📦 What Is the VDH Parser?
The VDH Parser is a forensic utility developed by Digital Shield Inc. for the secure and scalable archiving of virtual disk evidence files (VHD/VHDX). This tool enables forensic practitioners, incident responders, and litigation support professionals to mount, examine, and compress large virtual disk volumes with forensic integrity—ideal for scalable long-term storage or courtroom presentation.
⚙️ How It Works
1. GUI-Based File Selection:
The tool begins by prompting the user to select a .vhd or .vhdx file via a graphical file picker. The output folder for the archive is also chosen through a user-friendly interface.
2. Secure Mounting with DiskPart:
The script uses Windows DiskPart to mount the selected virtual disk in read-only mode. It then lists all available volumes on the mounted image, parsing volume ID, drive letter, file system, label, and size.
3. Volume Selection:
After listing all volumes, the user is prompted to select which volume to archive. This ensures precision when dealing with multi-partition virtual disks.
4. 7-Zip Integration for Archival:
Once a volume is selected, the tool invokes 7za.exe to compress the contents using the high-compression .7z format. Archives are automatically split into 50GB volumes—ideal for transporting across storage media or legal submission.
5. Logging and Audit Trail:
All archiving activity is logged in archive_log.txt, creating a verifiable chain of custody.
6. Clean Detachment:
After archiving is complete, the script automatically detaches the VHD from the system, ensuring no residual changes are left on the forensic workstation.
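The sketch below is an added example, not Digital Shield's VHD_Parser.py. It shows how steps 2 to 4 can be built: the DiskPart input for a read-only attach, a parser for the `list volume` table that slices by column position so volumes with no drive letter or label are still read correctly, and the 7za.exe arguments for 50 GB parts. The function names, the sample output, and the `-mx=9` level are assumptions.

```python
import re

# Constructed sample of DiskPart `list volume` output (not from a real case).
SAMPLE = """\
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C   Windows      NTFS   Partition    237 GB  Healthy    Boot
  Volume 1         Recovery     NTFS   Partition    500 MB  Healthy    Hidden
  Volume 2     E   EVIDENCE     NTFS   Partition     60 GB  Healthy
  Volume 3     F                RAW    Partition    100 MB  Healthy
"""

def diskpart_script(vhd_path, detach=False):
    """DiskPart input: attach read-only and list volumes, or detach."""
    if any(c in vhd_path for c in '"\r\n'):
        raise ValueError("path cannot be quoted safely in a DiskPart script")
    select = f'select vdisk file="{vhd_path}"'
    if detach:
        return f"{select}\ndetach vdisk\n"
    return f"{select}\nattach vdisk readonly\nlist volume\n"

def parse_list_volume(text):
    """Slice rows by the dashed rule so blank Ltr/Label cells cannot shift fields."""
    lines = text.splitlines()
    rule = next((i for i, l in enumerate(lines)
                 if re.fullmatch(r"\s*-+(\s+-+)+\s*", l)), None)
    if rule is None:
        raise ValueError("no `list volume` table found in DiskPart output")
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    names = [lines[rule - 1][a:b].strip() for a, b in spans]
    volumes = []
    for line in lines[rule + 1:]:
        row = {n: line[a:b].strip() for n, (a, b) in zip(names, spans)}
        m = re.fullmatch(r"Volume\s+(\d+)", row[names[0]])
        if m:  # skips blank lines and DiskPart prompts
            volumes.append({"id": int(m.group(1)), **row})
    return volumes

def sevenzip_args(volume, archive_path, exe="7za.exe"):
    """7-Zip command line: .7z format, split into 50 GB parts (-v50g)."""
    if not volume["Ltr"]:
        raise ValueError(f"volume {volume['id']} has no drive letter to archive from")
    # -mx=9 is an assumed choice for "high compression"; the page does not give the level.
    return [exe, "a", "-t7z", "-mx=9", "-v50g", archive_path, volume["Ltr"] + ":\\*"]
```

Splitting each row on whitespace would report "Recovery" as the drive letter of Volume 1; slicing by the dashed rule keeps that field empty, so the volume offered to the examiner matches what DiskPart printed.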
🔐 Why It Matters
Forensic Soundness: The script avoids modifying original VHD content by using native Windows volume mounting and archival without write access.
Scalable Export: Automatically chunks output into 50GB segments for easy transport, cloud upload, or DVD/Blu-ray burning.
Chain-of-Custody Ready: Built-in logging preserves a forensic trail of processing steps.
🛠️ Components Included
VHD_Parser.py – The main Python script
7za.exe, 7za.dll, 7zxa.dll – Embedded 7-Zip command-line utilities for compression
launch.bat – Optional launcher for double-click execution
📁 Use Cases
Exporting disk images from virtualized forensic environments (e.g., FTK Imager mounts)
Google Drive exports to VHDX
Preparing evidence for legal productions
Secure archiving of imaging backups in a defensible format
📌 Requirements
Windows OS (with DiskPart available)
Python 3.x installed
No administrative privileges required (except for disk mounting)
🛡️ Digital Shield Inc. – Leading the Way in Digital Forensics
At Digital Shield, we develop forensic tools that strike the perfect balance between automation, transparency, and courtroom defensibility. The VDH Parser reflects our commitment to empowering investigators with practical, scalable solutions.
For licensing inquiries, forensic training, or implementation support, contact:
📧 consulting@digitalshield.net | 🌐 www.digitalshield.net