In this article, we will explore the Apple virtual disk, DMG, and how to convert it to useful formats depending on your needs.
Disk Images can be made in utilizing many different formats. The most common format that works across all of the analysis suites and utilities is the raw format created from the command line utility ‘dd’ or the variants. The Mac operating system is able to directly work with a raw image created with ‘dd’ as long as the imaged system is a file system normally recognized by OS X and the image file has the “.dmg” extension added to it.
On the Mac, it is possible to create disk images in varying formats as well. The DMG has been a staple virtual disk used by Apple and other companies to distribute software for many years. The format of the DMG that is utilized for these DMGs is usually a compressed DMG. This format allows for a smaller file to be distributed, yet, when virtually mounted as a disk, it will present itself as the original size that the user had created. For instance, I can create a 10GB compressed DMG and when it is mounted, it will show in the Finder as having approximately 10GB of free space available.
Disk Image Mounted in Finder
Yet, when I eject the virtual disk and perform a Get Info on the DMG file itself, the file size will be 183K on a blank disk.
Get Info Window of Disk Image File
Compressed DMG files are not supported by forensic applications, and for good reason. There is little reason to use this format when imaging for forensic purposes. A compressed DMG will not contain unallocated space or slack space as we would expect it. It will simulate it when the disk is mounted, but the data that was actually contained in unallocated space on the original item is lost if a compressed DMG is used or converted to at any time.
A compressed DMG would have application for the storage of file collection, however. During a collection, a person may be charged with the collection of a user’s home folder and nothing more. A compressed DMG is a perfect container file for this. The file can easily be created during the collection and locked as soon as the collection is finished. Yet, as mentioned earlier, the compressed DMG will not be useful within forensic applications. Forensic applications expect the DMG file to be in the uncompressed format. Conversion of the virtual disk file is easily accomplished via the command line, or the Disk Utility application. First, we will look at the command line. A simple, one line command will convert a compressed DMG to an uncompressed DMG:
hdiutil convert /path/to/your/image.dmg -format UDRO -o /path/to/destination/name_of_new_file.dmg
Remember that running this command will output a file that is exactly as large as the original device imaged. The compression is removed. In other words, make certain your destination has enough free space to accommodate the new DMG file.
You can also query a DMG file for its type via this command:
hdiutil image info /path/to/your/image.dmg
This conversion can also be accomplished in Disk Utility. In this application, simply click on the “Convert” button on the button bar. This will bring up a file navigation dialog box. Select the DMG you wish the convert. Second, you will be presented a destination file dialog with the options for the new DMG file. Make certain you choose Read-Only or Read/Write in the Image Format pull-down menu.
Disk Utility DMG Convert Output choices
After creating your converted image, be certain to apply the Finder lock to preserve the contents from inadvertent changes.