±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 3 Overall: 36209
New Yesterday: 7 Visitors: 166

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Examining VDI files

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 

Senior Member

Examining VDI files

Post Posted: Jul 23, 13 14:52

Has anyone had any luck examining VDI files?
I've got two that I can add to a VM and load them up (but then I'm faced with a password screen). However I cant figure out a way to view the file system using a forensic suite (ie encase).

At best I've managed to get it to see one of the partitions but its not the ext3/4 partition im looking for.

ive tried to use vboxmanage converttoraw option to no avail
the only other thing i can think of is get a live cd going on the vm and imaging it
any other suggestions?  

Senior Member

Re: Examining VDI files

Post Posted: Jul 23, 13 15:00

How about QEMU-IMG on linux?


Last edited by minime2k9 on Jul 24, 13 12:47; edited 1 time in total

Senior Member

Re: Examining VDI files

Post Posted: Jul 23, 13 16:54

Just like .vhd and .vmdk, there are SEVERAL different formats for .vdi.
A "static" file can be converted to "RAW" without any difficulties, but if it's one of the "dynamic" ones, then it's another matter.

There are tools under Linux:

Under windows there is the Commercial WinMount:

And the Free Imdisk:
that in recent versions supports "all" or "almost all" the VDI, VHD and VMDK types, see:
Actually, the support is provided by DiscUtilsDevio, see Faq #8 here:
Please consider how Imdisk will anyway access the volume (and NOT the "whole disk").
THe mentioned IMDISK Toolkit may make the mounting easier.

There is a "derived work" from Imdisk, "forensics oriented" by Passmark:
though it doesn't seem like it is supporting the .VDI format, being "connected" with Imdisk it is possible that it can manage Discutilsdevio too. Question

And here there is a tool:
to convert a "dynamic" vdi inot a (sparse file backed) "static" one.

As always, YMMV. Shocked

- In theory there is no difference between theory and practice, but in practice there is. - 


Re: Examining VDI files

Post Posted: Jul 23, 13 17:53

You can also mount it with FTK Imager, that is able to mount it both as a physical disk and as logical volumes (if Windows supports the file systems installed on the various partitions).
After that, you can use your forensic tool of choice to inspect/acquire it.  

Senior Member

Re: Examining VDI files

Post Posted: Jul 25, 13 07:06

thanks guys

i've tried a number of different ways to get around this and have had no luck

tried converting the file to static and then throwing it into various forensic tools; no luck
tried to replace the /etc/shadow file with one id crafted myself (manually; this was a painful hex editing process) - but didnt work
tried konboot/boot disk to access the volume and no luck

it appears that the vdi file contains three partitions; one contains an EFI and upon entering the correct password boots one of the others. The one that I think contains all the data, and makes references to using LVM; overall i'm stumped at trying to get into this thing.  

Senior Member

Re: Examining VDI files

Post Posted: Jul 25, 13 11:31

Ah LVM,s, I've been struggling with them recently, see if this article helps you:


Helped me get into the volume.  

Senior Member

Re: Examining VDI files

Post Posted: Jul 25, 13 14:00

My first suggestion would have been to use a live CD. Also (by chance) I've seen a VBoxManage command in the Malware Analyst's Cookbook this morning which is supposed to convert to a raw image:

VBoxManage clonehd SUSPECT.vdi SUSPECT.dd --format RAW

Good luck.  

Page 1 of 2
Page 1, 2  Next