In my first post, I described how to create a vmdk descriptor file from a single, dd image. Later, I posted on creating vmdk files from split, dd images. Creating a vmdk descriptor file from a single, dd image is a relatively simple task, especially if you keep a handy template. Segmented dd images, however, can make vmdk file creation laborious. To illustrate, here’s a screenshot of a vmdk file that references a segmented image:
Dana McNeil is a seasoned detective with the Bozeman, MT, Police Department. He’s certified as a computer forensics examiner and a member of our Internet Crimes Against Children Task Force. On top of that, Dana’s a programmer. He wrote a handy tool named WinVMDKCreator to automate building vmdk files from single or multiple dd image files. Even with a single image, Dana’s tool removes a margin of error that exists when humans copy, paste, and do math. In keeping with our philosophy of sharing with the forensics community, Dana kindly allowed me to share his latest beta with my readers. So, here it is: WinVMDKCreator. To make downloading less troublesome for some readers, the zipped application is in another zip file that’s encrypted with the password vmdk. Simply unzip the application and its accompanying files to a location of your choice. It’s a portable app, and no installation (or uninstallation) is required.
When you run the executable, the following screen presents. I’ll demo the tool with a video later.
In sum, you point the WinVMDKCreator to your dd image file, choose some options, and create a vmdk descriptor file in a few seconds. Dana also allows us to have WinVMDKCreator set our image files to read-only, in case we haven’t done so already. A log file is created to document the operation. I’ll demonstrate with a 75-piece dd image set.
WinVMDKCreator needs only the first segment of a multi-part dd image and uses the image file to compute the disk geometry. By default, it verifies its findings against the imaging verification file produced by X-Ways Forensics or FTK Imager. WinVMDKCreator was designed to parse the formats of the text files produced by those applications. You can choose a different file, though WinVMDKCreator may not understand its format. Had we looked, we would have noted that every image segment’s attribute was set to read-only. Presently, WinVMDKCreator allows us to choose an output version suitable to VMware 8 or 9. Finally, WinVMDKCreator names the descriptor file after the name of the image. You can choose a different name if you wish.
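To show what the tool is doing under the hood, here is an added example (my own code, not WinVMDKCreator’s) that writes a flat-extent vmdk descriptor for a single or split dd image: one RW FLAT extent line per segment, geometry computed from the total image size, and ddb.virtualHWVersion set for VMware 8 or 9. It assumes segments are named image.001, image.002, …, a 16-head/63-sector IDE geometry, and a fixed placeholder CID.

```python
import os

SECTOR = 512
# Assumed BIOS geometry for an IDE disk (a common convention; not stated in the post).
HEADS, SECTORS_PER_TRACK = 16, 63


def collect_segments(first_segment):
    """Find every segment of a dd set from its first file alone (as WinVMDKCreator does).
    Assumes the naming convention image.001, image.002, ...; returns [(name, bytes)]."""
    directory = os.path.dirname(first_segment) or "."
    stem = os.path.splitext(os.path.basename(first_segment))[0]
    names = sorted(n for n in os.listdir(directory)
                   if os.path.splitext(n)[0] == stem
                   and os.path.splitext(n)[1][1:].isdigit())
    if not names:  # a single, unsplit image such as disk.dd
        names = [os.path.basename(first_segment)]
    return [(n, os.path.getsize(os.path.join(directory, n))) for n in names]


def geometry(total_sectors):
    """C/H/S for the disk. Cylinders round down; the extents, not C*H*S,
    define the disk's capacity, so the few leftover sectors are harmless."""
    return total_sectors // (HEADS * SECTORS_PER_TRACK), HEADS, SECTORS_PER_TRACK


def build_descriptor(segments, hw_version=9):
    """segments: ordered [(filename, size_in_bytes)]; hw_version: 8 or 9."""
    if hw_version not in (8, 9):
        raise ValueError("only VMware 8 and 9 descriptors are covered here")
    extents, total = [], 0
    for name, size in segments:
        if size % SECTOR:  # a flat extent must be a whole number of sectors
            raise ValueError(f"{name}: {size} bytes is not sector-aligned")
        extents.append(f'RW {size // SECTOR} FLAT "{name}" 0')  # offset 0 within each file
        total += size // SECTOR
    cyl, heads, spt = geometry(total)
    create_type = "twoGbMaxExtentFlat" if len(segments) > 1 else "monolithicFlat"
    lines = [
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
        "CID=fffffffe", "parentCID=ffffffff",  # placeholder CID; no parent (not a snapshot)
        f'createType="{create_type}"', "",
        "# Extent description", *extents, "",
        "# The Disk Data Base", "#DDB",
        f'ddb.virtualHWVersion = "{hw_version}"',
        f'ddb.geometry.cylinders = "{cyl}"',
        f'ddb.geometry.heads = "{heads}"',
        f'ddb.geometry.sectors = "{spt}"',
        'ddb.adapterType = "ide"',
    ]
    return "\n".join(lines) + "\n"
```

Feed `build_descriptor(collect_segments("E:\\case\\image.001"))` to a file named after the image and you have the same descriptor the tool produces by hand-free arithmetic; keep the image segments themselves read-only.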
Let me go over a few points about VMware versions and vmdk file formats. First, they’re not critical to any task that we’ll undertake in forensics. However, if your vmdk version doesn’t match your VMware version, you may find yourself perplexed over choices that present during VM creation. I’ll demonstrate by beginning at the VMware 9 screen where we decide to create a VM from an existing virtual disk.
If we created a vmdk descriptor file based upon VMware 8, VMware asks whether we want to convert it to Version 9. Let’s say we’re inclined to do so. Well, the next box tells us that we can’t. The reason for this is that our underlying image file is read-only, and we can’t take a snapshot before our VM is created. It’s a chicken-and-egg thing. I can tell you that VMware doesn’t need to “edit” the image file for a conversion, but I like to keep my images read-only. If you simply choose to keep the existing format, VMware will create your VM, and it will work fine. There are other ways around this, but I’ll leave this issue alone as it’s really insignificant.
Remember that WinVMDKCreator is still a beta, though it seems ready for full deployment. Basically, if your VM works, WinVMDKCreator did its job. If you like the tool, give a shout out to Dana or drop him a note. His email address is in the “good-bye” box that presents when you close the application.