietary partitioning scheme (LDM or DDM). As the Microsoft KnowledgeBase writes: Pure dynamic disks (those not containing any hard-linked partitions) have only a single partition table entry (type 42) to define the entire disk. Dynamic disks store their volume configuration in a database located in a 1-MB private region at the end of each dynamic disk.

Tools that I usually use for analysis seemed to have problems with this kind of partition, including a simple ‘mount’ command.
So, after some attempts, I found a simple solution: converting the “Dynamic Disks” partition into a regular partition.

To perform this process I used TestDisk, a great tool by Christophe Grenier.

First, open VMDK disk with TestDisk:

# testdisk DISK1-flat.vmdk 
Christophe GRENIER grenier@cgsecurity.org
http://www.cgsecurity.org
TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.
Select a media (use Arrow keys, then press Enter):
Disk DISK1-flat.vmdk - 214 GB / 200 GiB

[Proceed ] [ Quit ]
Note: Disk capacity must be correctly detected for a successful recovery.
If a disk listed above has incorrect size, check HD jumper settings, BIOS
detection, and install the latest OS patches and disk drivers.

Then, choose the correct partition table type (here TestDisk already hints that an Intel/PC partition table was detected)…

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER grenier@cgsecurity.org
http://www.cgsecurity.org
Disk DISK1-flat.vmdk - 214 GB / 200 GiB
Please select the partition table type, press Enter when done.
[Intel ] Intel/PC partition
[EFI GPT] EFI GPT partition map (Mac i386, some x86_64…)
[Humax ] Humax partition table
[Mac ] Apple partition map
[None ] Non partitioned media
[Sun ] Sun Solaris partition
[XBox ] XBox partition
[Return ] Return to disk selection

Hint: Intel partition table type has been detected.
Note: Do NOT select 'None' for media with only a single partition. It's very
rare for a disk to be 'Non-partitioned'.

…and open “Advanced” (Filesystem Utils):

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER grenier@cgsecurity.org
http://www.cgsecurity.org
Disk DISK1-flat.vmdk - 214 GB / 200 GiB
CHS 26109 255 63 - sector size=512
[ Analyse ] Analyse current partition structure and search for lost partitions
[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ MBR Code ] Write TestDisk MBR code to first sector
[ Delete ] Delete all data in the partition table
[ Quit ] Return to disk selection

Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.

Finally, with the “W2K Dynamic/SFS” partition highlighted, select ‘Image Creation’ and choose a directory for the .dd dump of the partition (TestDisk names it image.dd)…

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER grenier@cgsecurity.org
http://www.cgsecurity.org
Disk DISK1-flat.vmdk - 214 GB / 200 GiB - CHS 26109 255 63
Partition Start End Size in sectors
1 P W2K Dynamic/SFS 0 1 1 26108 52 56 419428289

[ Type ] >[Image Creation] [ Quit ]
Create an image

…and start the process:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER grenier@cgsecurity.org
http://www.cgsecurity.org
Disk DISK1-flat.vmdk.raw - 214 GB / 200 GiB
1 P W2K Dynamic/SFS 0 1 1 26108 52 56 419428289
12,87 % ========>

Disk images are mainly used
for forensics purpose
or to deal with media with bad sectors
To use TestDisk or PhotoRec with this disk image, start a Terminal and run
testdisk image.dd
or photorec image.dd
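
As an added example (not part of the original post and not TestDisk's own code), the following Python script does non-interactively what the TestDisk session above does: it parses the legacy MBR of the flat VMDK, locates the single type 0x42 entry, checks whether that region begins with an NTFS boot sector, and carves the region to a .dd file, returning the byte offset that would also serve as a loop-mount offset. The disk image it runs on is constructed inside the script (a 2 MiB file with one 0x42 entry starting at sector 63 and a minimal NTFS boot sector there); the file names and the size of the fake volume are assumptions for the example, not data from the post.

```python
import os
import struct
import tempfile

SECTOR = 512
SFS_TYPE = 0x42  # fdisk "SFS", TestDisk "W2K Dynamic/SFS": the dynamic-disk marker


def read_mbr_partitions(image_path):
    """Parse the four primary entries of a legacy MBR (offset 446, 16 bytes each)."""
    with open(image_path, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:  # unused slot
            continue
        start, count = struct.unpack_from("<II", e, 8)  # LBA start, sector count
        entries.append({"index": i + 1, "bootable": e[0] == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries


def find_sfs_partition(image_path):
    """Return the single type-0x42 entry; a pure dynamic disk has exactly one."""
    sfs = [e for e in read_mbr_partitions(image_path) if e["type"] == SFS_TYPE]
    if len(sfs) != 1:
        raise ValueError(f"expected one type 0x42 entry, found {len(sfs)}")
    return sfs[0]


def ntfs_boot_sector_at(image_path, sector):
    """If the given sector holds an NTFS boot sector (OEM ID 'NTFS    ' at byte 3,
    0x55AA at 510), return the volume size in sectors (TotalSectors, offset 0x28);
    otherwise return None."""
    with open(image_path, "rb") as f:
        f.seek(sector * SECTOR)
        bs = f.read(SECTOR)
    if len(bs) < SECTOR or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        return None
    return struct.unpack_from("<Q", bs, 0x28)[0]


def carve_partition(image_path, out_path, chunk=4 << 20):
    """Copy the 0x42 region to out_path, the equivalent of TestDisk's Image Creation.
    Returns (byte offset, byte length); the offset doubles as a loop-mount offset."""
    part = find_sfs_partition(image_path)
    offset, remaining = part["start"] * SECTOR, part["sectors"] * SECTOR
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(offset)
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:
                raise IOError("image ends before the partition does")
            dst.write(buf)
            remaining -= len(buf)
    return offset, part["sectors"] * SECTOR


def build_sample_image(path, total_sectors=4096, start=63):
    """Constructed sample (not a real disk): MBR with one type-0x42 entry starting
    at `start`, and a minimal NTFS boot sector at that LBA."""
    mbr = bytearray(SECTOR)
    # status, CHS start (unused), type, CHS end (unused), LBA start, sector count
    mbr[446:462] = bytes([0x00, 0xFE, 0xFF, 0xFF, SFS_TYPE, 0xFE, 0xFF, 0xFF]) \
        + struct.pack("<II", start, total_sectors - start)
    mbr[510:512] = b"\x55\xaa"
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"
    bs[3:11] = b"NTFS    "
    # TotalSectors: the volume is smaller than the 0x42 region, which also holds
    # the 1 MB LDM database at the end of the disk (assumed size for the sample)
    struct.pack_into("<Q", bs, 0x28, total_sectors - start - (1 << 20) // SECTOR)
    bs[510:512] = b"\x55\xaa"
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(bytes((start - 1) * SECTOR))
        f.write(bs)
        f.write(bytes((total_sectors - start - 1) * SECTOR))
    return path


def demo():
    """Run the whole flow on the constructed sample and return what was found."""
    with tempfile.TemporaryDirectory() as d:
        img = build_sample_image(os.path.join(d, "DISK1-flat.vmdk"))
        part = find_sfs_partition(img)
        out = os.path.join(d, "DISK1-part1.dd")
        offset, _ = carve_partition(img, out)
        return {
            "type": part["type"], "start": part["start"], "sectors": part["sectors"],
            "ntfs_sectors_in_disk": ntfs_boot_sector_at(img, part["start"]),
            "ntfs_sectors_in_dd": ntfs_boot_sector_at(out, 0),
            "mount_offset": offset, "dd_size": os.path.getsize(out),
        }
```

On the disk from the post, find_sfs_partition() would report start sector 63, i.e. a byte offset of 32256. When the 0x42 region begins with an NTFS boot sector, as a simple volume converted from a basic partition does, that offset can be used directly with a read-only loop mount (mount -o ro,loop,offset=32256 …) instead of dumping all 200 GB; the 1 MB LDM database at the end of the region is beyond the NTFS TotalSectors and is ignored by the filesystem driver. If the region does not start with a boot sector (several volumes, or spanned/striped volumes), the volume layout is only in the LDM database, and ldmtool from libldm is the tool to map those volumes rather than a raw carve.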

That’s all folks!
