Image Conversion Tools

The "Image Conversion Tools" menu option displays several sub-menu items allowing users to convert images to various formats for processing in other tools. The following capabilities are provided:

 

 

Convert ProDiscover Image to "DD"...

The "Convert ProDiscover Image to "DD"..." option found in the tools menu is an image format conversion utility that allows users to create a UNIX “dd” format image from any ProDiscover® created image. The source ProDiscover® image will be maintained and a new "dd" formatted image will be created as the destination image. Converting images to "dd" format is useful when the user desires to analyze evidence with one of the many tools which support the "dd" format.

 

 

As seen in the image conversion dialog box, users are provided the option to create VMWare(r) support files while converting a ProDiscover formatted image to the UNIX DD format.

VMWare 5 offers users to edit the virtual disk file (*.vmdk) to point to a dd formatted image for use in a VMWare virtual machine. This feature allows user to boot an image collected with ProDiscover for investigations that benefit from seeing and capturing the look-and-feel of the suspect system. When the image conversion is completed, users will have an a DD formatted image (image.dd) and a properly formatted .vmdk file (image.vmdk) pointing to the DD image. The simplest way to use these new files in a VMWare virtual machine is to:

 

  1. Create a new virtual machine in VMWare ensuring that the same image name is given to the virtual disk created by VMWare. If "image" was used for the virtual disk name when creating the virtual machine then the directory containing VMWare files should contain a file named "image.vmdk" after the virtual machine is created.

  2. Copy the newly created ProDiscover image.dd and image.vmdk files to the location the newly created virtual machine files are stored. This process will overwrite the  image.vmdk file created by VMWare with the ProDiscover created image.vmdk file.

  3. Configure VMWare as desired and start the virtual machine.

Note: VMWare is a powerful application with many features for maintaining differential analysis and image snapshots that are beyond the scope of this discussion.

A detailed discussion of the conversion process as well as another tool for conversion can be found at http://www.bschatz.org/2006/p2v/index.html

A detailed white paper on "VMWare Forensic Cloning Methodology can be found at http://www.e5hforensics.com/downloads.htm or http://www.riskadvisory.net/index.php?id=30

   

Convert ProDiscover Image to "ISO"...

When selected the "Convert ProDiscover Image to "ISO"..." option will convert any ProDiscover formatted image to an ISO 9660 Joliet specifications image.  

 

Convert "DD" Image to "ISO"...

When selected the "Convert "DD" Image to "ISO"..." option will convert any "DD" formatted image to an ISO 9660 Joliet specifications image.  

 

VMWare Support for "DD" Images...

The "VMWare Support for "DD" Images..." feature is for use when users who captured an original image in DD format desire to create the *.vmdk file for use in a Virtual Machine as described above. Simply provide the location of the DD formatted image and ProDiscover will create a properly formatted .vmdk file for use in VMWare.