Converting VM to dd file

17 Posts
7 Users
0 Likes
4,099 Views
(@dbarrett)
Posts: 14
Active Member
Topic starter
 

Hi All,
I am trying to put together some procedures for examining virtual machines found on an acquired hard drive. I am curious as to experiences in this realm. I want to include all types of VMs and am looking for tools that can convert a VM file to a dd file. Any help would be appreciated.

 
Posted : 30/05/2008 8:15 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

FTK Imager will open .vmdk files and let you "acquire" them to dd
http://windowsir.blogspot.com/2008/02/getting-started-or-forensic-analysis-on.html

 
Posted : 30/05/2008 3:52 pm
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
 

I agree the .vmdk file is where all of that good information is. I did experience some trouble in using FTK to analyze the virtual machine. EnCase was much more beneficial in this aspect. If you would like I have produced a report on virtual machine analysis.

 
Posted : 30/05/2008 5:39 pm
(@bithead)
Posts: 1206
Noble Member
 

I for one would love to see your report on VM analysis.

 
Posted : 30/05/2008 6:07 pm
pronie2121
(@pronie2121)
Posts: 117
Estimable Member
 

I will get that over to you as soon as possible

 
Posted : 30/05/2008 6:33 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

FTK imager is by far and away the easiest way to "acquire" a .vmdk to a dd image. FTK itself can parse .vmdk but I prefer to convert to dd for simplification. This is the method I use when I create class materials for trainings.

qemu-img can convert to dd as well.

 
Posted : 30/05/2008 6:35 pm
(@dbarrett)
Posts: 14
Active Member
Topic starter
 

pronie2121,
I would like to see your report as well. I will also be working on other VMs such as those created by Virtual PC, and Parallels.
Hogfly,
Thanks for the tip on qemu-img. We have been using VirtualBox quite a bit, so I will look at this as well.
keydet89,
Thanks for the link to some great information. I will have to revisit FTK Imager. (I thought we looked at it.)

 
Posted : 30/05/2008 7:54 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

dbarrett,
If you haven't seen it yet I had a blog entry on virtualbox. The comments include a tip on working with dynamic images as well.

http://forensicir.blogspot.com/2008/01/virtualbox-and-forensics-tools.html

 
Posted : 30/05/2008 8:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also you can mount the .vmdk file with VDK and use dsfo/dsfi or dd for Windows to dd the \\.\PhysicalDriveN to a RAW image.

jaclaz

 
Posted : 30/05/2008 10:05 pm
(@jimmyw)
Posts: 64
Trusted Member
 

I've found that FTK Imager sometimes has trouble in mounting snapshots. Also, if you want to mount a Vista image, I suggest VDK or the VMware mount utility available in the developer's kit, http://www.vmware.com/support/developer/vddk/. The mount function in the 6.x has trouble with Vista partitions.

 
Posted : 31/05/2008 12:02 am
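Whichever route is taken (qemu-img as hogfly suggests, or mounting the .vmdk and dd'ing the physical drive as jaclaz describes), the examiner first has to know which files make up the disk and, for the snapshot cases jimmyw mentions, which parent disk the snapshot depends on. The script below is an added example for this thread, not code from any of the posters, VMware or QEMU. It parses the plain-text VMDK descriptor, lists the extent files and parent that must all be collected, computes the declared capacity that the converted raw file must match, builds the qemu-img command line, and hashes and size-checks the result. The sample descriptor, the file names and the /evidence path are constructed for the example.

```python
"""Inventory a VMware .vmdk descriptor, then size-check and hash the raw (dd) copy.

Added example, not code from the thread, VMware or QEMU. Sample descriptor and
paths are constructed. The descriptor is the small text file that names each
extent (the files actually holding sectors) and, for a snapshot, its parent.
"""
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SECTOR = 512

# Constructed descriptor for a snapshot ("-000001") of a disk split into 2 GB extents.
SAMPLE_DESCRIPTOR = """# Disk DescriptorFile
version=1
CID=a1b2c3d4
parentCID=e5f6a7b8
createType="twoGbMaxExtentSparse"
parentFileNameHint="Win.vmdk"

# Extent description
RW 4192256 SPARSE "Win-000001-s001.vmdk"
RW 4192256 SPARSE "Win-000001-s002.vmdk"
RW 2048 SPARSE "Win-000001-s003.vmdk"

# The Disk Data Base
ddb.adapterType = "ide"
ddb.virtualHWVersion = "4"
"""

# Extent lines: ACCESS SECTORS TYPE ["file"] [offset]   e.g. RW 2048 FLAT "d-flat.vmdk" 0
_EXTENT_RE = re.compile(
    r'^(?P<access>RW|RDONLY|NOACCESS)\s+(?P<sectors>\d+)\s+'
    r'(?P<type>SPARSE|FLAT|ZERO|VMFS|VMFSSPARSE|SESPARSE)'
    r'(?:\s+"(?P<file>[^"]*)")?(?:\s+(?P<offset>\d+))?$'
)


@dataclass
class Descriptor:
    cid: str = ""
    parent_cid: str = ""
    create_type: str = ""
    parent_file: Optional[str] = None
    extents: List[Tuple[str, int, str, Optional[str]]] = field(default_factory=list)
    ddb: Dict[str, str] = field(default_factory=dict)

    @property
    def capacity_bytes(self) -> int:
        return sum(e[1] for e in self.extents) * SECTOR

    @property
    def is_snapshot(self) -> bool:
        # parentCID=ffffffff marks a base disk with no parent.
        return self.parent_cid.lower() != "ffffffff"


def parse_descriptor(text: str) -> Descriptor:
    d = Descriptor()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _EXTENT_RE.match(line)
        if m:
            d.extents.append((m["access"], int(m["sectors"]), m["type"], m["file"]))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "CID":
            d.cid = value
        elif key == "parentCID":
            d.parent_cid = value
        elif key == "createType":
            d.create_type = value
        elif key == "parentFileNameHint":
            d.parent_file = value
        elif key.startswith("ddb."):
            d.ddb[key[4:]] = value
    if not d.extents:
        raise ValueError("no extent lines found; not a VMDK descriptor?")
    return d


def required_files(descriptor_path: str, d: Descriptor) -> List[str]:
    """Everything to collect from the evidence drive: descriptor, extents, parent disk."""
    base = Path(descriptor_path).parent
    files = [descriptor_path] + [str(base / e[3]) for e in d.extents if e[3]]
    if d.is_snapshot and d.parent_file:
        files.append(str(base / d.parent_file))  # the parent has its own descriptor/extents
    return files


def qemu_img_convert_cmd(src: str, dst: str) -> List[str]:
    """Command line for a raw copy, to be passed to subprocess.run() on a box with qemu-img."""
    return ["qemu-img", "convert", "-f", "vmdk", "-O", "raw", src, dst]


def verify_raw(raw_path: str, d: Descriptor) -> Tuple[bool, str]:
    """Converted size must equal declared capacity; return that check and the SHA-256."""
    p, h = Path(raw_path), hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return p.stat().st_size == d.capacity_bytes, h.hexdigest()


def demo() -> dict:
    """Round-trip on a constructed 8-sector flat disk: full copy passes, truncated copy fails."""
    with tempfile.TemporaryDirectory() as tmp:
        d = parse_descriptor('RW 8 FLAT "tiny-flat.vmdk" 0\n')
        raw = Path(tmp) / "tiny.raw"
        raw.write_bytes(b"\x00" * d.capacity_bytes)
        ok, digest = verify_raw(str(raw), d)
        raw.write_bytes(b"\x00" * (d.capacity_bytes - 1))
        short_ok, _ = verify_raw(str(raw), d)
    return {"capacity": d.capacity_bytes, "ok": ok, "sha256": digest, "short_ok": short_ok}
```

Run `parse_descriptor()` on the descriptor found on the acquired drive, collect every path `required_files()` returns (repeating for the parent if `is_snapshot` is set), and only then convert; `verify_raw()` against `capacity_bytes` catches a conversion that silently stopped at a missing extent, and the hash goes in the notes alongside the hashes of the source files.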
Page 1 / 2