±Forensic Focus Partners
±Your Account

![]() |
![]() |
![]() |
![]() |
±Latest Articles
±Latest Videos
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
There is no actual *need* to convert the image (just for the record).
All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.
There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
sanbarrow.com/vmdk/disktypes.html
sanbarrow.com/vmdk/dis...lithicFlat
Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42
And it is also instantaneous.
Another dedicated tool (compiled AutoIt script) is here (via Wayback Machine):
web.archive.org/web/20...php?t=1162
web.archive.org/web/20...riptor.zip
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
Does this also work with VirtualBox? I know LiveView did the same thing for VMware, but you had to download the VMware developer toolkit for the drivers. It did not work for VBox
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
This method does not seem to work with VirtualBox. It must be a VMWare only item.
"Could not get the storage format of the medium 'E:\IWC-Lab\IWC-Lab\test.vmdk' (VERR_NOT_SUPPORTED).
Result Code:
VBOX_E_IPRT_ERROR (0x80BB0005)
Component:
MediumWrap
Interface:
IMedium {4afe423b-43e0-e9d0-82e8-ceb307940dda}
Callee:
IVirtualBox {0169423f-46b4-cde9-91af-1e9d5b6cd945}
Callee RC:
VBOX_E_OBJECT_NOT_FOUND (0x80BB0001)
"
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
Maybe something has changed in recent Virtualbox.
It is a bit of time I don't update, I have running an old 4.1 version and it accepts these files just fine.
I seem to remember some small quirks (like Virtualbox wanting some particular field in the descriptor file and ignoring some other ones), but cannot really recall the details.
Surely there is (was) an issue with accessing images when operating with a Virtualbox instance open and for some reasons Virtualbox scans the root of the folder where the virtual machine or however adds the "known" images to a sort of database and this can produce every kind of error about duplicates, inaccessible files and what not.
Anyway, make this test.
Use this (saved as Mytest10Mb.vmdk) in *any* directory outside the VM one:
Create in the same directory a file named "Mytest10Mb-flat.vmdk" (filled with 00) 10321920 bytes in size.
Start the VirtualBox and try adding the Mytest10Mb.vmdk under the IDE controller.
What happens?
Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
Boot a DD into a Virtual Machine with VirtualBox
Page 1, 2 Next-
infosecwriter - Member
Boot a DD into a Virtual Machine with VirtualBox
I know it's been about 10 years since my last post. I didn't think it was that long until I saw the time stamp. I used to use liveview. Now, no need really. Just need a disk large enough for the VDI or VMDK.
In this episode of Just the Tip, we will use VirtualBox to convert a forensic raw dd copy using DCFLDD into a VMDK file that can be booted into either VirtualBox or VMWare. The VBOXManage syntax used in this example is:
VboxManage.exe convertfromraw IWC-Lab-17082017.dd IWC-Lab.vmdk --format vmdk
This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.
Here is the vid demo: youtu.be/NhZPixwlVFQ
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
In this episode of Just the Tip, we will use VirtualBox to convert a forensic raw dd copy using DCFLDD into a VMDK file that can be booted into either VirtualBox or VMWare. The VBOXManage syntax used in this example is:
VboxManage.exe convertfromraw IWC-Lab-17082017.dd IWC-Lab.vmdk --format vmdk
This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.
Here is the vid demo: youtu.be/NhZPixwlVFQ
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
-
jaclaz - Senior Member
Re: Boot a DD into a Virtual Machine with VirtualBox
- infosecwriter
This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.
There is no actual *need* to convert the image (just for the record).
All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.
There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
sanbarrow.com/vmdk/disktypes.html
sanbarrow.com/vmdk/dis...lithicFlat
Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42
And it is also instantaneous.
Another dedicated tool (compiled AutoIt script) is here (via Wayback Machine):
web.archive.org/web/20...php?t=1162
web.archive.org/web/20...riptor.zip
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
infosecwriter - Member
Re: Boot a DD into a Virtual Machine with VirtualBox
thanks for the info
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
-
infosecwriter - Member
Re: Boot a DD into a Virtual Machine with VirtualBox
All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.
There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
sanbarrow.com/vmdk/disktypes.html
sanbarrow.com/vmdk/dis...lithicFlat
Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42
Does this also work with VirtualBox? I know LiveView did the same thing for VMware, but you had to download the VMware developer toolkit for the drivers. It did not work for VBox
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
-
infosecwriter - Member
Re: Boot a DD into a Virtual Machine with VirtualBox
- jaclazCreating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42
jaclaz
This method does not seem to work with VirtualBox. It must be a VMWare only item.
"Could not get the storage format of the medium 'E:\IWC-Lab\IWC-Lab\test.vmdk' (VERR_NOT_SUPPORTED).
Result Code:
VBOX_E_IPRT_ERROR (0x80BB0005)
Component:
MediumWrap
Interface:
IMedium {4afe423b-43e0-e9d0-82e8-ceb307940dda}
Callee:
IVirtualBox {0169423f-46b4-cde9-91af-1e9d5b6cd945}
Callee RC:
VBOX_E_OBJECT_NOT_FOUND (0x80BB0001)
"
_________________
Penetration Tester & Computer Forensics Analyst
Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec
-
jaclaz - Senior Member
Re: Boot a DD into a Virtual Machine with VirtualBox
- infosecwriter
This method does not seem to work with VirtualBox. It must be a VMWare only item.
"
Maybe something has changed in recent Virtualbox.

It is a bit of time I don't update, I have running an old 4.1 version and it accepts these files just fine.
I seem to remember some small quirks (like Virtualbox wanting some particular field in the descriptor file and ignoring some other ones), but cannot really recall the details.
Surely there is (was) an issue with accessing images when operating with a Virtualbox instance open and for some reasons Virtualbox scans the root of the folder where the virtual machine or however adds the "known" images to a sort of database and this can produce every kind of error about duplicates, inaccessible files and what not.
Anyway, make this test.
Use this (saved as Mytest10Mb.vmdk) in *any* directory outside the VM one:
Code:
# Disk DescriptorFile version=1 CID=61968b17 parentCID=ffffffff createType="monolithicFlat" # Extent description RW 20160 FLAT "Mytest10Mb-flat.vmdk" 0 # The disk Data Base #DDB ddb.virtualHWVersion = "4" ddb.adapterType="ide" ddb.uuid.image="00000000-0000-0000-0000-000000000001" ddb.uuid.parent="00000000-0000-0000-0000-000000000000" ddb.uuid.modification="00000000-0000-0000-0000-000000000000" ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
Start the VirtualBox and try adding the Mytest10Mb.vmdk under the IDE controller.
What happens?
Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
jaclaz - Senior Member
Re: Boot a DD into a Virtual Machine with VirtualBox
Did a few checks.
For some stupid reason the VirtualBox parser doesn't like the initial:
(probably it wants the file to start with "# Disk DescriptorFile" and/or the programmer that wrote it didn't understand tat lines with # can be comment lines.
Then, for some reasons you have to add to the file:
or *any* uuid.
Then it will mount OK.
As well, using the SanBarrow tool you need to add the:
AND remove any space before the CR+LF (or just LF) at the end of each line.
It is very possible that different VirtualBox versions have a better (or worse) parser for .vmdk descriptor file, though.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
For some stupid reason the VirtualBox parser doesn't like the initial:
# produced by CloneDisk
(probably it wants the file to start with "# Disk DescriptorFile" and/or the programmer that wrote it didn't understand tat lines with # can be comment lines.
Then, for some reasons you have to add to the file:
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
or *any* uuid.
Then it will mount OK.
As well, using the SanBarrow tool you need to add the:
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
AND remove any space before the CR+LF (or just LF) at the end of each line.
It is very possible that different VirtualBox versions have a better (or worse) parser for .vmdk descriptor file, though.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -