Virtualizing Mac on Windows


Can it be done?

4
57%

2
28%

1
14%

 
Total Votes: 7

  

LeGioN
Member
 

Virtualizing Mac on Windows

Post Posted: Feb 16, 18 14:46

I tried googling the forums (and the rest of the known internet) to see if anyone has had any success/experience with virtualizing images of Apple machines on Windows?

I imaged an old MacBook Air as part of an investigation using Tableau TD2u to E01 format.
From there I converted them to RAW using FTK Imager.

I then used the VBoxManage tool to convert the raw file to VDI and VMDK.

While booting it in VirtualBox it starts booting, but it hangs after the kernel has panicked. I have told it to remain calm and breathe but it does not seem to help.

Mac OS version:
Not yet set

Kernel version:
Darwin Kernel 10.0.0: Fri Jul 31 22:47:34 PDT 2009; root:xnu-1456.1.25~/RELEASE_1386
System model name: X10DAi (VirtualBox)

System uptime in nanoseconds: (A value that is never the same)


Virtualization has been enabled in boot and in VirtualBox. And according to what I have googled so far, the hardware should be able to run it.
I also tried to use VBoxManage modifyvm and setextradata to modify the virtual machine to run.

In VMware I had to download an unlocker patch to be able to add the VMDK, and I have tried to restore the image to a HDD and add the partitions that way to the virtual machine. Though this only results in VMware complaining that the image is not an OSX Server... No matter how much I shout at the screen that I have not told it that we are not looking for a server.


So.. If anyone has a fool-proof way to virtualize a Mac OS/OS X image in a Windows environment using E01 evidence files, I would love to hear it..

Your friendly neighborhood Digital Forensics-man
Stig  
 
  

jaclaz
Senior Member
 

Re: Virtualizing Mac on Windows

Post Posted: Feb 16, 18 16:07

I doubt it can be done in either VirtualBox or VMware.

It can most probably be done in Qemu, though this:
www.contrib.andrew.cmu...lo/OSXKVM/
github.com/kholia/OSX-KVM

is for a Linux-based host, and it remains to be seen whether the Qemu ports to Windows can replicate it.

And of course that is about a "brand new" install; I wouldn't expect any P2V solution for that any time soon.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

calimelo
Senior Member
 

Re: Virtualizing Mac on Windows

Post Posted: Feb 16, 18 20:21

Forensic Explorer can do it. You can ask for a demo license from GetData.

Video
Examples
_________________
"Simplicity is the ultimate sophistication." 


Last edited by calimelo on Feb 17, 18 13:30; edited 1 time in total
 
  

minime2k9
Senior Member
 

Re: Virtualizing Mac on Windows

Post Posted: Feb 16, 18 20:27

Latest VFC also supports it.  
 
  

randomaccess
Senior Member
 

Re: Virtualizing Mac on Windows

Post Posted: Feb 17, 18 11:47

I haven't tested it with FEX,
but I've had a lot of success just restoring a physical to a USB3 hard drive and then option-booting it on my 2014 MacBook Pro.
The only time I've had issues is when I've taken an image of the decrypted disk (so it's a good idea to image disk0, and then enter the FV2 password and image that as well).
 
  

LeGioN
Member
 

Re: Virtualizing Mac on Windows

Post Posted: Feb 19, 18 15:37

Thank you all so much for your replies :)
Got it working!
So it worked fine with an older macOS.. Though we are now trying with a High Sierra from a 4096K disk.. And that is proving to be an ass :)
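
A pre-conversion check for the raw image produced by the E01 to RAW step in this thread, as an added example that is not part of any poster's message: it reads the GPT header at LBA 1 to report the image's logical sector size (512 or 4096 bytes) and which EFI/Apple partition types it holds. The function names and the sample image are constructed for illustration; the GUIDs are the published GPT partition type values.

```python
import io
import struct
import uuid

# Published GPT partition type GUIDs (public constants, not taken from the thread).
TYPE_NAMES = {
    "C12A7328-F81F-11D2-BA4B-00A0C93EC93B": "EFI System",
    "48465300-0000-11AA-AA11-00306543ECAC": "Apple HFS+",
    "7C3457EF-0000-11AA-AA11-00306543ECAC": "Apple APFS",
}

def inspect_gpt(image):
    """Return (sector_size, [(type, first_lba, last_lba), ...]) for a raw image file object."""
    for sector_size in (512, 4096):
        image.seek(sector_size)              # the GPT header sits at LBA 1
        header = image.read(92)
        if header[:8] == b"EFI PART":
            break
    else:
        raise ValueError("no GPT header at LBA 1 for 512- or 4096-byte sectors")
    # Header offset 72: partition array start LBA, entry count, entry size.
    entries_lba, count, entry_size = struct.unpack_from("<QII", header, 72)
    image.seek(entries_lba * sector_size)
    parts = []
    for _ in range(count):
        entry = image.read(entry_size)
        if len(entry) < 48:                  # truncated image or corrupt header
            break
        if entry[:16] == bytes(16):          # unused slot
            continue
        type_guid = str(uuid.UUID(bytes_le=entry[:16])).upper()
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        parts.append((TYPE_NAMES.get(type_guid, type_guid), first_lba, last_lba))
    return sector_size, parts

def build_sample(sector_size):
    """Constructed sample: GPT header plus an EFI and an APFS entry, no real data."""
    img = bytearray(sector_size * 4)
    img[sector_size:sector_size + 8] = b"EFI PART"
    struct.pack_into("<QII", img, sector_size + 72, 2, 4, 128)
    entries = [("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", 6, 81),
               ("7C3457EF-0000-11AA-AA11-00306543ECAC", 82, 1000)]
    for i, (guid, first, last) in enumerate(entries):
        off = 2 * sector_size + i * 128
        img[off:off + 16] = uuid.UUID(guid).bytes_le   # GUIDs are stored mixed-endian
        struct.pack_into("<QQ", img, off + 32, first, last)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(inspect_gpt(build_sample(4096)))
```

On a working copy of a real image, pass `open(path, "rb")` instead of the constructed sample.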