I know it's been about 10 years since my last post. I didn't think it was that long until I saw the time stamp. I used to use liveview. Now, no need really. Just need a disk large enough for the VDI or VMDK.
In this episode of Just the Tip, we will use VirtualBox to convert a forensic raw dd copy using DCFLDD into a VMDK file that can be booted into either VirtualBox or VMWare. The VBOXManage syntax used in this example is:
VboxManage.exe convertfromraw IWC-Lab-17082017.dd IWC-Lab.vmdk --format vmdk
This takes time. This process in the video took several hours for the image to convert. Do not update the system if this is for forensics unless you have to.
Here is the vid demo https://
There is no actual *need* to convert the image (just for the record).
All that is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.
There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
http//
http//
Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk
http//
http//
And it is also instantaneous.
Another dedicated tool (compiled AutoIt script) is here (via Wayback Machine)
https://
https://
jaclaz
thanks for the info
All is needed is to create a .vmdk descriptor file and (entirely optionally) rename the original DD Raw image.
There are n VMDK formats, among them there is one where there is a "main" file (which is a RAW image) and a .vmdk "descriptor" file.
http://sanbarrow.com/vmdk/disktypes.html
http://sanbarrow.com/vmdk/disktypes.html#monolithicFlat
Creating such a descriptor file is easy, it can be done also manually, but there are tools that can do that, one among the many being Clonedisk
http://reboot.pro/topic/8480-clonedisk/
http://labalec.fr/erwan/?page_id=42
Does this also work with VirtualBox? I know LiveView did the same thing for VMware, but you had to download the VMware developer toolkit for the drivers. It did not work for VBox
This method does not seem to work with VirtualBox. It must be a VMWare only item.
"Could not get the storage format of the medium 'E:\IWC-Lab\IWC-Lab\test.vmdk' (VERR_NOT_SUPPORTED).
Result Code: VBOX_E_IPRT_ERROR (0x80BB0005)
Component: MediumWrap
Interface: IMedium {4afe423b-43e0-e9d0-82e8-ceb307940dda}
Callee: IVirtualBox {0169423f-46b4-cde9-91af-1e9d5b6cd945}
Callee RC: VBOX_E_OBJECT_NOT_FOUND (0x80BB0001)"
Maybe something has changed in recent Virtualbox. 😯
It has been a while since I updated; I am running an old 4.1 version and it accepts these files just fine.
I seem to remember some small quirks (like Virtualbox wanting some particular field in the descriptor file and ignoring some other ones), but cannot really recall the details.
Surely there is (was) an issue with accessing images when operating with a Virtualbox instance open and for some reasons Virtualbox scans the root of the folder where the virtual machine or however adds the "known" images to a sort of database and this can produce every kind of error about duplicates, inaccessible files and what not.
Anyway, make this test.
Use this (saved as Mytest10Mb.vmdk) in *any* directory outside the VM one
# Disk DescriptorFile
version=1
CID=61968b17
parentCID=ffffffff
createType="monolithicFlat"
# Extent description
RW 20160 FLAT "Mytest10Mb-flat.vmdk" 0
# The disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.adapterType="ide"
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
ddb.uuid.parent="00000000-0000-0000-0000-000000000000"
ddb.uuid.modification="00000000-0000-0000-0000-000000000000"
ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
Create in the same directory a file named "Mytest10Mb-flat.vmdk" (filled with 00) 10321920 bytes in size.
Start the VirtualBox and try adding the Mytest10Mb.vmdk under the IDE controller.
What happens?
Or (alternatively) post the .vmdk descriptor file you are using and I will try and see if I can find if there is anything wrong with it.
jaclaz
Did a few checks.
For some stupid reason the VirtualBox parser doesn't like the initial
# produced by CloneDisk
(probably it wants the file to start with "# Disk DescriptorFile" and/or the programmer that wrote it didn't understand that lines with # can be comment lines).
Then, for some reasons you have to add to the file
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
or *any* uuid.
Then it will mount OK.
As well, using the SanBarrow tool you need to add the
ddb.uuid.image="00000000-0000-0000-0000-000000000001"
AND remove any space before the CR+LF (or just LF) at the end of each line.
It is very possible that different VirtualBox versions have a better (or worse) parser for .vmdk descriptor file, though.
jaclaz
StarWind V2V Converter
Thank you for the suggestion. I am traveling through client sites this week. I will try this when I get back and let you know.
Good, in the meantime I could do a few more experiments, with interesting results.
The VirtualBox parser (at least in the version I have) is "queer".
You don't really *need* most of the fields that the tools (originally made and surely working with VMWare) actually produce.
The bare minimum is as follows:
# Disk DescriptorFile
version=1
createType=
RW <size in sectors> FLAT "<filename>" 0
ddb.uuid.image="<UUID>"
Just for the fun of it I made a small batch to create both the "minimal" and the "canonical" version.
@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
IF "%~1"=="" GOTO Error
SET SRFull="%~dpnx1"
IF NOT EXIST %SRFull% GOTO Error
SET SRName="%~nx1"
SET SRPath=%~dp1
::get size of Source in bytes
SET SRSize=%~z1
::get size of Source in 512 bytes sectors
CALL :to_sectors %SRSize%
::make a NOT really random 16 bytes string to be used as CID and as ddb.uuid.image
SET HexChar=0123456789ABCDEFF
SET Rand8=
FOR /L %%A IN (1,1,32) DO (
  SET /a _rand=!RANDOM! %% 17
  CALL :to_hexchar
  SET Rand8=!Rand8!!_rand!
)
SET ddb.uuid.image="%Rand8:~0,8%-%Rand8:~8,4%-%Rand8:~12,4%-%Rand8:~16,4%-%Rand8:~20,12%"
SET CID=%Rand8:~1,2%%Rand8:~5,2%%Rand8:~9,2%%Rand8:~13,2%
::Now the fun part, the parser of VirtualBox requires only a small subset of the data that
::is normally in a .vmdk descriptor file and in any case there is no need of setting the geometry
::and other ddb. fields apart from the ddb.uuid.image
::So, the following allows to change from the "canonical" version to the shorter one, UNREM
::the one that you choose
CALL :canonical
REM CALL :minimal
GOTO :EOF

:canonical
ECHO # Disk DescriptorFile
ECHO version=1
::"SET CID" prints the line CID=<value>
SET CID
ECHO parentCID=ffffffff
ECHO createType="monolithicFlat"
ECHO.
ECHO # Extent description
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
ECHO.
ECHO # The disk Data Base
ECHO #DDB
ECHO.
ECHO ddb.virtualHWVersion = "4"
ECHO ddb.adapterType="ide"
::"SET ddb.uuid.image" prints the line ddb.uuid.image="<value>"
SET ddb.uuid.image
ECHO ddb.uuid.parent="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.modification="00000000-0000-0000-0000-000000000000"
ECHO ddb.uuid.parentmodification="00000000-0000-0000-0000-000000000000"
GOTO :EOF

:minimal
ECHO # Disk DescriptorFile
ECHO version=1
ECHO createType=
ECHO RW %SRSizeBlocks% FLAT %SRName% 0
SET ddb.uuid.image
GOTO :EOF

:to_sectors
::divide by 2 nine times (512 = 2^9), working on the decimal string
::because SET /A is limited to 32 bit numbers
SET Number=%1
FOR /L %%B IN (1,1,9) DO (
  CALL :divideby2
  IF "0"=="!Result:~0,1!" SET Result=!Result:~1!
  IF NOT DEFINED Result SET Result=0
  SET Number=!Result!
)
SET SRSizeBlocks=%Result%
GOTO :EOF

:divideby2
SET Result=
::Get length of number
FOR /L %%A IN (14,-1,1) DO (
  SET Part=!Number:~0,%%A!
  IF !Part!==%Number% SET Length=%%A
)
SET Carry=0
FOR /L %%A IN (0,1,%Length%) DO (
  IF %%A==%Length% GOTO :EOF
  SET /A digit=10*!Carry!+!Number:~%%A,1!
  SET /A divdigit=!digit!/2
  SET /A Carry=!digit!-!divdigit!-!divdigit!
  SET Result=!Result!!divdigit!
)
GOTO :EOF

:to_hexchar
SET _rand=!HexChar:~%_rand%,1!
GOTO :EOF

:Error
ECHO Don't you like when all you get is
ECHO an Error occurred!
PAUSE
GOTO :EOF
Virtualbox generates the ddb.geometry fields on its own, and as well once mounted it adds some of the other fields.
It is very possible that VmWare actually *needs* some of the fields I omitted, though.
jaclaz
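The descriptor approach from this thread as a Python sketch; it is an added example, not code from any poster, and the names build_descriptor and lint_descriptor are made up for illustration. It writes the same field sets shown in the posts and checks an existing descriptor for the three VirtualBox parser quirks reported above (first line, ddb.uuid.image, trailing whitespace). The extent is declared RW as in the posts, so point it at a working copy of the image rather than the evidence file.

```python
import os
import re
import sys
import uuid

SECTOR = 512
HEADER = "# Disk DescriptorFile"

def build_descriptor(image_path, minimal=False):
    """Return descriptor text for an existing raw image (the image is only stat'ed)."""
    size = os.path.getsize(image_path)
    if size == 0 or size % SECTOR:
        raise ValueError(f"{size} bytes is not a whole number of {SECTOR}-byte sectors")
    image_uuid = str(uuid.uuid4())
    extent = f'RW {size // SECTOR} FLAT "{os.path.basename(image_path)}" 0'
    if minimal:
        # The "bare minimum" field set given in the thread.
        lines = [HEADER, "version=1", "createType=", extent,
                 f'ddb.uuid.image="{image_uuid}"']
    else:
        lines = [HEADER, "version=1", f"CID={image_uuid[:8]}", "parentCID=ffffffff",
                 'createType="monolithicFlat"', "", "# Extent description", extent, "",
                 "# The disk Data Base", "#DDB", "",
                 'ddb.virtualHWVersion = "4"', 'ddb.adapterType="ide"',
                 f'ddb.uuid.image="{image_uuid}"']
    return "\n".join(lines) + "\n"

def lint_descriptor(text):
    """List the parser quirks reported in the thread that this descriptor would trip."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0] != HEADER:
        problems.append("first line is not '# Disk DescriptorFile'")
    if not any(re.match(r'ddb\.uuid\.image\s*=\s*"[0-9a-fA-F-]{36}"', l) for l in lines):
        problems.append("ddb.uuid.image is missing")
    if any(l != l.rstrip() for l in lines):
        problems.append("trailing whitespace before end of line")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    # usage: script.py <raw image> [--minimal] > image.vmdk
    sys.stdout.write(build_descriptor(sys.argv[1], minimal="--minimal" in sys.argv))
```
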