Analyzing Virtual Machine Image throws Cannot determine file system type (Sector offset: 0) error.

[JSchimmelpfennig]

Hi guys!

I'm trying to analyze a virtual machine. It is in .vdi format, I can boot it but I want to do a forensic analysis with Autopsy 4.21.0 on Windows 11.

When I mount the image on Linux, I can access it:

sudo guestmount -a image.vdi -i --ro /mnt/vdimount

sudo ls -liha /mnt/vdimount
total 984M
    1 drwxr-xr-x 19 root root 4.0K Aug 25  2023 .
24578 drwxr-xr-x 11 root root 4.0K Apr 13 19:24 ..
   20 lrwxrwxrwx  1 root root    7 Aug  9  2023 bin -> usr/bin
   24 drwxr-xr-x  4 root root 4.0K Aug 25  2023 boot
   13 drwxr-xr-x  4 root root 4.0K Aug  9  2023 dev
    7 drwxr-xr-x 78 root root 4.0K Aug 25  2023 etc
   10 drwxr-xr-x  3 root root 4.0K Aug 25  2023 home
    2 lrwxrwxrwx  1 root root    7 Aug  9  2023 lib -> usr/lib
   14 lrwxrwxrwx  1 root root    9 Aug  9  2023 lib32 -> usr/lib32
   23 lrwxrwxrwx  1 root root    9 Aug  9  2023 lib64 -> usr/lib64
   11 lrwxrwxrwx  1 root root   10 Aug  9  2023 libx32 -> usr/libx32
   18 drwx------  2 root root  16K Aug 25  2023 lost+found
   22 drwxr-xr-x  2 root root 4.0K Aug  9  2023 media
   21 drwxr-xr-x  2 root root 4.0K Aug  9  2023 mnt
   25 drwxr-xr-x  2 root root 4.0K Aug  9  2023 opt
   17 drwxr-xr-x  2 root root 4.0K Apr 18  2022 proc
    8 drwx------  5 root root 4.0K Aug 25  2023 root
    9 drwxr-xr-x  9 root root 4.0K Aug  9  2023 run
    6 lrwxrwxrwx  1 root root    8 Aug  9  2023 sbin -> usr/sbin
   16 drwxr-xr-x  2 root root 4.0K Aug 25  2023 snap
   12 drwxr-xr-x  2 root root 4.0K Aug  9  2023 srv
    3 -rw-------  1 root root 983M Aug 25  2023 swap.img
   19 drwxr-xr-x  2 root root 4.0K Apr 18  2022 sys
    4 drwxrwxrwt 12 root root 4.0K Aug 25  2023 tmp
   15 drwxr-xr-x 14 root root 4.0K Aug  9  2023 usr
    5 drwxr-xr-x 14 root root 4.0K Aug 25  2023 var

I read, that Autopsy can't deal with .vdi files:
https://andreafortuna.org/2016/09/08/open-a-vmware-disk-image-vmdk-with-autopsy-for-forensics-analisys/

So I converted it and I tried .vmdk and .raw:

qemu-img convert -f vdi -O vmdk image.vdi image.vmdk
qemu-img convert -f vdi -O raw image.vdi image.raw

When I add the .vmdk file, I always recieve "Errors occurred while ingesting image 1. Cannot determine file system type (Sector offset: 0)".

I used the Windows 4.21.0 binary, so I think the solution mentioned here "If I had to guess, your sleuthkit was not compiled with libewf, so it can't correctly process the E01." doesn't work: #5198

The .raw file throws the following errors:
Errors occurred while ingesting image

1. Cannot determine file system type (Sector offset: 2048, Partition Type: )
2. Cannot determine file system type (Sector offset: 3674112, Partition Type: )

I can identify vol5 as boot partition.

But vol6 (which is obviously the root file sytem) can't be accessed.

As I'm only interested in the biggest partition (which should be then the root partition), I used the option "Extract Unallocated Space to Single File" for vol6 which created "image.raw-Unalloc-6-514.dat".

When I import as new data source, I again get:
Errors occurred while ingesting image

1. Cannot determine file system type (Sector offset: 0)

---

Reading also this Pull Request, I used the ingest module "virtual machine extractor", without success:
#1827

Errors occurred while ingesting image

1. Cannot determine file system type (Sector offset: 0)

---

I also "unzipped" the .vdi file and receive 0.img, 1.img, 2.img. Importing 2.img (the largest one with 6GB) in Autopsy also gives

Errors occurred while ingesting image

1. Cannot determine file system type (Sector offset: 0)

But importing 1.img works and is again the boot partition:

---

What do I need to do to analyze the Virtual Machine Image with Autopsy?

Thank you :)

[markmckinnon]

If the original file is a vdi file is there a reason. You did not use virtual box to convert the file instead of qemu? If you are using g the Windows version of Autopsy then it has Ewf support automatically built in. My guess would be that the Protected MBR and GPT are messed up somehow from the conversion. Looking at the first 2048 bytes of the raw image could tell you that. When you converted to the. Musk did you convert it as a growable vmdk or a full size vmdk?

[JSchimmelpfennig]

Hi and thanks for your answer. Your answer has some grammar and syntactical errors which makes it hard for me to understand what additional information you want me to provide :)

I used the qemu commands I provided in the initial post to convert the .vdi image to convert it to vmdk and raw.

This is the .vdi file:

I now also exported the .vdi file to a VHD with pre-allocated size

but I still get the same error in Autopsy.

[markmckinnon]

Can you provide a sample disk that has this issue so I can take a look at it?

[JSchimmelpfennig]

I guess I found the problem here. I opened the image with FTK Analyzer and could see the content of the partition that was shown as unallocated / unknown in Autopsy. I guess it was a Linux LVM partition.

Then I exported the partition as disk image

and I could successfully import that to Autopsy.

After some more research, I guess this issue describes the same problem: #7888