Convert VMDK to RAW

Convert VMDK to RAW

[janine.schneider]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

Ladies and Gentlemen,

 

I am a PhD student at the Friedrich-Alexander-University Erlangen-Nuremberg
in Bavaria, Germany and am currently working on a forensic reconstruction
tool. The tool can be used to analyze physical and virtual hard disks and to
reconstruct files. I would now like to extend the tool so that it is able to
analyze VMDK files and convert them to raw. Unfortunately I have not been
able to understand how to correctly unpack and assemble VMDK containers.
Since qemu is able to convert VMDK to raw, I wanted to ask you if you could
explain to me how to put the grains together?

 

Many thanks and greetings

Janine Schneider


[-- Attachment #2: Type: text/html, Size: 2653 bytes --]

Re: Convert VMDK to RAW

[Max Reitz]

[-- Attachment #1.1: Type: text/plain, Size: 1951 bytes --]

On 14.11.19 17:12, janine.schneider@fau.de wrote:
> Ladies and Gentlemen,
> 
>  
> 
> I am a PhD student at the Friedrich-Alexander-University
> Erlangen-Nuremberg in Bavaria, Germany and am currently working on a
> forensic reconstruction tool. The tool can be used to analyze physical
> and virtual hard disks and to reconstruct files. I would now like to
> extend the tool so that it is able to analyze VMDK files and convert
> them to raw. Unfortunately I have not been able to understand how to
> correctly unpack and assemble VMDK containers. Since qemu is able to
> convert VMDK to raw, I wanted to ask you if you could explain to me how
> to put the grains together?

Hi,

I’m not quite sure what you mean by a “VMDK container”.  VMDK disk
images can consist of multiple files that are linked together by a
descriptor file.  In theory all you need to do is tell qemu-img to
convert that descriptor file into a raw image.  For example:

(Sorry, I don’t know much about VMware, so all I can do is use qemu
tools to demonstrate)

$ qemu-img create -f vmdk -o subformat=twoGbMaxExtentSparse foo.vmdk 4G
Formatting 'foo.vmdk', fmt=vmdk size=4294967296 compat6=off
hwversion=undefined subformat=twoGbMaxExtentSparse
$ ls
foo-s001.vmdk  foo-s002.vmdk  foo.vmdk
$

In this example, foo.vmdk is the descriptor file and it points to the
other two (data) files:

$ cat foo.vmdk
# Disk DescriptorFile
version=1
CID=6d8d65ed
parentCID=ffffffff
createType="twoGbMaxExtentSparse"

# Extent description
RW 4194304 SPARSE "foo-s001.vmdk"
RW 4194304 SPARSE "foo-s002.vmdk"

# The Disk Data Base
#DDB

ddb.virtualHWVersion = "4"
ddb.geometry.cylinders = "8322"
ddb.geometry.heads = "16"
ddb.geometry.sectors = "63"
ddb.adapterType = "ide"
$


So to convert this VMDK disk image to a raw image, you’d simply do this:

$ qemu-img convert -f vmdk -O raw -p foo.vmdk foo.img
    (100.00/100%)
$

Max


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: Convert VMDK to RAW

[Max Reitz]

[-- Attachment #1.1: Type: text/plain, Size: 1889 bytes --]

On 14.11.19 18:39, janine.schneider@fau.de wrote:
> Hello,
> 
> thank you for the quick feedback. I am sorry that I expressed myself so
> unclearly. I don't want to use qemu but want to know how qemu converts vmdk
> to raw. So how exactly is the conversion programmed? How are the sparse
> grains put together to get an uncompressed virtual disk? I am a programmer
> and would like to reimplement this function. I already looked at the qemu
> code, but couldn't figure out how the conversion works.

Oh, OK.  Well, even (or maybe especially) programmers sometimes want to
reuse existing functionality, so I assumed it would be sufficient for
you to just use qemu tools. ;-)  (For example, qemu-nbd allows
presenting a VMDK image as a local block device that you can randomly
access.)

The code to interpret the VMDK format is in block/vmdk.c.  The function
to read an arbitrary guest offset of the disk image is vmdk_co_preadv().
 The conversion just iterates over the whole image and copies everything
read with that function to the output image, so I don’t think you need
to look at anything but block/vmdk.c.

vmdk_open() opens the image and thus parses the description file.  I
suppose (I’m no expert in the VMDK code) of particular interest are
vmdk_parse_extents() and anything that calls vmdk_add_extent().  These
code paths create a list of all extent files.

From a quick look at vmdk_co_preadv(), find_extent() then looks up the
corresponding extent file based on the guest offset;
get_cluster_offset() looks up the file offset in that extent file for
the respective guest offset; and vmdk_read_extent() then reads from the
file at that offset, decompressing the data if necessary.

(Note that
https://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf
probably understands the concepts of VMDK much better than I do *cough*)

Max


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]