Forums
Main Category
General (Technical,...
Create a VM from DD...
 
Notifications
Clear all

Create a VM from DD files

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 15 years ago
7 Posts
6 Users
0 Reactions
4,027 Views
RSS
 KimberlySaunders
(@kimberlysaunders)
New Member
Joined: 15 years ago
Posts: 1
Topic starter 28/07/2010 12:00 am  

Hi,

First, I apologize if this question has been asked before.

This is my first post on Forensic Focus. I am currently working on a malware case and only have the DD image of the target workstation. I am trying to some how create a virtual machine out of the DD images. I have tried several methods such as raw2vmdk, Disk2vhd and Pro Discovers Create VMDK from DD and all have failed.

I also tried mount image pro, however disk2vhd was not able to detect the mounted drive as a physical disk.

Some more info

The DD images I have are segmented into 3gig files each, not a single DD.
I also have Parallels Desktop for Mac and would like to boot the DD into that. I also have an ESX server if that would some how help.

Any help is greatly appreciated, thanks a lot.


   
Quote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
28/07/2010 12:32 am  

I am not sure to get it.
Why don't you join the three dd images together?

If you have VMware all you need is to create a .vmdk descriptor file.

See here
http//www.boot-land.net/forums/index.php?showtopic=5578
http//www.sanbarrow.com/vmdk/disktypes.html

more
http//sanbarrow.com/vmdk-handbook.html

AFAIK/AFAICR the other way is to re-split in 2 Gb chunks and use the
twoGbMaxExtentFlat
format.

jaclaz


   
ReplyQuote
 Anonymous
(@Anonymous)
Guest
Joined: 1 second ago
Posts: 0
28/07/2010 2:20 am  

I've had good success in exporting segmented EWF files as a single dd and using Live View to mount the image under VMWare.

You may need to export your segmented dd to EWF (aka E01) and then re-export to a single dd to get the best results.


   
ReplyQuote
 douglasbrush
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
28/07/2010 2:38 am  

Look around for some stuff that Brett Shavers has put out
http//www.forensicfocus.com/downloads/vmware-forensic-tool.pdf

and Dave Shaver
http//rpforensics.com/resources/Repairing+a+restored+VM_V9.pdf

http//www.thedigitalforensicgroup.com/pdf/How%20to%20use%20VM_V5.pdf

and this
http//www.thedigitalforensicgroup.com/pdf/VMware_Forensic_Cloning_Methodology.pdf

All have been extremely helpful in helping me create VM enviroments from disk images.

There is also a commercial utility form the makers of Mount Image Pro called VFC
http//www.virtualforensiccomputing.com/

You should have FTK Imager handy to convert formats if needed. You can convert the DD to a single E01 file.


   
ReplyQuote
 DarkSYN
(@darksyn)
Trusted Member
Joined: 17 years ago
Posts: 50
28/07/2010 2:40 am  

Another such tool has been written by a friend & student of mine that does exactly that, called raw2vmdk.

Hope this helps.

Cheers
DarkSYN


   
ReplyQuote
kiashi
 kiashi
(@kiashi)
Trusted Member
Joined: 19 years ago
Posts: 99
28/07/2010 4:02 am  

Hi Kimberley, welcome to FF )

I think if you go straight for the LiveView option AWTLPI mentioned you should be fine. I have never tried to use one of the virtual machines it creates in Parallels though but they definitely work for VMWare.

It shouldn't matter what size the DD segments are or how many of them there are, just be sure to select them all when you load them in to LiveView. So there is no need to convert or concatenate them.

Hope that helps.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
28/07/2010 1:10 pm  

Another such tool has been written by a friend & student of mine that does exactly that, called raw2vmdk.

It doesn't look like managing images chunks, but only monolithic images.

There are several tools to do this (besides the manual way already described), just for the record clonedisk has some capbilities
http//www.boot-land.net/forums/index.php?showtopic=8480

jaclaz


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: