I have a cloned Windows 2000 Server VMware image and I'd like to convert it to a dd image. Is this possible and, if so, how?
A quick and dirty solution is to boot off a Helix disk and image it using DD - just like a full machine.
EnCase is supposed to handle VMware but I've had problems with snapshots working right.
Hope this helps, James
If you are on a Windows system, another dirty (and maybe not as quick) solution is to use VDK to mount the VMware image and dsfo to DD it to a new image, see my post here:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1489&start=30
jaclaz
….or how about opening the VMDK file(s) which is the VMware disk image in FTK Imager and exporting out a DD?
Thanks guys, I used the FTK Imager Lite which seems to have worked. However, it is limited to 2047 megs and the image I have is larger than that. Is it possible to combine the two images it creates using "cat -B image1.dd image2.dd > image.dd", or would that cause some problem?
If you are using VMware Workstation 6, I think you could just right-click the vmdk file and choose mount as Z, then you can use other tools to image the virtual partition as a dd file. The other way is to use the Disk Mount utility of VMware.
I tried the disk mount utility then used DD and it worked. Thanks!
I have another question now. Since I mounted the VMware image as a partition and then used DD to copy that partition as image.dd, would there be any kind of deleted files/unallocated space in the image.dd file and, if so, how could I view it?
So far I've tried using Sleuthkit's fls with "fls.exe -d -r image.dd > deleted.txt"
Here are the results, but I don't know how to interpret it, or carve out the deleted files. http//
Any help would be appreciated.
One way is to open image.dd in your favorite hex editor and scan for headers of interest. Once you find one, determine the probable end and carve the start to end sectors to a file with the hex editor.
Isn't there an easier and more automated way? I would think the Sleuthkit or some other free software would be able to do it.
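The manual header scan suggested above can be automated with a small signature carver. This is an added example, not code posted by anyone in the thread; the function names, the constructed test image and the assumptions that files start on a 512-byte sector boundary and are stored contiguously are all illustrative.

```python
import hashlib
import sys

SECTOR = 512  # assumption: file data begins on a sector boundary
# Well-known (header, footer) magic bytes for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image, max_len=10 * 1024 * 1024):
    """Return [(kind, start_offset, carved_bytes)] for each sector-aligned header.

    Only contiguous (unfragmented) files are recovered intact; a hit whose
    footer lies more than max_len bytes past the header is dropped.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            if pos % SECTOR == 0:  # skip headers embedded inside other data
                end = image.find(footer, pos + len(header), pos + max_len)
                if end != -1:
                    found.append((kind, pos, image[pos:end + len(footer)]))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed 8-sector image: fake JPEG at sector 2, fake PNG at sector 5."""
    img = bytearray(8 * SECTOR)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
    img[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    img[5 * SECTOR:5 * SECTOR + len(png)] = png
    # Unaligned header bytes that the carver should ignore.
    img[7 * SECTOR + 10:7 * SECTOR + 13] = b"\xff\xd8\xff"
    return bytes(img)

if __name__ == "__main__":
    # Usage: python carve.py image.dd  (no argument: run on the constructed image)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as src:
            data = src.read()  # reads the whole image; use mmap for large ones
    else:
        data = build_sample_image()
    for kind, offset, blob in carve(data):
        name = f"carved_{offset // SECTOR:08d}.{kind}"
        with open(name, "wb") as out:
            out.write(blob)
        print(name, len(blob), hashlib.sha256(blob).hexdigest())
```

Run it against a copy of image.dd rather than the original, and treat each carved file as a candidate to be opened and checked, since a footer match does not prove the bytes in between belong to one file.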