I know it's been about 10 years since my last post. I didn't think it was that long until I saw the time stamp. I used to use liveview. Now, no need really. Just need a disk large enough for the VDI or VMDK.

In this episode of Just the Tip, we will use VirtualBox to convert a forensic raw dd copy using DCFLDD into a VMDK file that can be booted into either VirtualBox or VMWare. The VBOXManage syntax used in this example is:

VboxManage.exe convertfromraw IWC-Lab-17082017.dd IWC-Lab.vmdk --format vmdk

This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.

Here is the vid demo: youtu.be/NhZPixwlVFQ
_________________
Penetration Tester & Computer Forensics Analyst

Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec 

- infosecwriter

This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.

There is no actual *need* to convert the image (just for the record).

All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.

There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
sanbarrow.com/vmdk/disktypes.html
sanbarrow.com/vmdk/dis...lithicFlat

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42

And it is also instantaneous.

Another dedicated tool (compiled AutoIt script) is here (via Wayback Machine):
web.archive.org/web/20...php?t=1162

web.archive.org/web/20...riptor.zip

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

thanks for the info
_________________
Penetration Tester & Computer Forensics Analyst

Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec 

All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.

There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
sanbarrow.com/vmdk/disktypes.html
sanbarrow.com/vmdk/dis...lithicFlat

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42

Does this also work with VirtualBox? I know LiveView did the same thing for VMware, but you had to download the VMware developer toolkit for the drivers. It did not work for VBox
_________________
Penetration Tester & Computer Forensics Analyst

Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec 

- jaclaz

Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk:
reboot.pro/topic/8480-clonedisk/
labalec.fr/erwan/?page_id=42
jaclaz

This method does not seem to work with VirtualBox. It must be a VMWare only item.

"Could not get the storage format of the medium 'E:\IWC-Lab\IWC-Lab\test.vmdk' (VERR_NOT_SUPPORTED).


Result Code:
VBOX_E_IPRT_ERROR (0x80BB0005)
Component:
MediumWrap
Interface:
IMedium {4afe423b-43e0-e9d0-82e8-ceb307940dda}
Callee:
IVirtualBox {0169423f-46b4-cde9-91af-1e9d5b6cd945}
Callee RC:
VBOX_E_OBJECT_NOT_FOUND (0x80BB0001)
"
_________________
Penetration Tester & Computer Forensics Analyst

Creator of Cyber Secrets & Just the Tip: YouTube.com/IWCCyberSec 

- infosecwriter

This method does not seem to work with VirtualBox. It must be a VMWare only item.
"

Maybe something has changed in recent Virtualbox.

It is a bit of time I don't update, I have running an old 4.1 version and it accepts these files just fine.

I seem to remember some small quirks (like Virtualbox wanting some particular field in the descriptor file and ignoring some other ones), but cannot really recall the details.

Surely there is (was) an issue with accessing images when operating with a Virtualbox instance open and for some reasons Virtualbox scans the root of the folder where the virtual machine or however adds the "known" images to a sort of database and this can produce every kind of error about duplicates, inaccessible files and what not.

Anyway, make this test.

Use this (saved as Mytest10Mb.vmdk) in *any* directory outside the VM one:
Create in the same directory a file named "Mytest10Mb-flat.vmdk" (filled with 00) 10321920 bytes in size.

Start the VirtualBox and try adding the Mytest10Mb.vmdk under the IDE controller.

What happens?

Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

Did a few checks.

For some stupid reason the VirtualBox parser doesn't like the initial:

# produced by CloneDisk

(probably it wants the file to start with "# Disk DescriptorFile" and/or the programmer that wrote it didn't understand tat lines with # can be comment lines.

Then, for some reasons you have to add to the file:

ddb.uuid.image="00000000-0000-0000-0000-000000000001"

or *any* uuid.

Then it will mount OK.

As well, using the SanBarrow tool you need to add the:

ddb.uuid.image="00000000-0000-0000-0000-000000000001"

AND remove any space before the CR+LF (or just LF) at the end of each line.

It is very possible that different VirtualBox versions have a better (or worse) parser for .vmdk descriptor file, though.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -