raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks


raw2vmdk is an OS independent Java utility that allows you to mount raw disk images, like images created by “dd”, using VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format.

It could be an interesting tool for doing forensics examinations on compromised boxes when all you have is a dd dump of the drive to work on, it allows you to easily mount the disk in your favourite virtualization platform and get to work doing some forensic analysis.

It analyzes the raw image and creates an appropriately formatted “.vmdk” file that can be used to mount the image right away.

raw2vmdk is written in Java and is designed to be OS independent, simple and flexible. It creates an appropriately structured VMDK file that refers to the raw image, which can then be mounted by VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format, as if it were an actual virtual drive. Thus preserving space and allowing for very fast deployment.

It is extremely simple to use and provides the required results in seconds. This is a new tool, so if you have any feedback please do leave it in the comments below or contact the author directly.

You can download raw2vmdk here:

raw2vmdk-0.1.1.tar.gz

*EDIT* 18/6/2010

keydet89 on Twitter asked about the difference between this tool and LiveView so I asked the author and here’s his reply:

Actually I’m using a couple of their classes to get the disk geometry details needed for the vmdk file. I acknowledge that in my blog and the AUTHORS file.

You see I needed to boot a 74GB pfSense raw image for analysis and “qemu-img convert” is too slow for that kind of thing. Then I came across LiveView, I reviewed the code and manually replicated the process of creating a suitable vmdk file in order to boot the image using VMware.

After I was done my first plan was to port LiveView to *nix, but after a chat with the maintainer and a more detailed review of the LiveView code it proved to be too time consuming. So I decided to automate the manual process I followed and because there’s no need to reinvent the wheel I reused the classes LiveView is using to get the disk geometry.

LiveView is a good tool but very tightly coupled with MS Windows and can’t work from the command line. I needed something OS independent and easy to incorporate into scripts, mainly because I don’t use Windows. Plus, in the code it seemed that LiveView is actually manipulating the VMware ESX, I didn’t much care for that.

I think it’s best to just create the required .vmdk file to allow someone to boot/mount the drive they need and just get the hell out of their way. So overnight I had raw2vmdk ready and you know the rest. :)

You can read more about raw2vmdk at his blog here:

Zapotek’s train of thought…

Or read more here.

Posted in: Forensics, Security Software


Latest Posts:


Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.


2 Responses to raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks

  1. D-fence June 17, 2010 at 1:01 pm #

    You can also use xmount.
    Xmount is also able to live-convert encase ewf files (and maybe aff files one day).
    You can find it at:
    https://www.pinguin.lu/index.php

    But there is already a debian package available:
    http://packages.debian.org/fr/sid/xmount

  2. BMG June 28, 2010 at 5:20 am #

    Any windows suggestions other than Live View? Thanks!