On 14.11.19 17:12, janine.schnei...@fau.de wrote:
> Ladies and Gentlemen,
>
> I am a PhD student at the Friedrich-Alexander-University
> Erlangen-Nuremberg in Bavaria, Germany and am currently working on a
> forensic reconstruction tool. The tool can be used to analyze physical
> and virtual hard disks and to reconstruct files. I would now like to
> extend the tool so that it is able to analyze VMDK files and convert
> them to raw. Unfortunately I have not been able to understand how to
> correctly unpack and assemble VMDK containers. Since qemu is able to
> convert VMDK to raw, I wanted to ask you if you could explain to me how
> to put the grains together?

Hi,

I’m not quite sure what you mean by a “VMDK container”. VMDK disk images can consist of multiple files that are linked together by a descriptor file. In theory all you need to do is tell qemu-img to convert that descriptor file into a raw image.

For example:
(Sorry, I don’t know much about VMware, so all I can do is use qemu tools to demonstrate)

$ qemu-img create -f vmdk -o subformat=twoGbMaxExtentSparse foo.vmdk 4G
Formatting 'foo.vmdk', fmt=vmdk size=4294967296 compat6=off hwversion=undefined subformat=twoGbMaxExtentSparse
$ ls
foo-s001.vmdk  foo-s002.vmdk  foo.vmdk
$

In this example, foo.vmdk is the descriptor file and it points to the other two (data) files:

$ cat foo.vmdk
# Disk DescriptorFile
version=1
CID=6d8d65ed
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4194304 SPARSE "foo-s001.vmdk"
RW 4194304 SPARSE "foo-s002.vmdk"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "8322"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
$

So to convert this VMDK disk image to a raw image, you’d simply do this:

$ qemu-img convert -f vmdk -O raw -p foo.vmdk foo.img
    (100.00/100%)
$

Max
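
An added example (not part of the original message, and not qemu's code): a Python parser for the extent lines of the descriptor shown above, mapping each extent file to its byte range in the virtual disk. The 512-byte sector size, the RW/RDONLY/NOACCESS access keywords and the rejection of extent names that contain path separators are assumptions of this example; the descriptor text is copied from the message as a constructed sample.

```python
import re

SECTOR_SIZE = 512  # assumption: extent sizes are counted in 512-byte sectors

# Constructed sample: the descriptor from the message above (DDB section shortened).
DESCRIPTOR = '''# Disk DescriptorFile
version=1
CID=6d8d65ed
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4194304 SPARSE "foo-s001.vmdk"
RW 4194304 SPARSE "foo-s002.vmdk"

# The Disk Data Base
ddb.adapterType = "ide"
'''

# <access> <size in sectors> <type> ["<file name>" [<offset>]]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)(?:\s+"([^"]*)")?(?:\s+(\d+))?\s*$')

def parse_descriptor(text):
    """Return (header, extents); each extent carries its byte range in the virtual disk."""
    header, extents, offset = {}, [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, name, _ = m.groups()
            # Hardening assumption: a descriptor taken from evidence is untrusted
            # input, so only bare file names next to the descriptor are accepted.
            if name is not None and ('/' in name or '\\' in name
                                     or name in ('', '.', '..')):
                raise ValueError('extent name is not a bare file name: %r' % name)
            length = int(sectors) * SECTOR_SIZE
            extents.append({'access': access, 'type': kind, 'file': name,
                            'start': offset, 'length': length})
            offset += length
        elif '=' in line:
            key, value = line.split('=', 1)
            header[key.strip()] = value.strip().strip('"')
    return header, extents

def virtual_size(extents):
    """Total size in bytes of the disk the extents describe."""
    return sum(e['length'] for e in extents)
```

For the sample descriptor the two extents add up to 4294967296 bytes, the size qemu-img reported when it created the image.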