VMware Cloud Community
Erg0m3t3r
Contributor

getting a raw hard disk image into a VM

hi,

I am quite new to VMware.... I know what VMware Player and ESXi are, and I have set up a whitebox with the demo of ESXi 5.5 and I have installed the VMware Player.

Unfortunately I don't know all of the magic buttons by heart...

I have a not-too-easy task: for data analysis and recovery attempts I want to make use of hard disk clones to save some time... till now I worked with physical copies of these disks, which is quite time consuming.

So I created two files with Linux dd, which I copied to an SMB share. One is 15 GB, the other 750 GB.

But the one hard disk has a defective FAT / GPT that needs recovery, and the other has a file system I don't yet know and that is not recognized by Linux.
I am afraid that that "VMware Converter" will touch the content of the disks... but that should not happen.

How do I get these "raw" images connected as an additional hard disk to a VM?

I have two VM, one with Linux and one with Windows 7 where I will try different things and want to attach these disk files for my future analysis and repair.

0 Kudos
3 Replies
jpsider
Expert

Right click the VM, Select Edit Settings.

Select the Add button.

Select the Hard Disk option

Select Use an existing virtual disk

Browse to the disk.

Select the "mode" you want for forensics; Independent Non-Persistent might be best.

Select Next & Finish.

See how that works for you, let us know if you have further questions

0 Kudos
continuum
Immortal

> I have a not-too-easy task: for data analysis and recovery attempts I want to make use of hard disk clones to save some time..

Actually this is much easier than you probably thought.
The image type "thick-provisioned eager zeroed-flat.vmdk" was formerly known as "full dd disk-image".
Actually it is exactly the same !!!!

Let's construct an example so that you can see if you have the same thing in mind.

You have a 233 GB file named "this-is-why-Hugo-is-in-jail-now".
Tomorrow you have to present the case to the judges.
Hugo was a big fish, so you and 3 of your colleagues all get the task: inspect the file "this-is-why-Hugo-is-in-jail-now" because it is assumed to be the boot disk of Hugo's computer.
With these conditions you will need 4 linked clones and every colleague must keep the image as it will look when they are finished.
So the plan looks like this if you watch step by step:
1. Check: is this a dd image? (hexdump -C -n 2097152 this-is-why-Hugo-is-in-jail-now | less) ----> you should see that the first sector is an MBR or a GPT
----> if you see that the first sector is an ntldr or bootmgr, assume that you have a partition image (also possible, but requires extra steps).
2. Does the size of the image fit the values in the partition table? (Run fdisk or gdisk or partedUtil against "this-is-why-Hugo-is-in-jail-now" - you should see the partition table displayed - check the file size.)
3. Is the size of the file a multiple of 512? -----> if not, it may be corrupt
4. If everything looks good, create a descriptor file for "this-is-why-Hugo-is-in-jail-now"
- see the long version here:
Use dd image as VMDK.
In short: size in bytes / 512 = size in sectors = X
size in sectors / 16065, rounded down = Y
This results in
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=Z
parentCID=ffffffff
createType="vmfs"
# Extent description
RW X VMFS "this-is-why-Hugo-is-in-jail-now"
# The Disk Data Base
#DDB
ddb.virtualHWVersion = "8"
ddb.geometry.cylinders = "Y"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.adapterType = "lsilogic"


Since the best possible CID-value (12345678) was recently discovered, simply use it for Z.

5. ESXi should now be able to detect the newly created descriptor as a valid vmdk. In the example you named the descriptor hugo.vmdk
Put the 2 files into a directory you reserve for the master image - named "master"
6. Create a first snapshot - we will use it to protect the master
you should now have:
hugo.vmdk
this-is-why-Hugo-is-in-jail-now
hugo-000001.vmdk
hugo-000001-delta.vmdk
7. Create another snapshot - we will use it with 4 copies - you should now have:
hugo.vmdk
this-is-why-Hugo-is-in-jail-now
hugo-000001.vmdk
hugo-000001-delta.vmdk
hugo-000002.vmdk
hugo-000002-delta.vmdk

8. Create new directories - one for each linked clone - you should now have:
hugo.vmdk
this-is-why-Hugo-is-in-jail-now
hugo-000001.vmdk
hugo-000001-delta.vmdk
hugo-000002.vmdk
hugo-000002-delta.vmdk
cloneA
cloneB
cloneC
cloneD
9. Edit hugo-000002.vmdk
Change the line
parentFileNameHint = "hugo-000001.vmdk"
to
parentFileNameHint = "/vmfs/volumes/datastore/master/hugo-000001.vmdk"
Copy the modified
hugo-000002.vmdk
hugo-000002-delta.vmdk
into each of the clone directories - you should now have:
hugo.vmdk
this-is-why-Hugo-is-in-jail-now
hugo-000001.vmdk
hugo-000001-delta.vmdk
hugo-000002.vmdk
hugo-000002-delta.vmdk
cloneA/hugo-000002.vmdk
cloneA/hugo-000002-delta.vmdk
cloneB/hugo-000002.vmdk
cloneB/hugo-000002-delta.vmdk
cloneC/hugo-000002.vmdk
cloneC/hugo-000002-delta.vmdk
cloneD/hugo-000002.vmdk
cloneD/hugo-000002-delta.vmdk

----------------------------------------------
Now you have 4 independent linked clones - and all of them can be stored independently.
That was the vmdk part - you should see the pattern by now and be able to create vmx-files for the 4 different snapshot-chains.
See the long description I wrote years ago: linked-clnes-with-esxi

I hope you get it - nothing special necessary: just standard techniques: manually create a descriptor and a few vmdk-edits.

Ulli


________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

0 Kudos
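Steps 1 to 4 of the reply above (first-sector check, partition table versus file size, multiple of 512, then X and Y for the descriptor) can be scripted as below. This is an added example, not part of the original post; the function names are illustrative, and the image is only ever opened read-only.

```python
import os
import struct

# Added example; inspect_head and build_descriptor are illustrative names.
SECTOR = 512
TRACK = 255 * 63  # heads * sectors per track = 16065, the divisor used in the post

def inspect_head(head: bytes):
    """Classify the first two sectors; return (kind, sectors the partition table needs)."""
    if len(head) < 2 * SECTOR or head[510:512] != b"\x55\xaa":
        return "unknown", 0
    if head[512:520] == b"EFI PART":
        # GPT header field AlternateLBA (offset 32) points at the last sector of the disk.
        return "gpt", struct.unpack_from("<Q", head, 512 + 32)[0] + 1
    if head[3:7] == b"NTFS" or b"FAT" in (head[54:57], head[82:85]):
        return "partition-image", 0  # volume boot record, not a whole disk
    needed = 0
    for off in range(446, 510, 16):  # the four primary MBR entries
        ptype, start, count = head[off + 4], *struct.unpack_from("<II", head, off + 8)
        if ptype:
            needed = max(needed, start + count)
    return ("mbr", needed) if needed else ("unknown", 0)

def build_descriptor(image_path: str, cid: str = "12345678") -> str:
    """Validate a raw disk image and return the descriptor text for it."""
    size = os.path.getsize(image_path)
    if size == 0 or size % SECTOR:
        raise ValueError("size is not a multiple of 512: image may be corrupt")
    with open(image_path, "rb") as f:  # read-only: the evidence file is never written
        kind, needed = inspect_head(f.read(2 * SECTOR))
    if kind not in ("mbr", "gpt"):
        raise ValueError(f"first sector looks like {kind}, not a whole-disk image")
    sectors = size // SECTOR  # X
    if needed > sectors:
        raise ValueError(f"partition table needs {needed} sectors, file has {sectors}")
    return "\n".join([
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"', f"CID={cid}",
        "parentCID=ffffffff", 'createType="vmfs"', "# Extent description",
        f'RW {sectors} VMFS "{os.path.basename(image_path)}"',
        "# The Disk Data Base", "#DDB", 'ddb.virtualHWVersion = "8"',
        f'ddb.geometry.cylinders = "{sectors // TRACK}"',  # Y, rounded down
        'ddb.geometry.heads = "255"', 'ddb.geometry.sectors = "63"',
        'ddb.adapterType = "lsilogic"',
    ]) + "\n"
```

Write the returned text to hugo.vmdk next to the image; a ValueError means one of the checks in steps 1 to 3 failed and the image should be examined before it is attached.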
continuum
Immortal

Don't even consider using Converter - it is neither necessary nor will you get away with that at court.



0 Kudos