Difference between pages "Regripper" and "VMWare Virtual Disk Format (VMDK)"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(RegRipper)
 
(Image types)
 
Line 1: Line 1:
== RegRipper ==
+
{{expand}}
  
RegRipper is an open source forensic software application developed by [[Harlan Carvey]]. RegRipper, written in Perl, is a [[Windows Registry]] data extraction tool.
+
== Image types ==
 +
There are multiple types of VMWare Virtual Disk Format (VMDK) files:
 +
* '''2GbMaxExtentFlat''' (or '''twoGbMaxExtentFlat'''); descriptor file (name.vmdk) with RAW extent data files (name-f###.vmdk). This image type is basically a [[Raw Image Format|split RAW image]].
 +
* '''2GbMaxExtentSparse''' (or '''twoGbMaxExtentSparse'''); descriptor file (name.vmdk) with VMDK sparse extent data files (name-s###.vmdk)
 +
* '''monolithicSparse'''; VMDK sparse extent data file (name.vmdk) which contains the descriptor file data.
  
RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.
+
== Descriptor file ==
 +
The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files.
  
== Technical Background and Forensic Soundness ==
+
== Extent data file types ==
 +
There are multiple types extent data files:
 +
* RAW extent data file or device
 +
* VMDK sparse extent data file
 +
* COWD sparse extent data file
  
RegRipper uses James McFarlane’s Parse::Win32Registry module ([http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.40/]) to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.
+
== External Links ==
 +
* [http://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf?src=vmdk Virtual Disk Format 5.0], by [[VMWare]]
  
== Resources: ==
+
[[Category:File Formats]]
 
+
* RegRipper Blog [(http://www.regripper.wordpress.com)]
+
* RegRipper Original Code and supporting information [(http://code.google.com/p/winforensicaanalysis/)]
+
* RegRipper Supplemental Plugins [(http://code.google.com/p/regripperplugins/)]
+
* Developers blog (Windows Incident Response) [(http://windowsir.blogspot.com/)]
+

Revision as of 11:51, 22 September 2012

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Contents

Image types

There are multiple types of VMWare Virtual Disk Format (VMDK) files:

  • 2GbMaxExtentFlat (or twoGbMaxExtentFlat); descriptor file (name.vmdk) with RAW extent data files (name-f###.vmdk). This image type is basically a split RAW image.
  • 2GbMaxExtentSparse (or twoGbMaxExtentSparse); descriptor file (name.vmdk) with VMDK sparse extent data files (name-s###.vmdk)
  • monolithicSparse; VMDK sparse extent data file (name.vmdk) which contains the descriptor file data.

Descriptor file

The descriptor file defines how and where the data of the VMDK image is stored. The data is stored in extent data files.

Extent data file types

There are multiple types extent data files:

  • RAW extent data file or device
  • VMDK sparse extent data file
  • COWD sparse extent data file

External Links

Retrieved from "http://www.forensicswiki.org/w/index.php?title=Regripper&oldid=11813"
Personal tools
Namespaces

Variants
Actions
Navigation:
About forensicswiki.org:
Toolbox