VMDK File Listing

  

kastajamah
Senior Member
 

VMDK File Listing

Post Posted: Mar 25, 19 15:16

Does anyone know of a program that will parse a VMDK and then allow me to generate a file listing to a CSV? It will need to include the metadata of the file (MAC dates, etc.)
 
  

mcman
Senior Member
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 15:24

If you have AXIOM, it will do it for you.

Parses out the file system (and artifacts too) from a VMDK and then you can export a file listing from the file system view in CSV. If you just want the file system and no artifacts, just process the case with no artifacts selected, you'll just get the file system then.

Not sure about other tools, I would assume any tool that can support a VMDK should be able to do the file listing though.

Jamie McQuaid
Magnet Forensics  
 
  

kastajamah
Senior Member
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 15:28

I do have AXIOM. The VMDKs are in an L01. I have processed the L01, but it did not parse out the individual VMDKs. Would I have to export the VMDKs and process them outside the L01?  
 
  

mcman
Senior Member
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 15:39

Strange, while we support both L01s and VMDKs, maybe AXIOM isn't liking the fact that it's kind of a container within a container and not treating the VMDK as an image, only as a single file. I would try dumping the VMDK out of the L01 and loading it as its own image. We'll take the VMDK directly as an image.

Jamie  
 
  

mjpetersen
Newbie
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 16:12

You can always use AccessData FTK Imager, which is free. First take the image, the L01, and mount it as a drive. Then using Imager, select to open an Image, and navigate to the VM, and point to the first vmdk file. From there you can right click and make a directory list of the file with MD5 and SHA1 hashes.
 
  

hommy0
Senior Member
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 16:45

EnCase supports VMDK as an image file, although when it is inside an L01 it cannot be parsed. It would need to be extracted from the L01 and then added as an Evidence File - EnCase can then parse and you will be able to use the "Application Menu" and "Save As" to export a file listing.

If this is a split VMDK - then prior to collection it would need to be merged into one, before adding as an Evidence File.

Regards  
 
  

keydet89
Senior Member
 

Re: VMDK File Listing

Post Posted: Mar 25, 19 18:36

FTK Imager. Add the VMDK as an evidence item, and choose to export a directory listing.

Or, if you need more of the file system metadata, simply export the MFT and parse that.  
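
The "export the MFT and parse that" route suggested above, sketched as an added example (not code from any poster or tool in this thread). It assumes an exported `$MFT` with 1024-byte records and 512-byte sectors. The function names are ours, and it reports the `$STANDARD_INFORMATION` times plus the file name and parent record number rather than rebuilding full paths.

```python
import csv, struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512  # usual NTFS defaults; assumed, not read from the boot sector
COLS = ["record", "name", "parent", "in_use", "is_dir", "created", "modified", "mft_changed", "accessed"]

def filetime(raw):  # FILETIME = 100 ns ticks since 1601-01-01 UTC; returns ISO 8601
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=raw // 10)).isoformat()

def apply_fixups(raw):
    """Restore the last two bytes of each sector from the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):
        end, saved = i * SECTOR, usa_off + 2 * i
        if rec[end - 2:end] != rec[usa_off:usa_off + 2]:
            return None                                  # torn or corrupt record
        rec[end - 2:end] = rec[saved:saved + 2]
    return bytes(rec)

def parse_record(raw):
    """One FILE record -> dict with name, parent record and $STANDARD_INFORMATION times."""
    if raw[:4] != b"FILE":
        return None                                      # unused slot or BAAD record
    rec = apply_fixups(raw)
    if rec is None:
        return {"name": "<fixup mismatch>"}              # keep the row so the gap is visible
    off, flags = struct.unpack_from("<HH", rec, 20)
    row = {"name": "", "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        body = off + struct.unpack_from("<H", rec, off + 20)[0]   # resident content offset
        if atype == 0x10:                                # $STANDARD_INFORMATION
            row.update(zip(COLS[-4:], map(filetime, struct.unpack_from("<4Q", rec, body))))
        elif atype == 0x30 and rec[body + 65] != 2:      # $FILE_NAME, skipping DOS 8.3 names
            row["parent"] = struct.unpack_from("<Q", rec, body)[0] & 0xFFFFFFFFFFFF
            row["name"] = rec[body + 66:body + 66 + 2 * rec[body + 64]].decode("utf-16-le", "replace")
        off += alen
    return row

def mft_to_csv(mft_path, csv_path):
    with open(mft_path, "rb") as src, open(csv_path, "w", newline="", encoding="utf-8") as dst:
        out = csv.DictWriter(dst, fieldnames=COLS)
        out.writeheader()
        for num, raw in enumerate(iter(lambda: src.read(RECORD_SIZE), b"")):
            if row := parse_record(raw):
                out.writerow({"record": num, **row})
```

Call `mft_to_csv("<exported $MFT>", "listing.csv")`; the `parent` column holds the parent directory's record number, which is what a path rebuild would join on.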
 
