This is the situation.
I have a windows 2003 server that is a virtual guest on an ESX 3.5 server. The ESX server is connected to a Lefthand iSCSI SAN that has a 2TB volume that is type VMFS 3.31. Several VMWare snap shot of the server had taken last week. After about 7 days an attempt was made at deleting some of these snapshots and this resulted in an error. Support was called and the only way to reboot the server was to rename the server-000001.vmdk and server-000001-delta.vmdk files. It was then found the next day that the server had rolled back 7 days with the loss of a weeks of work. It was also discovered that the normal backups were also failing.
We made a clone of the lefthand volume and connected Read only, using a workstation loaded with an iSCSI initiator and running WINHEX. I can see the remnants of the deleted vmdk and deltas files and the data in them.
I’m thinking I need to carve out the vmdk by looking for their header information or maybe I should image the volume and load it up in FTK. What is the best way to recovery the data and possible the NTFS file structure from these deleted vmdk files on the VMFS volume? Does anyone know the header and trailer informatino for a snapshot or delta vmdk?
Thank you,