Hi guys
I've had a VMDK into a US office which is corrupt. The data is all still there (can view the Hex in FTK Imager) but can't get it to mount to recover the data. I need a single folder from the drive, anyone got any ideas? As it's remote I can RDP into the machine the file lives on but it's too large to pull back to my forensic workstation to try my primary tools. Standard methods to fix the VMDK file haven't worked.
Cheers
Nick
Which exact "type" of VMDK is it?
See
http//
Some ways are possible (or easy/convenient) only on some types (the ones that are actually a dd-like image), such as monolithicFlat (which is a "pure" dd-like image) or similar.
What exactly did you try to mount the image with?
Which OS is running on the machine where the VMDK is?
Have you tried 7-zip? It can normally open (valid) dd-like images.
jaclaz
Have you tried data carving?
Carving may help you if the files you want are standard, and the names not important.
Hi thanks for the replies
1. It's a Sparse image - non-split. It's from an ESXi server. VMWare want $500 to help )
2. Data carving would be a last resort, the folder we need is a www folder that contains a Wordpress environment and there will be 1000s of files, wouldn't really help.
Thanks mate
Nick
Have you tried to take a snapshot, and then mount the drive through VM itself?
Presuming the VM instance can be stopped and started, a VM Workstation allows you to mount any VM internal drive through the advanced option under the drive. Thereafter you can access it logically through the host OS.
I presume you can run remotely (through RDP) *any* program.
Try running DMDE
http://softdm.com/
Before that,
The monolithicSparse kind of image has an embedded descriptor
http//
written to the 2nd (and part of 3rd) sector, follow the above instructions (or use FTK imager or any hex/disk editor) to extract the descriptor and verify it is correct.
DMDE may be able to access the VMDK as a RAW image and find the filesystem on it, but if the issue is just the descriptor, it may be more logical to try and repair it first.
jaclaz
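A sketch of the descriptor check suggested in the post above, as an added example that is not part of the original thread. It assumes the hosted sparse extent layout (`KDMV` magic, 512-byte sectors, descriptor location stored in the binary header); the function names and the sample image are constructed for illustration.

```python
import io
import re
import struct

SECTOR = 512
# Start of the hosted sparse extent header: little-endian, packed, 72 bytes.
HDR = struct.Struct("<4sIIQQQQIQQQ")
FIELDS = ("magic", "version", "flags", "capacity", "grain_size", "desc_offset",
          "desc_sectors", "gtes_per_gt", "rgd_offset", "gd_offset", "overhead")

def read_descriptor(f):
    """Return (header dict, descriptor text) from a file object opened 'rb'."""
    f.seek(0)
    raw = f.read(SECTOR)
    if len(raw) < SECTOR:
        raise ValueError("file is shorter than one sector")
    hdr = dict(zip(FIELDS, HDR.unpack_from(raw)))
    if hdr["magic"] != b"KDMV":
        raise ValueError("no KDMV magic: header damaged or not a hosted sparse extent")
    if hdr["desc_offset"] == 0:
        raise ValueError("no embedded descriptor in this extent")
    f.seek(hdr["desc_offset"] * SECTOR)
    blob = f.read(hdr["desc_sectors"] * SECTOR)
    # The descriptor is NUL-padded text; keep everything before the first NUL.
    return hdr, blob.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def check_descriptor(hdr, text):
    """Return a list of inconsistencies between descriptor text and binary header."""
    problems = []
    if not re.search(r'^createType="[^"]+"', text, re.M):
        problems.append("createType line missing")
    extents = re.findall(r'^(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)', text, re.M)
    if not extents:
        problems.append("no extent line")
    for sectors, kind in extents:
        if kind == "SPARSE" and int(sectors) != hdr["capacity"]:
            problems.append(f"extent says {sectors} sectors, header says {hdr['capacity']}")
    return problems

def build_sample(extent_sectors=2048):
    """Constructed test image: header sector plus a 2-sector descriptor, no data."""
    text = ('# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
            'createType="monolithicSparse"\n'
            f'RW {extent_sectors} SPARSE "sample.vmdk"\n').encode()
    head = HDR.pack(b"KDMV", 1, 3, 2048, 128, 1, 2, 512, 3, 4, 128)
    return io.BytesIO(head.ljust(SECTOR, b"\x00") + text.ljust(2 * SECTOR, b"\x00"))
```

Against a real file, pass `open(path, "rb")` to `read_descriptor`; it only reads the header sector and the descriptor sectors, so it can be run in place on the remote machine against a working copy or a read-only handle.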
diskinternals VMFS recovery
support remote, ESXi server…
I second Diskinternals VMFS Recovery. Used the product on one occasion; no surprises, works as advertised. Here's the link http//
I would try using 'winimage'; it is a great tool when working with VMDKs and VHDs. You can find it here. http//
Well, this is an antique thread that andrew001 woke up so he could SPAM his software into it.
But, since I'm now reading this for the first time, one program I would recommend for VMDK recovery is Recovery Explorer Professional (
It's the only one I know of that can scan a drive, recognize the VMFS file system from an ESXi drive or RAID, browse it, find a VMDK file and then mount and recover files out from inside of the VMDK. Let's see this other spammy software do that.
I've not been impressed with any other program that supports VMDK recovery despite trying pretty much everything at some point.