The case is about a suspicious system failure or disruption caused by an unauthorised system update. One piece of evidence is a VM as below. The flat vmdk is the real disk, and the vmdk of only 1 KB is just a descriptor. As you can see, there is no vmx. What would you do to find important clues inside this VM?
Mount that flat vmdk and export a disk image? It sounds good, but unfortunately forensic tools such as EnCase or FTK can add those vmdk files as evidence but cannot "see" what's inside the vmdk. Let's see if forensic tools can see another vmdk in my Linux VM. The OS of this VM is CentOS 7. Still got the same error as below. You guys could take a look at my blog to see what's going on.
A flat vmdk is already a RAW image.
jaclaz
Hi Jaclaz,
Not that simple. You could use EnCase or FTK to add a Linux vmdk as evidence, and you will know what's going on.
Is it a test VMDK or one from a case?
If the former, I would be interested in having a look at it.
Hi Jaclaz,
Not that simple. You could use EnCase or FTK to add a Linux vmdk as evidence, and you will know what's going on.
EXACTLY that simple.
A flat vmdk is already a RAW image.
You DO NOT mount a RAW image to dd from it a RAW image, it makes NO sense whatsoever.
Of course you CAN do it, still it is a totally unneeded complication and a perfect way to lose time.
IF it is NOT a "flat" vmdk then it is another thing.
jaclaz
Apparently one individual has reading disabilities and needs to learn to be quiet.
unfortunately forensic tools such as EnCase or FTK could add those vmdk as evidence but could not "see" what's inside the vmdk.
To the OP
Use the proper tools to access VMDK files.
One way is to use this command to mount the VMDK file, then image it: vmware-mount X: "C:\Path\To\File.vmdk"
More info
(Looks like it's part of vSphere Center)
You could also use the diskmount utility; this one is for Linux, but I think I saw one for Windows as well.
Here is an old version for VMWare Workstation 5 you could try
If that doesn't work, get a trial version of Workstation (x64) for 30 days and you'll get the latest tool.
EnCase or FTK could add those vmdk as evidence but could not "see" what's inside the vmdk.
Well, I had a similar case last week (on Windows...) and was successful with the free FTK Imager. Just mount the physical disk, and all partitions/logical drives inside automatically get a unique drive letter and are mounted read-only. AFAIK OSFMount is capable of this, too.
best regards,
Robin
AFAIK OSFMount is capable of this, too.
Yes and no.
OSFMount (like ImDisk) will mount the volume(s), not the PhysicalDrive (whole disk).
Arsenal Image Mounter (same author as ImDisk) is one tool suitable for mounting the whole PhysicalDrive from a RAW image (or from a flat.vmdk, which is a RAW image) and all kinds of common VM disk formats (including all types of .vmdk) through the use of the DiscUtils library.
In many cases there is no need to access "hidden sectors" and "unpartitioned space", but if there is this need, then you need a driver/tool capable of accessing the whole range and not just the partitioned space/volumes.
jaclaz
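The two points jaclaz makes above (a flat extent is already a raw image, and a volume-only mounter hides the unpartitioned sectors) can be checked without any VMware tooling. The script below is an added example written for this thread, not code posted by anyone in it. It reads the 1 KB descriptor to find the FLAT extent, verifies that the extent file is exactly as many 512-byte sectors as the descriptor claims (a mismatch usually means a truncated or mis-copied evidence file, which is one reason an imaging tool may refuse to "see" inside it), parses the MBR of the raw extent, and prints the byte offsets you would pass to `mount -o ro,loop,offset=...` (or `losetup -r -o`) for each partition, plus the sector ranges that belong to no partition at all. The sample VM it builds (`disk.vmdk`, `disk-flat.vmdk`, two MBR partitions) is constructed for the demo, and the `/mnt/pN` mount points in the emitted commands are assumptions; the flat file and descriptor names in a real case come from the evidence.

```python
"""Inspect a flat (monolithicFlat) VMDK pair: descriptor + raw extent.

Added example for this thread, not a poster's code. A FLAT extent is a
raw disk image, so ordinary loop mounting works once you know the
partition offsets; GPT-partitioned disks are detected but not parsed.
"""
import json
import os
import re
import struct
import tempfile

SECTOR = 512
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(FLAT|SPARSE|VMFS|ZERO)\s+"([^"]*)"(?:\s+(\d+))?',
    re.M)


def parse_descriptor(text):
    """Return (createType, extent list) from the text of a VMDK descriptor."""
    m = re.search(r'^createType\s*=\s*"([^"]+)"', text, re.M)
    create_type = m.group(1) if m else None
    extents = [{"access": e.group(1), "sectors": int(e.group(2)), "type": e.group(3),
                "file": e.group(4), "offset": int(e.group(5) or 0)}
               for e in EXTENT_RE.finditer(text)]
    return create_type, extents


def parse_mbr(sector0):
    """Return the populated entries of a classic MBR partition table, sorted by LBA."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR-partitioned raw image")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]                       # byte 4: partition type
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)  # bytes 8-15
        if ptype == 0 or lba_count == 0:
            continue
        parts.append({"index": i + 1, "type": ptype, "start": lba_start,
                      "count": lba_count, "byte_offset": lba_start * SECTOR})
    return sorted(parts, key=lambda p: p["start"])


def unpartitioned_ranges(parts, total_sectors):
    """Sector ranges [start, end) covered by no partition: MBR/alignment gap, tail."""
    gaps, cursor = [], 0
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def inspect_flat_vmdk(descriptor_path):
    """Locate the FLAT extent, sanity-check its size, compute loop-mount offsets."""
    with open(descriptor_path, "r", encoding="ascii", errors="replace") as f:
        create_type, extents = parse_descriptor(f.read())
    flat = [e for e in extents if e["type"] == "FLAT"]
    if len(flat) != 1:
        raise ValueError(f"expected one FLAT extent, found {len(flat)} (createType={create_type})")
    ext = flat[0]
    flat_path = os.path.join(os.path.dirname(descriptor_path), ext["file"])
    size_ok = os.path.getsize(flat_path) == ext["sectors"] * SECTOR
    with open(flat_path, "rb") as f:
        parts = parse_mbr(f.read(SECTOR))
    gpt = len(parts) == 1 and parts[0]["type"] == 0xEE   # protective MBR => GPT disk
    return {
        "create_type": create_type,
        "flat_file": flat_path,
        "size_matches_descriptor": size_ok,
        "gpt_protective": gpt,
        "partitions": parts,
        "unpartitioned": unpartitioned_ranges(parts, ext["sectors"]),
        "mount_commands": [] if gpt else [
            f'mount -o ro,loop,offset={p["byte_offset"]} "{flat_path}" /mnt/p{p["index"]}'
            for p in parts],
    }


def build_sample_vm(dirpath):
    """Constructed sample, not case data: 6 MiB flat extent, two MBR partitions."""
    total = 12288
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate([(0x83, 2048, 4096), (0x82, 8192, 2048)]):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)   # CHS fields left zero
    mbr[510:512] = b"\x55\xaa"
    flat = os.path.join(dirpath, "disk-flat.vmdk")
    with open(flat, "wb") as f:
        f.write(mbr)
        f.truncate(total * SECTOR)                             # sparse, no real payload
    desc = os.path.join(dirpath, "disk.vmdk")
    with open(desc, "w") as f:
        f.write('# Disk DescriptorFile\nversion=1\ncreateType="monolithicFlat"\n'
                f'RW {total} FLAT "disk-flat.vmdk" 0\nddb.adapterType = "lsilogic"\n')
    return desc


def demo():
    """Build the constructed sample in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        return inspect_flat_vmdk(build_sample_vm(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The printed `unpartitioned` list is exactly the space a volume mounter such as OSFMount never exposes (the MBR and alignment gap before the first partition, any gap between partitions, and the tail); if the case needs those sectors, carve them from the flat file directly or use a whole-disk mounter as jaclaz suggests. A `size_matches_descriptor` of false is worth recording before going any further, since it means the extent on hand is not the disk the descriptor describes.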