Hi All,
I am trying to put together some procedures for examining virtual machines found on an acquired hard drive. I am curious as to experiences in this realm. I want to include all types of VMs and am looking for tools that can convert a VM file to a dd file. Any help would be appreciated.
FTK Imager will open .vmdk files and let you "acquire" them to dd
http//
I agree the .vmdk file is where all of that good information is. I did experience some trouble in using FTK to analyze the virtual machine. EnCase was much more beneficial in this aspect. If you would like, I have produced a report on virtual machine analysis.
I for one would love to see your report on VM analysis.
I will get that over to you as soon as possible.
FTK Imager is by far and away the easiest way to "acquire" a .vmdk to a dd image. FTK itself can parse .vmdk, but I prefer to convert to dd for simplification. This is the method I use when I create class materials for trainings.
qemu-img can convert to dd as well.
pronie2121,
I would like to see your report as well. I will also be working on other VMs such as those created by Virtual PC, and Parallels.
Hogfly,
Thanks for the tip on qemu-img. We have been using VirtualBox quite a bit, so I will look at this as well.
keydet89,
Thanks for the link to some great information. I will have to revisit FTK Imager. (I thought we looked at it.)
dbarrett,
If you haven't seen it yet, I had a blog entry on VirtualBox. The comments include a tip on working with dynamic images as well.
http//
Also, you can mount the .vmdk file with VDK and use dsfo/dsfi or dd for Windows to dd the \\.\PhysicalDriveN to a RAW image.
jaclaz
I've found that FTK Imager sometimes has trouble mounting snapshots. Also, if you want to mount a Vista image, I suggest VDK or the VMware mount utility available in the developer's kit, http//
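A worked version of the qemu-img route mentioned earlier in the thread, with the snapshot and dynamic-image caveats raised above, as an added example that is not any poster's own script. It assumes qemu-img and sha256sum are installed; the evidence and output paths are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from any poster in this thread: convert VM disk files
# found on an acquired drive to raw (dd-style) images with qemu-img, logging
# SHA-256 of source and output. Assumes qemu-img and sha256sum; paths are
# constructed placeholders.
set -u

# Map a disk-file extension (any case) to qemu-img's format name: VMware,
# VirtualBox, Virtual PC/Hyper-V, Parallels. Fails for unknown types.
vm_format_for() {
    case "$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')" in
        vmdk) echo vmdk ;;  vdi) echo vdi ;;  vhd) echo vpc ;;
        vhdx) echo vhdx ;;  hdd) echo parallels ;;  *) return 1 ;;
    esac
}

# Render the exact command line for the acquisition notes. -f pins the input
# format so qemu-img never probes the image; -O raw gives flat dd-style output.
build_convert_cmd() {
    local fmt
    fmt=$(vm_format_for "$1") || return 1
    printf 'qemu-img convert -f %s -O raw %s %s' "$fmt" "$1" "$2"
}

# Convert one disk, hashing source before and output after. Pointing this at
# the newest snapshot delta (e.g. disk-000002.vmdk) flattens the whole backing
# chain into the output; point it at the base file for the pre-snapshot state.
convert_vm_disk() {
    local src=$1 dst=$2 log=${3:-acquisition.log} cmd
    cmd=$(build_convert_cmd "$src" "$dst") || { echo "unknown VM disk: $src" >&2; return 1; }
    command -v qemu-img >/dev/null || { echo "qemu-img not installed" >&2; return 2; }
    printf '%s %s src_sha256=%s\n' "$(date -u +%FT%TZ)" "$cmd" \
        "$(sha256sum "$src" | cut -d' ' -f1)" >>"$log"
    qemu-img convert -f "$(vm_format_for "$src")" -O raw "$src" "$dst" || return 3
    printf '%s dst_sha256=%s\n' "$dst" "$(sha256sum "$dst" | cut -d' ' -f1)" >>"$log"
}

# Walk a mounted evidence tree and convert every VM disk it contains.
convert_all_vm_disks() {
    local root=$1 out=$2
    mkdir -p "$out"
    find "$root" -type f \( -iname '*.vmdk' -o -iname '*.vdi' -o -iname '*.vhd' \
        -o -iname '*.vhdx' -o -iname '*.hdd' \) -print0 |
    while IFS= read -r -d '' f; do
        convert_vm_disk "$f" "$out/$(basename "$f").raw" "$out/acquisition.log"
    done
}
```

Run it as `convert_all_vm_disks /mnt/evidence /cases/1234/vm-raw` against the mounted acquired drive; the resulting .raw files open in FTK Imager or EnCase like any dd image, and acquisition.log keeps the command and hashes for the notes.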