Re: Convert VMDK to RAW
From: Max Reitz
Subject: Re: Convert VMDK to RAW
Date: Thu, 14 Nov 2019 18:27:05 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.1

On 14.11.19 17:12, address@hidden wrote:
> Ladies and Gentlemen,
>
>
>
> I am a PhD student at the Friedrich-Alexander-University
> Erlangen-Nuremberg in Bavaria, Germany and am currently working on a
> forensic reconstruction tool. The tool can be used to analyze physical
> and virtual hard disks and to reconstruct files. I would now like to
> extend the tool so that it is able to analyze VMDK files and convert
> them to raw. Unfortunately I have not been able to understand how to
> correctly unpack and assemble VMDK containers. Since qemu is able to
> convert VMDK to raw, I wanted to ask you if you could explain to me how
> to put the grains together?
Hi,
I’m not quite sure what you mean by a “VMDK container”. VMDK disk
images can consist of multiple files that are linked together by a
descriptor file. In theory all you need to do is tell qemu-img to
convert that descriptor file into a raw image. For example:
(Sorry, I don’t know much about VMware, so all I can do is use qemu
tools to demonstrate)
$ qemu-img create -f vmdk -o subformat=twoGbMaxExtentSparse foo.vmdk 4G
Formatting 'foo.vmdk', fmt=vmdk size=4294967296 compat6=off
hwversion=undefined subformat=twoGbMaxExtentSparse
$ ls
foo-s001.vmdk foo-s002.vmdk foo.vmdk
$
In this example, foo.vmdk is the descriptor file and it points to the
other two (data) files:
$ cat foo.vmdk
# Disk DescriptorFile
version=1
CID=6d8d65ed
parentCID=ffffffff
createType="twoGbMaxExtentSparse"
# Extent description
RW 4194304 SPARSE "foo-s001.vmdk"
RW 4194304 SPARSE "foo-s002.vmdk"
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "8322"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
$
So to convert this VMDK disk image to a raw image, you’d simply do this:
$ qemu-img convert -f vmdk -O raw -p foo.vmdk foo.img
(100.00/100%)
$
Max
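
An added example, not part of the original message and not qemu code: a forensic tool can read the descriptor format shown above itself to learn which extent files an image needs and how large the resulting raw image should be before converting. The function names are hypothetical, the sample is the descriptor from the message (shortened), only extent lines of the form shown there are handled, and the 512-byte sector size is an assumption that agrees with the 4294967296-byte size qemu-img printed.

```python
import re

SECTOR_SIZE = 512  # assumption: extent sizes are counted in 512-byte sectors

# Constructed sample: the descriptor from the message above (DDB section shortened).
SAMPLE_DESCRIPTOR = '''# Disk DescriptorFile
version=1
CID=6d8d65ed
parentCID=ffffffff
createType="twoGbMaxExtentSparse"
# Extent description
RW 4194304 SPARSE "foo-s001.vmdk"
RW 4194304 SPARSE "foo-s002.vmdk"
# The Disk Data Base
#DDB
ddb.adapterType = "ide"
'''

# access mode, size in sectors, extent type, quoted file name
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')

def parse_descriptor(text):
    """Return (header dict, list of extent dicts) from a VMDK text descriptor."""
    header, extents = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and section comments
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, name = m.groups()
            extents.append({"access": access, "sectors": int(sectors),
                            "type": kind, "file": name})
        elif "=" in line:
            key, value = line.split("=", 1)
            header[key.strip()] = value.strip().strip('"')
    return header, extents

def virtual_size(extents):
    """Size in bytes of the raw image the extents add up to."""
    return sum(e["sectors"] for e in extents) * SECTOR_SIZE

def outside_descriptor_dir(extents):
    """Extent names that are not plain file names beside the descriptor.
    Worth reviewing before handing an untrusted descriptor to a converter."""
    return [e["file"] for e in extents
            if "/" in e["file"] or "\\" in e["file"] or e["file"] in (".", "..")]
```

Comparing `virtual_size()` with the size of the converted `foo.img` gives a quick integrity check on the conversion.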