Converting VirtualBox VDI files to raw disk images

A while back for a forensics assignment, I had to complete a task that involved analysing a VirtualBox disk image. I wrote a quick script that converted the VDI image to RAW (.img) format by just stripping out some headers. I knew at the time that it wouldn’t support split images.

It turns out that it only works for really small images too. Apparently larger images (I tested the script with 20MB images; today I had a 20GB image) are compressed in some strange way. Today, after a Windows VM decided to eat four hours of work on me, I wanted to try using Sleuthkit to recover the data, so I wanted to get the raw disk image. After examining the image with xxd (and Sleuthkit throwing errors) I concluded that something wasn’t right, and then realised that the 20GB disk image was only a 10GB file. Something was not right.

It turns out that the correct way to do this is to use the VBoxManage tool:

VBoxManage clonehd --format RAW original_file.vdi new_image.img

This trick was found at this guy’s blog (thanks!). It took an age and made my laptop cry while it was working, but in the end Sleuthkit saw the filesystem and I could continue my (eventually futile) quest to recover the data. (Really, if you actually wanted Windows to delete a file that cleanly, it wouldn’t have done it. There was no sign of it on the image. Not even searching the entire thing with strings and grep returned any trace of it. Screw you Windows.)
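
Why header stripping breaks on larger images, as an added example (not the original script from this post): a dynamically allocated VDI stores only the blocks that have been written, in allocation order, and a block map after the header says where each virtual block lives. The header offsets follow the VDI v1.1 layout and are assumptions here; the sample image is constructed, with 512-byte blocks to keep it small.

```python
import struct

VDI_SIGNATURE = 0xBEDA107F                        # u32 at offset 0x40
BLOCK_FREE, BLOCK_ZERO = 0xFFFFFFFF, 0xFFFFFFFE   # block-map markers: no data stored

def parse_header(img):
    """Read the VDI v1.1 fields needed for conversion (offsets are assumptions)."""
    sig, _version = struct.unpack_from("<II", img, 0x40)
    if sig != VDI_SIGNATURE:
        raise ValueError("not a VDI image")
    image_type, = struct.unpack_from("<I", img, 0x4C)        # 1 = dynamic, 2 = fixed
    off_blocks, off_data = struct.unpack_from("<II", img, 0x154)
    disk_size, block_size, extra, blocks, allocated = struct.unpack_from("<QIIII", img, 0x170)
    return {"type": image_type, "off_blocks": off_blocks, "off_data": off_data,
            "disk_size": disk_size, "block_size": block_size, "extra": extra,
            "blocks": blocks, "allocated": allocated}

def strip_header(img):
    """The naive conversion: drop everything before the data area."""
    return img[parse_header(img)["off_data"]:]

def vdi_to_raw(img):
    """Rebuild the virtual disk by following the block map."""
    h = parse_header(img)
    block_map = struct.unpack_from("<%dI" % h["blocks"], img, h["off_blocks"])
    stride = h["extra"] + h["block_size"]
    out = bytearray()
    for entry in block_map:
        if entry in (BLOCK_FREE, BLOCK_ZERO):
            out += bytes(h["block_size"])                     # unallocated reads as zeros
        else:
            start = h["off_data"] + entry * stride + h["extra"]
            out += img[start:start + h["block_size"]]
    return bytes(out[:h["disk_size"]])

def build_sample(block_size=512):
    """Constructed dynamic VDI: 4 virtual blocks, 2 allocated, stored out of order."""
    block_map = [1, BLOCK_FREE, 0, BLOCK_FREE]
    off_blocks, off_data = 0x200, 0x400
    hdr = bytearray(off_data)
    struct.pack_into("<II", hdr, 0x40, VDI_SIGNATURE, 0x00010001)
    struct.pack_into("<I", hdr, 0x4C, 1)
    struct.pack_into("<II", hdr, 0x154, off_blocks, off_data)
    struct.pack_into("<QIIII", hdr, 0x170, 4 * block_size, block_size, 0, 4, 2)
    struct.pack_into("<4I", hdr, off_blocks, *block_map)
    # File block 0 holds virtual block 2 ("C"); file block 1 holds virtual block 0 ("A").
    return bytes(hdr) + b"C" * block_size + b"A" * block_size

if __name__ == "__main__":
    sample = build_sample()
    print(len(strip_header(sample)), len(vdi_to_raw(sample)))
```

On the sample, stripping the header yields half the virtual disk size with the blocks in the wrong order, which matches the symptom of a 20GB disk stored in a 10GB file. For real evidence, stick with VBoxManage and hash the output image before analysis.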
