Converting VM to dd file


Post Posted: Fri May 30, 2008 2:15 am

Hi All,
I am trying to put together some procedures for examining virtual machines found on an acquired hard drive. I am curious as to experiences in this realm. I want to include all types of VMs and am looking for tools that can convert a VM file to a dd file. Any help would be appreciated.

dbarrett
Member

    Re: Converting VM to dd file

    Post Posted: Fri May 30, 2008 9:52 am

    FTK Imager will open .vmdk files and let you "acquire" them to dd:
    windowsir.blogspot.com...is-on.html

    keydet89
    Senior Member

    Re: Converting VM to dd file

    Post Posted: Fri May 30, 2008 11:39 am

    I agree the .vmdk file is where all of that good information is. I did experience some trouble in using FTK to analyze the virtual machine. EnCase was much more beneficial in this aspect. If you would like I have produced a report on virtual machine analysis.

    pronie2121
    Senior Member

      Re: Converting VM to dd file

      Post Posted: Fri May 30, 2008 12:07 pm

      I for one would love to see your report on VM analysis.

      BitHead
      Senior Member

        Re: Converting VM to dd file

        Post Posted: Fri May 30, 2008 12:33 pm

        I will get that over to you as soon as possible.

        pronie2121
        Senior Member

          Re: Converting VM to dd file

          Post Posted: Fri May 30, 2008 12:35 pm

          FTK Imager is by far and away the easiest way to "acquire" a .vmdk to a dd image. FTK itself can parse .vmdk but I prefer to convert to dd for simplification. This is the method I use when I create class materials for trainings.

          qemu-img can convert to dd as well.

          hogfly
          Senior Member
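
The qemu-img route mentioned in the post above, as an added example that is not code from the thread or from any poster: a batch conversion of the VM disk types named in this discussion to raw (dd) images, with SHA-256 hashes logged. The directory arguments, the extension-to-format mapping and the availability of `sha256sum` are assumptions; confirm each disk's type with `qemu-img info` before relying on the mapping.

```shell
#!/usr/bin/env bash
# Added example: batch-convert VM disk files to raw (dd) images with qemu-img.

# Map a file extension to the qemu-img input format name (mapping is an assumption).
vm_format_for() {
    local ext="${1##*.}"
    case "$(printf '%s' "$ext" | tr '[:upper:]' '[:lower:]')" in
        vmdk) echo vmdk ;;       # VMware
        vdi)  echo vdi ;;        # VirtualBox
        vhd)  echo vpc ;;        # Virtual PC
        hds)  echo parallels ;;  # Parallels
        *)    return 1 ;;
    esac
}

# True for VMware extent files; these are reached through the descriptor .vmdk.
is_vmdk_extent() {
    case "$(basename "$1" | tr '[:upper:]' '[:lower:]')" in
        *-flat.vmdk|*-[sf][0-9][0-9][0-9].vmdk) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert one disk to OUTDIR/<name>.dd and log SHA-256 of source and output.
convert_to_dd() {
    local src="$1" outdir="$2" fmt out before after
    fmt="$(vm_format_for "$src")" || { echo "skipped, unknown type: $src" >&2; return 2; }
    out="$outdir/$(basename "$src").dd"
    before="$(sha256sum "$src" | cut -d' ' -f1)"
    qemu-img convert -f "$fmt" -O raw "$src" "$out" || return 1
    after="$(sha256sum "$src" | cut -d' ' -f1)"
    [ "$before" = "$after" ] || { echo "source changed during conversion: $src" >&2; return 1; }
    printf '%s  %s\n' "$before" "$src" >> "$outdir/hashes.sha256"
    sha256sum "$out" >> "$outdir/hashes.sha256"
}

main() {
    local evidence="$1" outdir="$2" f
    mkdir -p "$outdir"
    find "$evidence" -type f \( -iname '*.vmdk' -o -iname '*.vdi' \
         -o -iname '*.vhd' -o -iname '*.hds' \) -print0 |
    while IFS= read -r -d '' f; do
        is_vmdk_extent "$f" && continue
        convert_to_dd "$f" "$outdir" || echo "failed: $f" >&2
    done
}

# Usage: script EVIDENCE_DIR OUT_DIR  (run against a working copy of the evidence)
if [ "$#" -eq 2 ]; then main "$@"; fi
```

For a split VMDK the source hash covers only the descriptor file, so hash the extent files separately if the source set needs to be documented in full.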

          Re: Converting VM to dd file

          Post Posted: Fri May 30, 2008 1:54 pm

          pronie2121,
          I would like to see your report as well. I will also be working on other VMs such as those created by Virtual PC, and Parallels.
          Hogfly,
          Thanks for the tip on qemu-img. We have been using VirtualBox quite a bit, so I will look at this as well.
          keydet89,
          Thanks for the link to some great information. I will have to revisit FTK Imager. (I thought we looked at it.)

          dbarrett
          Member