Converting Parallels Disks to Raw on OS X

Update: See the forensic focus article: http://articles.forensicfocus.com/2012/07/05/parallels-hard-drive-image-converting-for-analysis/


Update: I have had problems with this method leading to corruption / being unreliable. Backup all your data before you attempt this.

We do quite a bit with parallels, and commonly want to copy a virtual disk for analysis. If you come across a machine with parallels disks, how do you copy a usable image file out? Parallels is set to use expanding disks by default, which are apparently compressed. Digfor talks about finding parallels on a Windows machine, and how to convert the disk. I will just cover the process on OS X (very similar).

Edit (7-12): An easier and faster way is to use 'qemu-img'. I might try to create a how-to on it in the future, but it is pretty straightforward.

Essentially we want to locate the .hds file. In Mac the image is usually in the .pvm package (unless location was manually specified).

• Right click on the .pvm file, and click "Show Package Contents".


• Move the .hds file to the .pvm directory


• Rename the .hds file to OS.hdd (OS can be whatever is meaningful to you)


• Open 'Applications/Parallels/Parallels Image Tool'


• Choose the new disk image "OS.hdd"


• Choose "Convert to plain disk"


• Note: This will expand the disk to its "true" size. Make sure your drive is big enough


• The converted disk is once again called OS.0.{###}.hds


• The resulting file is now raw


img_stat ~/Documents/Parallels/Windows\ Server\ 2003.pvm/Windows\ Server\ 2003.hdd/Windows\ Server\ 2003.hdd.0.\{5fbaabe3-6958-40ff-92a7-860e329aab41\}.hds
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 8590675968


Note: You can also use Parallels Image Tool to split and combine the image file - though dd gives you more options.