Using qemu-img!



About VMXRAY i have already spoken in a previous post.

But if i need to open a Virtual Disk Image with a forensics tool like Autopsy?

Just convert the VMDK file into a format that can be read by Autopsy, using qemu-img utility:

qemu-img convert vmdk original.vmdk -m 16 -p -O raw converted.raw

(-m set the number of thread used, -p displays a progress of the operation)

Quemu-img is a part of Qemu package, that can be installed on Linux (Ubuntu/Debian/Mint) with apt:

apt-get install qemu

On Windows, the tool can be downloaded from this site:


[embed]http://www.teimouri.net/qemu-img-windows/[/embed]

After convertion process ends, you can add the generated RAW file as DataSource on Autopsy and start file carving! :-)