Converting VM to dd file

Converting VM to dd file

Posted: Fri May 30, 2008 2:15 am

Hi All,
I am trying to put together some procedures for examining virtual machines found on an acquired hard drive. I am curious as to experiences in this realm. I want to include all types of VMs and am looking for tools that can convert a VM file to a dd file. Any help would be appreciated.  

dbarrett
Member
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 9:52 am

FTK Imager will open .vmdk files and let you "acquire" them to dd:
windowsir.blogspot.com...is-on.html  

keydet89
Senior Member
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 11:39 am

I agree the .vmdk file is where all of that good information is. I did experience some trouble in using FTK to analyze the virtual machine. EnCase was much more beneficial in this aspect. If you would like I have produced a report on virtual machine analysis.  

pronie2121
Senior Member
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 12:07 pm

I for one would love to see your report on VM analysis.  

BitHead
Senior Member
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 12:33 pm

I will get that over to you as soon as possible.

pronie2121
Senior Member
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 12:35 pm

FTK Imager is by far and away the easiest way to "acquire" a .vmdk to a dd image. FTK itself can parse .vmdk but I prefer to convert to dd for simplification. This is the method I use when I create class materials for trainings.

qemu-img can convert to dd as well.  

hogfly
Senior Member
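
One way to script the qemu-img conversion mentioned in the post above, as an added example that is not part of the original thread. It assumes a Linux examination host with qemu-img and sha256sum installed; the function name, log layout and file names are hypothetical.

```sh
#!/bin/sh
# Added example: convert a VMDK to a raw (dd-style) image with qemu-img and
# record hashes so the conversion can be documented in case notes.
# Assumes qemu-img and sha256sum are installed; all file names are hypothetical.

# vmdk_to_dd SRC.vmdk DEST.dd
# Writes DEST.dd and DEST.dd.log; returns non-zero on any failure.
vmdk_to_dd() {
    src=$1
    dst=$2
    log="$dst.log"

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 1; }
    # Never overwrite an existing image: a re-run must not clobber evidence.
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; return 1; }
    command -v qemu-img >/dev/null 2>&1 || { echo "qemu-img not found" >&2; return 1; }

    # Hash the source before touching it. Only the file named in SRC is
    # hashed; for a VMDK split across extent files, hash those separately.
    before=$(sha256sum "$src" | cut -d' ' -f1) || return 1

    # -f vmdk pins the input format instead of letting qemu-img probe it;
    # -O raw produces a flat sector-by-sector image, the same layout as dd.
    qemu-img convert -f vmdk -O raw "$src" "$dst" || return 1

    # Re-hash the source to show the conversion did not alter it.
    after=$(sha256sum "$src" | cut -d' ' -f1) || return 1
    [ "$before" = "$after" ] || { echo "source changed during conversion" >&2; return 1; }

    raw=$(sha256sum "$dst" | cut -d' ' -f1) || return 1
    chmod a-w "$dst"    # mark the finished image read-only

    {
        echo "source=$src"
        echo "source_sha256=$before"
        echo "image=$dst"
        echo "image_sha256=$raw"
    } > "$log"
}

# Usage (hypothetical file names):
#   vmdk_to_dd suspect-vm.vmdk suspect-vm.dd
```

Run it against a working copy of the acquired VM files rather than the original evidence, and keep the generated .log file with the case notes.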
 
 
  

Re: Converting VM to dd file

Posted: Fri May 30, 2008 1:54 pm

pronie2121,
I would like to see your report as well. I will also be working on other VMs such as those created by Virtual PC, and Parallels.
Hogfly,
Thanks for the tip on qemu-img. We have been using VirtualBox quite a bit, so I will look at this as well.
keydet89,
Thanks for the link to some great information. I will have to revisit FTK Imager. (I thought we looked at it.)  

dbarrett
Member
 
 

Page 1 of 3