Tuesday, June 20, 2017

Virtualization of a raw image of an Apple OS X system

Years ago Jimmy Weg wrote an awesome blog post on how to create a VMware virtual machine from a raw image file. This is my follow-up on how to virtualize Apple Mac OS X.

Bear in mind that, according to this article in the VMware Knowledge Base: The End User License Agreement (EULA) for Apple Mac OS X legally and explicitly binds the installation and running of the operating system to Apple-labeled computers only.

Having said that, these are the steps to follow.

  1. WinVMDKCreator (the tool was developed by Dana McNeil and was originally available on Jimmy Weg's blog) 
  2. VMware Workstation (this guide was tested against version 12 Pro)
  3. Patch Tool for VMware (see Install Patch Tool for VMware in the article available here). The two pictures below show the difference before and after installing the patch.


#Step 1
Open the raw image with your favorite tool. The following picture shows a Mac mini A1347 I imaged during an investigation. Strangely no encryption was set on that Mac. I haven't tried yet with an encrypted image. I guess you can skip to #Step 3 in that case.

#Step 2
Check which OS X version was installed by looking at the .plist SystemVersion.plist.

In my case the Mac mini was running Mac OS X 10.12 (macOS Sierra).

#Step 3
Launch the WinVMDKCreator tool. Select the image to virtualize under File Data. Tick Set disk image segment file attributes to Read Only. Then press Generate to create the .vmdk file.

#Step 4
Edit with a text editor the .vmdk file just created. Change the value of ddb.virtualHWVersion according to the version used of VMware Workstation.

For instance, if you're using VMware Workstation 12: ddb.virtualHWVersion = "12"

#Step 5
Launch VMware Workstation. From File choose New virtual machine (custom) and set these settings:

Hardware compatiblity Workstation 12.x
Guest Operating System Installation I will install the operating system later
Select a Guest Operating System Apple Mac OS X
Virtual machine name/Location whatever you prefer
Firmware Type EFI (default setting)
Processor Configuration (default settings)
Memory for the Virtual Machine increase to 4096 MB
Network Type Do not use a network connection
SCSI Controller LSI Logic (default setting)
Virtual disk type SATA (default setting)
Select a Disk Use an existing virtual disk
Existing Disk File Click Browse and Open the .vmdk file we previously created with WinVMDKCreator

Click Finish and close VMware Workstation.

#Step 6
Use a text editor to modify the <VirtualMachineName>.vmx file stored in the VM folder.

Append this line at the end of the file:

smc.version = "0"

Without the line above, the VM won't start and will show an error message saying "unrecoverable error: (vcpu-0)".

#Step 7
  • Launch VMware Workstation
  • Take a snapshot of the VM
#Step 8
Now you're ready to fire up the VM!