Creating disk images and virtual hard disks can be super useful for testing, which I’ll demonstrate in a future post (that I’ve mostly written, but needed this one to go out beforehand!)
I wrote this a while back, and have finally gotten around to posting it!
A while back on the DFIR Sub Reddit, someone wanted to do some file carving testing and asked about how to wipe a USB drive and verify the wipe. That’s all good, and a simple thing to do, but sometimes it’s just easier to create a disk image on your operating system of choice to perform similar testing.
This post will cover using the disk image features of Windows and macOS to create Virtual Hard Disks/Disk Images. This is super useful when testing out file system operations in a “clinical” setting and preserving them for later. Most forensic tools seem to have no issues with interacting with virtual hard disk formats too, so that’s pretty cool.
Microsoft provides instructions on how to do this within Disk Management here.
I originally had created screenshots of the process, but then I thought PowerShell is probably a much better option. And Microsoft has instructions on this too!
Something they don’t specifically mention is that you need to enable the Hyper-V management PowerShell module, and Hyper-V Platform –> Hyper-V-Services under Windows Features.
I’d slightly change the example given in the documentation, only because I’d want a small fixed disk to use for testing.
$vhdpath = "C:\VHDX\Test.vhdx"
$vhdsize = 1GB
New-VHD -Path $vhdpath -Fixed -SizeBytes $vhdsize |
    Mount-VHD -Passthru |
    Initialize-Disk -Passthru |
    New-Partition -AssignDriveLetter -UseMaximumSize |
    Format-Volume -FileSystem NTFS -Confirm:$false -Force
macOS has a similar function, and you can use the Disk Utility application to create a disk image. Apple has instructions here.
If you want to use the Terminal commands to create a DMG, the below command will show all of the options.
hdiutil create -help
The command to make a quick APFS DMG is shown below, and there are a variety of other file systems that can be created.
hdiutil create -size 1GB -fs APFS -volname test test.dmg
Overall this is super useful to test things, especially if you want to share your test data with other people. It’s very quick to set up, and if you plan on sharing your data then you don’t have to worry about anything other than the data that you’ve created.
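
One way to seal a finished image before sharing it, so the recipient can confirm they are examining exactly the test data that was created. This is an added example, not from the original post; the function names and the `.sha256` sidecar file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: seal a finished test image (test.dmg, Test.vhdx, ...) before sharing.
# Detach or dismount the image first so nothing is still writing to it,
# e.g. `hdiutil detach /Volumes/test` on macOS.
# Usage: seal_image test.dmg    then later: verify_image test.dmg

# Print the SHA-256 of a file using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # shasum ships with macOS
    fi
}

# Record the hash in a sidecar file and mark the image read-only.
seal_image() {
    img=$1
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    sha256_of "$img" > "$img.sha256" || return 2
    chmod a-w "$img"
    echo "sealed $img $(cat "$img.sha256")"
}

# Recompute the hash and compare it with the sidecar.
# Returns 0 if unchanged, 1 on mismatch, 2 if the image or sidecar is missing.
verify_image() {
    img=$1
    [ -f "$img" ] && [ -f "$img.sha256" ] || { echo "missing image or sidecar" >&2; return 2; }
    want=$(cat "$img.sha256")
    have=$(sha256_of "$img")
    if [ "$want" = "$have" ]; then
        echo "OK $img"
    else
        echo "MISMATCH $img: expected $want, got $have" >&2
        return 1
    fi
}

# macOS only: mount a sealed DMG without allowing writes to it.
attach_readonly() {
    hdiutil attach -readonly "$1"
}
```

Send the sidecar file along with the image; anyone receiving it can run `verify_image` before loading the image into a forensic tool.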