Imaging a Vmware Guest

Hello,

I am trying to see if I can copy a virutal guest image (bit level image) from vmware (using dd or other free tools) as you would a physical drive (i.e. hda or sda). My goal is to do forensics on the guest image from vmware as you would a physical image acquire from external tools. I read some threads on here were folks were using FTK to merge the vmware files then copied them off using dd.

I have read a lot of posts and other data where people are looking to mount vmware images, or to load imaged drives with vmware, but I am actually looking to take a guest vmware image and produce a raw bit level image. My goal is to practice using tools such as TSK and others with the activity from a vmware guest image.

Below you see the vmware files located on the host system. From what I have learned the main file (Win XP Pro SP1-000001-cl2-000002-cl1-000002-cl1-000012-cl1.vmdk –file size = 6.3G) would be the main drive with the other *0001.vmdk and *0003.vmdk are the different snapshots.

winxppro.nvram
384M 2007-03-15 1303 winxppro-Snapshot4.vmem
17M 2007-03-15 1303 winxppro-Snapshot4.vmsn
384M 2008-03-03 1512 winxppro-Snapshot5.vmem
18M 2008-03-03 1512 winxppro-Snapshot5.vmsn
1.2G 2008-03-04 1127 Win XP Pro SP1-000001-cl2-000002-cl1-000002-cl1-000012-cl1-000001.vmdk
283M 2008-03-03 1511 Win XP Pro SP1-000001-cl2-000002-cl1-000002-cl1-000012-cl1-000003.vmdk
6.3G 2007-03-15 1405 Win XP Pro SP1-000001-cl2-000002-cl1-000002-cl1-000012-cl1.vmdk
1.4K 2008-03-03 1511 winxppro.vmsd
1.3K 2008-03-03 1624 winxppro.vmx*
323 2007-02-20 1155 winxppro.vmxf

Anyone have any thoughts?

Thanks,

mark