
VMDK File Listing

kastajamah
(@kastajamah)
Posts: 109
Estimable Member
Topic starter
 

Does anyone know of a program that will parse a VMDK and then allow me to generate a file listing to a CSV? It will need to include the metadata of the file (MAC dates, etc)

 
Posted : 25/03/2019 2:16 pm
(@mcman)
Posts: 189
Estimable Member
 

If you have AXIOM, it will do it for you.

Parses out the file system (and artifacts too) from a VMDK and then you can export a file listing from the file system view in CSV. If you just want the file system and no artifacts, just process the case with no artifacts selected, you'll just get the file system then.

Not sure about other tools, I would assume any tool that can support a VMDK should be able to do the file listing though.

Jamie McQuaid
Magnet Forensics

 
Posted : 25/03/2019 2:24 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
Topic starter
 

I do have AXIOM. The VMDKs are in an L01. I have processed the L01, but it did not parse out the individual VMDKs. Would I have to export the VMDKs and process them outside the L01?

 
Posted : 25/03/2019 2:28 pm
(@mcman)
Posts: 189
Estimable Member
 

Strange, while we support both L01s and VMDKs, maybe AXIOM isn't liking the fact that it's kind of a container within a container and is not treating the VMDK as an image, only as a single file. I would try dumping the VMDK out of the L01 and loading it as its own image. We'll take the VMDK directly as an image.

Jamie

 
Posted : 25/03/2019 2:39 pm
mjpetersen
(@mjpetersen)
Posts: 12
Active Member
 

You can always use AccessData FTK Imager, which is free. First take the image, the L01, and mount it as a drive. Then, using Imager, select to open an image, navigate to the VM, and point to the first VMDK file. From there you can right-click and make a directory list of the files with MD5 and SHA1 hashes.

 
Posted : 25/03/2019 3:12 pm
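The same listing in script form, as an added example that is not code from any poster in this thread or from FTK Imager. It assumes the VMDK has already been extracted from the L01 and mounted read-only (FTK Imager's image mounting will do that) at a mount path given on the command line; that path and the output file name are assumptions. The script walks the mounted volume and writes one CSV row per file and directory with size, the timestamps the host reports for the mounted volume, and MD5/SHA1 of each file, recording rather than dropping entries it cannot read or hash.

```python
#!/usr/bin/env python3
"""Write a CSV file listing (path, type, size, MAC times, MD5, SHA1) for a
mounted forensic image.

Added example, not code from any poster in this thread. It assumes the VMDK
has already been extracted from the L01 and mounted read-only (for instance
with FTK Imager's image mounting) at the path passed as MOUNT_POINT; that
path and the output file name are assumptions."""
import argparse
import csv
import hashlib
import os
import stat
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream files in 1 MiB pieces so large files fit in memory

FIELDS = ["path", "type", "size", "modified_utc", "accessed_utc",
          "ctime_utc", "created_utc", "md5", "sha1", "error"]


def hash_file(path):
    """Return (md5, sha1) hex digests of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def iso_utc(ts):
    """Epoch seconds -> ISO 8601 string in UTC, so the timezone is never ambiguous."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def entry_row(root, full, do_hash):
    """Build one listing row for the entry at `full` (absolute path under root)."""
    row = dict.fromkeys(FIELDS, "")
    row["path"] = os.path.relpath(full, root)
    try:
        st = os.lstat(full)  # lstat: do not follow symlinks inside the image
    except OSError as exc:
        row["type"], row["error"] = "unreadable", str(exc)
        return row
    is_file = stat.S_ISREG(st.st_mode)
    row["type"] = "file" if is_file else ("dir" if stat.S_ISDIR(st.st_mode) else "other")
    row["size"] = st.st_size if is_file else ""
    row["modified_utc"] = iso_utc(st.st_mtime)
    row["accessed_utc"] = iso_utc(st.st_atime)
    # st_ctime is metadata-change time on Unix but creation time on Windows
    row["ctime_utc"] = iso_utc(st.st_ctime)
    # a separate creation time is only exposed on some platforms (macOS, BSD)
    row["created_utc"] = iso_utc(st.st_birthtime) if hasattr(st, "st_birthtime") else ""
    if is_file and do_hash:
        try:
            row["md5"], row["sha1"] = hash_file(full)
        except OSError as exc:
            row["error"] = str(exc)  # keep the entry, record why it could not be hashed
    return row


def list_entries(root, do_hash=True):
    """Return listing rows for every file and directory under root, sorted by path.
    followlinks=False keeps the walk from escaping the mounted image via symlinks."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            rows.append(entry_row(root, os.path.join(dirpath, name), do_hash))
    rows.sort(key=lambda r: r["path"])
    return rows


def write_listing(root, csv_path, do_hash=True):
    """Write the listing for root to csv_path; return the number of data rows."""
    rows = list_entries(root, do_hash)
    with open(csv_path, "w", newline="", encoding="utf-8") as out:
        writer = csv.DictWriter(out, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CSV file listing of a mounted image")
    ap.add_argument("mount_point", help="root of the read-only mounted volume")
    ap.add_argument("csv_path", help="output CSV file (keep it outside the image)")
    ap.add_argument("--no-hash", action="store_true", help="skip MD5/SHA1 (faster)")
    args = ap.parse_args()
    n = write_listing(args.mount_point, args.csv_path, do_hash=not args.no_hash)
    print(f"wrote {n} entries to {args.csv_path}")
```

Two caveats for anyone using this in place of the tools above: the timestamps are the host's view of the mounted volume, not the $STANDARD_INFORMATION and $FILE_NAME values a forensic tool reads from the $MFT, and the creation time may be missing or reported in the ctime column depending on the platform. Mount the image read-only, or the walk itself will update access times.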
(@hommy0)
Posts: 98
Trusted Member
 

EnCase supports VMDK as an image file, although when it is inside an L01 it cannot be parsed. It would need to be extracted from the L01 and then added as an Evidence File - EnCase can then parse and you will be able to use the "Application Menu" and "Save As" to export a file listing.

If this is a split VMDK - then prior to collection it would need to be merged into one, before adding as an Evidence File.

Regards

 
Posted : 25/03/2019 3:45 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

FTK Imager. Add the VMDK as an evidence item, and choose to export a directory listing.

Or, if you need more of the file system metadata, simply export the MFT and parse that.

 
Posted : 25/03/2019 5:36 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
Topic starter
 

Thank you everyone who has replied and will reply. I will try the different methods and leave a post regarding what I did.

Thanks again.

 
Posted : 25/03/2019 5:44 pm
(@gsibat)
Posts: 12
Active Member
 

In EnCase, choose 'Add evidence' or drag and drop the VMDK into EnCase, then access the device in the Entries view. In the top right corner of the Table pane you will see a hamburger symbol which, when you click on it, gives you the option to Save As. The Save As option will then show you all the fields that represent the columns of the Table pane. Choose which fields you want and save in whichever format you want.

 
Posted : 25/03/2019 11:32 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
Topic starter
 

Hey all,

Thanks again for the help. I thought I would post my results. FTK Imager did kick out a file listing of the VMDKs. I did not run a hash within FTK Imager, so there were no MD5s in the file listing I generated.

With EnCase, I brought the VMDKs in as an image file. I processed them to include hashing the files, and then generated the file listing with the MD5 hash.

I have not done this with AXIOM yet. I agree with @mcman that exporting the VMDKs out of the L01 I had would be necessary. But something of note, it did process out the artifacts in the VMDKs when I processed them in AXIOM, but it would not let me generate a file listing for them individually. This might be due to the "container within a container" manner of the L01 of the VMDKs.

Thanks again to everyone for the suggestions.

Kastajamah

 
Posted : 27/03/2019 3:08 pm