
Wednesday, February 3, 2016

Resize Disk for VM images (Kali Linux as a Guest OS)

1. In VMware settings, change the disk size

2. Boot the VM image with the installation Disk ISO. You can choose the startup device in the VMware settings. 

3. Open the GParted application. 

4. Since the added space is at the end of the disk, you need to delete the Linux swap partition first; then you can expand your /dev/sda1.

For details, see: http://askubuntu.com/questions/51272/how-do-i-repartition-with-gparted

  1. In the machine's settings point the CD Drive to the .iso file with your Ubuntu LiveCD. You may also need to make sure the "Connect at power on" check box is checked.
  2. Power the virtual machine on and hit F2 with the focus inside the machine.
  3. Once inside the BIOS move to the Boot tab and select CD-Rom as primary boot device.
  4. Run gParted - I think it's always there.
  5. Destroy the swap partition: swapoff, delete the extended and linux-swap partitions.
  6. Resize your primary partition to desired size.
  7. Allocate your swap back again to whatever you like - create an extended partition and then allocate as linux swap. Remember about swapon :)
And that's it. You now have a big primary partition!
In my case you'd need to have Jedi reflexes to get into BIOS by pressing F2 on the splash screen - the boot delay is just too short. What you can do to slow it down is go to your vm's .vmx file and type in something reasonable like:


Other useful link: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1020778

Wednesday, October 12, 2011

How to Extract the disk image from the USB thumb drive

$ mount
You should see the USB thumb drive mounted:
/dev/disk3s1 on /Volumes/JIANG-USB

Before you extract the USB disk image, you should unmount the disk. Otherwise, you get a "device busy" message.
$ sudo umount /dev/disk3s1
For Mac:
$ sudo diskutil unmount /dev/disk3s1

Then you could use dd to extract the USB disk image:
$ dd if=/dev/disk3s1 of=~/USB_Image.raw
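
An image that will be analysed or compared later should be hashed at acquisition time, so any later change to the copy is detectable. The script below is an added example, not part of the original post: it wraps the dd step in a hash check, and the function names, the .sha256 sidecar file and the constructed stand-in for /dev/disk3s1 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: acquire an image with dd and prove the copy matches the source.

# SHA-256 of a file or device node (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire SRC IMG: copy SRC to IMG, hash both, record the hash in IMG.sha256.
# Returns 0 if source and image hashes match, 1 if they differ, 2 if dd failed.
acquire() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 2
    chmod a-w "$img"                      # guard the evidence copy against edits
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    [ "$src_hash" = "$img_hash" ] || return 1
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
}

# verify IMG: re-hash IMG and compare with the value recorded at acquisition.
verify() {
    recorded=$(awk '{print $1}' "$1.sha256") || return 2
    [ "$(sha256_of "$1")" = "$recorded" ]
}

# Demo on constructed data: a 3 MiB + 100 byte file stands in for /dev/disk3s1.
demo() {
    work=$(mktemp -d) || return 2
    head -c 3145828 /dev/urandom > "$work/fake_device"
    acquire "$work/fake_device" "$work/USB_Image.raw" && verify "$work/USB_Image.raw"
    status=$?
    rm -rf "$work"
    return $status
}

demo && echo "image verified"
```

Against a real drive, run acquire as root on the unmounted device and keep the .sha256 file with the image.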

How to compare two disk RAW images

Use the tool Autopsy!
Here is the course website:
http://www.cs.gmu.edu/~astavrou/ISA785_F11.html
In week 2, CERT Forensic Tools is a VMware image which has Autopsy inside the VM.
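
Before loading two images into Autopsy, a quick block-level check shows whether they differ at all and where. The script below is an added example, not part of the original post or of Autopsy: it uses cmp to list the sectors that differ between two raw images, with function names and constructed sample images chosen for illustration.

```sh
#!/bin/sh
# Added example: list which sectors differ between two raw images.

# changed_sectors IMG_A IMG_B [SECTOR_SIZE]
# Prints the 0-based number of each differing sector, one per line.
# cmp -l emits "<1-based byte offset> <octal a> <octal b>" per differing byte;
# awk folds those byte offsets into sector numbers and drops repeats.
changed_sectors() {
    cmp -l "$1" "$2" 2>/dev/null |
        awk -v ss="${3:-512}" 'BEGIN { last = -1 }
            { s = int(($1 - 1) / ss); if (s != last) { print s; last = s } }'
}

# same_size IMG_A IMG_B: true when both images have the same length. cmp only
# compares the common prefix, so a length difference is checked separately.
# The substitutions are left unquoted so padding in wc output is dropped.
same_size() {
    [ $(wc -c < "$1") -eq $(wc -c < "$2") ]
}

# Demo on constructed data: two 4096-byte images; patch two bytes in the copy.
demo_compare() {
    work=$(mktemp -d) || return 2
    head -c 4096 /dev/zero > "$work/before.raw"
    cp "$work/before.raw" "$work/after.raw"
    printf 'A' | dd of="$work/after.raw" bs=1 seek=1000 conv=notrunc 2>/dev/null
    printf 'B' | dd of="$work/after.raw" bs=1 seek=3000 conv=notrunc 2>/dev/null
    same_size "$work/before.raw" "$work/after.raw" || echo "sizes differ"
    changed_sectors "$work/before.raw" "$work/after.raw"
    rm -rf "$work"
}

demo_compare
```

The sector numbers it prints can be mapped to files inside Autopsy; the script itself says nothing about which files changed.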
Analysis of disk images by using Autopsy

Convert VMware VMDK disks to the RAW format that is used as input to forensics programs (including Autopsy).

How to convert VMware VMDK disks to RAW format (used as input for forensics tools, including Autopsy)


1) Install QEMU, a program that can convert VMware VMDK disks to the RAW format that
is used as input to forensics programs (including Autopsy).
The command for that is:
$ yum install qemu (remember to enable networking on the CERT virtual machine if it is not on).

2) Execute $ qemu-img convert -O raw linux.vmdk raw-linux.bin 
(from the shared folders directory "linux.vmdk" is the infected VM Disk)

Friday, February 4, 2011

mount LVM partition from other disk

Suppose you installed Ubuntu or Cent OS on your machine and you want to mount an LVM partition from another disk.
The detailed steps follow:

2. Boot using the live CD. Look for the lvm2 tools. If the CD does not have them, install them. (Cent OS already has them installed; Ubuntu may not.)
# apt-get install lvm2

3. To make sure the harddisk is recognised, you can use fdisk
# fdisk -lu

4. Once installed, run pvscan to scan all disks for physical volumes. This makes sure your LVM hard disk is detected by Ubuntu.
# pvscan
PV /dev/sda2 VG VolGroup00 lvm2 [74.41 GB / 32.00 MB free]
Total: 1 [74.41 GB] / in use: 1 [74.41 GB] / in no VG: 0 [0 ]

5. After that run vgscan to scan disks for volume groups.
# vgscan
Reading all physical volumes. This may take a while...
Found volume group "VolGroup00" using metadata type lvm2

6. Activate all volume groups available.
# vgchange -a y
2 logical volume(s) in volume group "VolGroup00" now active

7. Run lvscan to scan all disks for logical volume. You can see partitions inside the hard disk now active.
# lvscan
ACTIVE '/dev/VolGroup00/LogVol00' [72.44 GB] inherit
ACTIVE '/dev/VolGroup00/LogVol01' [1.94 GB] inherit

8. Mount the partition to any directory you want, usually to /mnt
# mount /dev/VolGroup00/LogVol00 /mnt

more info:
http://linuxwave.blogspot.com/2007/11/mounting-lvm-disk-using-ubuntu-livecd.html

Sunday, January 23, 2011

AUFS HOWTO

Also see aufs+ramdisk setup at: another article

For AUFS2: 
http://aufs.sourceforge.net/

For AUFS1:
http://aufs.sourceforge.net/README.aufs1

Download aufs, configure and compile it. Then install the module.

Usage example:
$ mkdir /tmp/rw /tmp/aufs
$ mount -t aufs -o dirs=/tmp/rw:${HOME}=ro none /tmp/aufs
Or 
$ mount -t aufs -o br:/tmp/rw:${HOME}=ro none /tmp/aufs
/tmp/aufs = $HOME + /tmp/rw
If you touch a file in /tmp/aufs, the file will show up in /tmp/rw, not in $HOME, because $HOME is read-only.

AUFS1 + ramdisk setup

OS environment: Cent OS 5.5

1. compile and install linux kernel 2.6.18
$ wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.18.tar.bz2
$ make menuconfig   # remember to install ncurses-devel
$ make -j4
$ make modules_install
$ make install
Add the new kernel to menu.lst and reboot.

2. Edit menu.lst to initialize a ramdisk of about 500MB (add ramdisk_size=500000 to the kernel line)
kernel /vmlinuz-2.6.18 ro root=LABEL=/ hdc=ide-scsi ramdisk_size=500000


3. format this ramdisk and mount ramdisk to mountpoint /ramdisk
$ mke2fs -m 0 /dev/ram0   
$ mkdir /ramdisk
$ mount /dev/ram0 /ramdisk


4. Compile and install the aufs1 module. More info: http://aufs.sourceforge.net/README.aufs1
$ cd /your/linux/kernel/source   # e.g. /lib/modules/2.6.18/source/
$ make menuconfig
$ make include/linux/version.h include/linux/utsrelease.h

$ cd aufs.wcvs/aufs
$ rm fs/aufs/Kconfig
$ make -f local.mk kconfig

$ make -f local.mk   # compile the aufs module

$ install -m 500 -p mount.aufs umount.aufs auplink aulchown auchk /sbin   # recommended
$ install -m 644 -p etc_default_aufs /etc/default/aufs   # recommended
$ echo FLUSH=ALL > /etc/default/auplink   # recommended
$ insmod ./aufs.ko   # load the aufs module; you need to do this every time after a reboot


5. mount /home /root /tmp ... directory to ramdisk
$ mkdir /ramdisk/home
$ mount -t aufs -o dirs=/ramdisk/home:/home=ro none /home   # /home is read-only; all files written to /home are written into /ramdisk/home

Thursday, January 20, 2011

create RAMDISK HOWTO

OS: Cent OS 5.5
1. Set the ramdisk size you want
$ vim /boot/grub/menu.lst
To set the ramdisk size to 128 MB, add ramdisk_size=128000 to the kernel line:
kernel /vmlinuz-2.4.20-20.9 ro root=LABEL=/ hdc=ide-scsi ramdisk_size=128000
$ reboot

2. Format the ramdisk
$ mke2fs -m 0 /dev/ram0

3. Create a mount point to mount the ramdisk
$ mkdir /mnt/ramdisk
$ mount /dev/ram0 /mnt/ramdisk


More detailed: http://www.vanemery.com/Linux/Ramdisk/ramdisk.html

Wednesday, December 15, 2010

Disk partition and mount

Show all the partitions on the hard disk:
$ sudo fdisk -l


Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000db6bb

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       18249   146585061   83  Linux
/dev/sda2           18250       36485   146480670   83  Linux
/dev/sda3           36486       54721   146480670   83  Linux
/dev/sda4           54722       60802    48839073    5  Extended
/dev/sda5           54722       55207     3903763+  82  Linux swap / Solaris
/dev/sda6           55208       60802    44935168   83  Linux

This is an example

For this hard disk, I only installed Debian on sda1 and installed Ubuntu on sda6.
sda5 is the swap partition. I set it as a logical partition.

I also partitioned sda2 and sda3. I set the ext3 journaling format.
My previous blog post has more detailed installation information.
I don't understand why sda4 came out.

sda1 has Debian installed.
You can check the OS version:

$ cd /mnt
$ sudo mkdir sda1
$ sudo mount /dev/sda1 sda1
$ cd sda1
$ cat etc/lsb-release   # or etc/redhat-release; relative path, so it reads the mounted sda1

Tuesday, December 14, 2010

Moving hard drive from one computer to another

Tested:
Move Windows 2008 Server: no problem.
Move CentOS 5.5: kernel panic.
Move openSUSE: cannot find drive.

For a more detailed discussion:
https://bbs.archlinux.org/viewtopic.php?id=108472