[ad]
raw2vmdk is an OS independent Java utility that allows you to mount raw disk images, like images created by “dd”, using VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format.
It could be an interesting tool for doing forensics examinations on compromised boxes when all you have is a dd dump of the drive to work on, it allows you to easily mount the disk in your favourite virtualization platform and get to work doing some forensic analysis.
It analyzes the raw image and creates an appropriately formatted “.vmdk” file that can be used to mount the image right away.
raw2vmdk is written in Java and is designed to be OS independent, simple and flexible. It creates an appropriately structured VMDK file that refers to the raw image, which can then be mounted by VMware, VirtualBox or any other virtualization platform supporting the VMDK disk format, as if it were an actual virtual drive. Thus preserving space and allowing for very fast deployment.
It is extremely simple to use and provides the required results in seconds. This is a new tool, so if you have any feedback please do leave it in the comments below or contact the author directly.
You can download raw2vmdk here:
*EDIT* 18/6/2010
keydet89 on Twitter asked about the difference between this tool and LiveView so I asked the author and here’s his reply:
Actually I’m using a couple of their classes to get the disk geometry details needed for the vmdk file. I acknowledge that in my blog and the AUTHORS file.
You see I needed to boot a 74GB pfSense raw image for analysis and “qemu-img convert” is too slow for that kind of thing. Then I came across LiveView, I reviewed the code and manually replicated the process of creating a suitable vmdk file in order to boot the image using VMware.
After I was done my first plan was to port LiveView to *nix, but after a chat with the maintainer and a more detailed review of the LiveView code it proved to be too time consuming. So I decided to automate the manual process I followed and because there’s no need to reinvent the wheel I reused the classes LiveView is using to get the disk geometry.
LiveView is a good tool but very tightly coupled with MS Windows and can’t work from the command line. I needed something OS independent and easy to incorporate into scripts, mainly because I don’t use Windows. Plus, in the code it seemed that LiveView is actually manipulating the VMware ESX, I didn’t much care for that.
I think it’s best to just create the required .vmdk file to allow someone to boot/mount the drive they need and just get the hell out of their way. So overnight I had raw2vmdk ready and you know the rest. :)
You can read more about raw2vmdk at his blog here:
Or read more here.
D-fence says
You can also use xmount.
Xmount is also able to live-convert encase ewf files (and maybe aff files one day).
You can find it at:
https://www.pinguin.lu/index.php
But there is already a debian package available:
http://packages.debian.org/fr/sid/xmount
BMG says
Any windows suggestions other than Live View? Thanks!