qubes 3.2 windows 10 as "template vm" does not boot anymore. How to do forensics on the image

[ludwig jaffe]

Hi, I run qubes 3.2 on a dell desktop (core4duo gen xeon),
and it was happpy with running windows10 as a guest without any
special windows-tools for qubes.
Then one day, I did not change anything besides updating qubes 3.2 when
there were updates, the windows10 guest does not start anymore.

As there are production data on the windows10 I want to know how to do
forensics here and recover the data.
There are no mountable file images. What to do?
I installed win10 as a "template vm" as I was not sure what to take,
but then ended up using 3 "templates" seperately. I do not think that
templates in windows10 are made like linux templates that share somehow a
file system.

Any ideas?
-boot?
-forensics (at least)?

Cheers Ludwig

[ludwig jaffe]

core2quad gen xeon. :-)

[yaqu]

On Mon, 28 Nov 2016 12:48:10 -0800 (PST), ludwig jaffe
<ludwig...@gmail.com> wrote:

> As there are production data on the windows10 I want to know how to do
> forensics here and recover the data.
> There are no mountable file images. What to do?

[...]

> Any ideas?
> -boot?
> -forensics (at least)?

Are you sure the are no mountable images? You should be able to attach
images to other VM, something like this (in dom0):

$ qvm-block -A work -f xvdi dom0:/var/lib/qubes/appvms/win7/root.img
$ qvm-block -A work -f xvdj dom0:/var/lib/qubes/appvms/win7/private.img

And then in VM (here: in a fedora-based appvm):

$ sudo fdisk -l /dev/xvdi
$ sudo fdisk -l /dev/xvdj
$ sudo mount /dev/xvdi1 /mnt/disk1
$ sudo mount /dev/xvdi2 /mnt/disk2
$ sudo mount /dev/xvdj1 /mnt/disk3

That should give you access to your files.

--
yaqu