raw2vmdk is an OS independent Java utility that allows you to mount raw disk images, like images created by “dd”, using VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format.

It could be an interesting tool for doing forensics examinations on compromised boxes when all you have is a dd dump of the drive to work on, it allows you to easily mount the disk in your favourite virtualization platform and get to work doing some forensic analysis.

It analyzes the raw image and creates an appropriately formatted “.vmdk” file that can be used to mount the image right away.

raw2vmdk is written in Java and is designed to be OS independent, simple and flexible. It creates an appropriately structured VMDK file that refers to the raw image, which can then be mounted by VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format, as if it were an actual virtual drive. Thus preserving space and allowing for very fast deployment.

It is extremely simple to use and provides the required results in seconds. This is a new tool, so if you have any feedback please do leave it in the comments below or contact the author directly.

You can download raw2vmdk here:

raw2vmdk-0.1.1.tar.gz

*EDIT* 18/6/2010

keydet89 on Twitter asked about the difference between this tool and LiveView so I asked the author and here’s his reply:

Actually I’m using a couple of their classes to get the disk geometry details needed for the vmdk file. I acknowledge that in my blog and the AUTHORS file.

You see I needed to boot a 74GB pfSense raw image for analysis and “qemu-img convert” is too slow for that kind of thing. Then I came across LiveView, I reviewed the code and manually replicated the process of creating a suitable vmdk file in order to boot the image using VMware.

After I was done my first plan was to port LiveView to *nix, but after a chat with the maintainer and a more detailed review of the LiveView code it proved to be too time consuming. So I decided to automate the manual process I followed and because there’s no need to reinvent the wheel I reused the classes LiveView is using to get the disk geometry.

LiveView is a good tool but very tightly coupled with MS Windows and can’t work from the command line. I needed something OS independent and easy to incorporate into scripts, mainly because I don’t use Windows. Plus, in the code it seemed that LiveView is actually manipulating the VMware ESX, I didn’t much care for that.

I think it’s best to just create the required .vmdk file to allow someone to boot/mount the drive they need and just get the hell out of their way. So overnight I had raw2vmdk ready and you know the rest. :)

You can read more about raw2vmdk at his blog here:

Zapotek’s train of thought…

Or read more here.

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.

The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research , foremost has been opened to the general public.

You can download the latest version here:

foremost-1.5.tar.gz

Or read more here.