Is it possible to recover a deleted virtual machine?

(@tombye85)
Posts: 3
New Member
Topic starter
 

I am investigating the subject of data recovery from virtual machines for a Uni project. I can successfully recover data from a live acquisition of a VM. I can also recover data from a closed VM imaged via a dock to an E01. Now I am trying to find a way to recover a deleted virtual machine. I can see the deleted files which create the VM using EnCase. Unfortunately the files found have different sizes, and the flat.vmdk file comes back as unrecoverable using one tool, and in all tools tried it comes back with a size of 0.

I have also got a .vmem file from the deleted VM which I could recover. If I am right in my research, this is a page file and can store data, but it is not viewable using an archive viewer or hex viewer, so is it possible to recover data from these files?

The main question I am struggling with is whether it is actually possible to recover a deleted virtual machine. I have seen lots of different answers but would like to know if anyone has actually done this?

Thank you for your time

Tom

 
Posted : 03/03/2016 5:45 am
(@bithead)
Posts: 1206
Noble Member
 

If you knew information about the header and footer, say if it was published in a specification, you could potentially carve the file manually in a hex editor.

https://articles.forensicfocus.com/2015/11/11/virtual-hard-disk-image-format-a-forensic-overview/

https://www.vmware.com/support/developer/vddk/vmdk_50_technote.pdf

http://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc

 
Posted : 03/03/2016 6:24 am
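As an added illustration of the header/footer carving bithead describes (example code written for this page, not posted by anyone in the thread), the script below uses the two linked specifications: the 512-byte SparseExtentHeader from the VMDK technote (little-endian, magic "KDMV") and the 512-byte footer from the Microsoft VHD spec (big-endian, cookie "conectix", one's-complement checksum). It scans a raw image sector by sector, rejects magic hits whose fixed fields or checksum do not validate, and, for a fixed VHD, works the file start back from the footer using currentSize. Note that a sparse VMDK's header does not record the extent's file length (you would have to walk the grain directory), and a -flat.vmdk is a raw sector dump with no signature at all, so a signature carver has nothing to latch onto for it. The test image is constructed inline; the field values in it are arbitrary but spec-shaped.

```python
import struct

SECTOR = 512
VMDK_SPARSE_MAGIC = b"KDMV"   # magicNumber 0x564D444B stored little-endian
VHD_COOKIE = b"conectix"      # VHD footer cookie

# SparseExtentHeader from the VMDK technote: packed, little-endian, one sector.
SPARSE_HDR = struct.Struct("<4sIIQQQQIQQQBccccH433x")
SPARSE_FIELDS = ("magic", "version", "flags", "capacity", "grainSize",
                 "descriptorOffset", "descriptorSize", "numGTEsPerGT",
                 "rgdOffset", "gdOffset", "overHead", "uncleanShutdown",
                 "singleEndLineChar", "nonEndLineChar", "doubleEndLineChar1",
                 "doubleEndLineChar2", "compressAlgorithm")

# Hard disk footer from the Microsoft VHD spec: big-endian, one sector.
VHD_FOOTER = struct.Struct(">8sIIQI4sI4sQQIII16sB427x")
VHD_FIELDS = ("cookie", "features", "formatVersion", "dataOffset", "timestamp",
              "creatorApp", "creatorVersion", "creatorHostOS", "originalSize",
              "currentSize", "geometry", "diskType", "checksum", "uniqueId",
              "savedState")
VHD_FIXED = 2   # diskType: 2 fixed, 3 dynamic, 4 differencing


def parse_vmdk_sparse_header(buf, off=0):
    """Parse a hosted sparse extent header at buf[off:]; None if implausible."""
    if off + SECTOR > len(buf) or buf[off:off + 4] != VMDK_SPARSE_MAGIC:
        return None
    hdr = dict(zip(SPARSE_FIELDS, SPARSE_HDR.unpack_from(buf, off)))
    # Filter false magic hits: the technote fixes the four line-ending
    # bytes, and grainSize is a power of two (in sectors).
    eol = (hdr["singleEndLineChar"], hdr["nonEndLineChar"],
           hdr["doubleEndLineChar1"], hdr["doubleEndLineChar2"])
    g = hdr["grainSize"]
    if eol != (b"\n", b" ", b"\r", b"\n") or g == 0 or g & (g - 1):
        return None
    return hdr


def vhd_checksum(sector):
    """One's complement of the byte sum with the checksum field (64..68) zeroed."""
    zeroed = sector[:64] + b"\x00" * 4 + sector[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(buf, off=0):
    """Parse a VHD footer at buf[off:]; None if the cookie or checksum fails."""
    if off + SECTOR > len(buf) or buf[off:off + 8] != VHD_COOKIE:
        return None
    sector = bytes(buf[off:off + SECTOR])
    ftr = dict(zip(VHD_FIELDS, VHD_FOOTER.unpack_from(sector)))
    return ftr if ftr["checksum"] == vhd_checksum(sector) else None


def carve(image):
    """Scan a raw image sector by sector. Returns (kind, start, end, fields)
    tuples; end is None when the format does not let us infer the file length."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        hdr = parse_vmdk_sparse_header(image, off)
        if hdr:
            # A sparse extent's file length is not in its header; finding the
            # end means walking the grain directory at gdOffset, so only the
            # start is recorded here. A -flat.vmdk has no header at all.
            hits.append(("vmdk-sparse", off, None, hdr))
            continue
        ftr = parse_vhd_footer(image, off)
        if ftr:
            # A fixed VHD is raw sectors followed by the footer, so the file
            # begins currentSize bytes before it and ends after the footer.
            start = off - ftr["currentSize"] if ftr["diskType"] == VHD_FIXED else None
            if start is not None and start < 0:
                start = None
            hits.append(("vhd", start, off + SECTOR, ftr))
    return hits


def build_sample_image():
    """Constructed image: filler, a VMDK sparse header, filler, a 4 KiB fixed VHD."""
    filler = bytes(range(256)) * 4          # 1 KiB that matches neither signature
    vmdk_hdr = SPARSE_HDR.pack(VMDK_SPARSE_MAGIC, 1, 3, 2048, 128, 1, 20, 512,
                               21, 149, 277, 0, b"\n", b" ", b"\r", b"\n", 0)
    vhd_data = b"\xAA" * (8 * SECTOR)
    fields = [VHD_COOKIE, 2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0, b"vpc ",
              0x00050000, b"Wi2k", len(vhd_data), len(vhd_data), 0, VHD_FIXED,
              0, bytes(16), 0]
    fields[12] = vhd_checksum(VHD_FOOTER.pack(*fields))   # fill in checksum
    return filler + vmdk_hdr + filler + vhd_data + VHD_FOOTER.pack(*fields)


if __name__ == "__main__":
    for kind, start, end, fields in carve(build_sample_image()):
        print(kind, start, end,
              {k: fields[k] for k in ("capacity", "currentSize") if k in fields})
```

Point it at a raw image (or an E01 exported to raw) instead of build_sample_image() to get candidate offsets; the sector-aligned scan is a deliberate filter, since file data on a volume starts on a sector boundary and a "KDMV" or "conectix" string at an odd offset is almost always content rather than a header.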
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

I doubt that it would normally be possible to recover a deleted VM to the extent necessary to boot it and get data out that way, so you are down to working with those files available to you. As .vmem is equivalent to pagefile, you would not necessarily expect to get lots of useful data out of it - this should only be present if the machine is/was running (and/or crashed or wasn't shut down gracefully), so you should be clear about what you might expect or hope to get out of your VMEM.

FWIW FTK will certainly process virtual machine related files e.g. VMDK like any other hard disk / data container.

 
Posted : 07/03/2016 3:25 pm