I was looking for an easy way to mount VMDK files on my Linux box so I could do forensic analysis on the images. Similar to how I’ve done things in the past with E01 files. I didn’t really want to image the VM and then analyze it, since most of the time I’m using VM’s for testing.
So this will be short and sweet, but first a couple of caveats:
1) I have not tested this against split VMDK files yet, but I’m thinking it should work.
2) I haven’t even considered testing this against VM snapshot images, but I’m guessing that will not work.
3) You need to have AFFLIB installed and working
sudo apt-get install afflib-tools
That being said, this post was inspired by Sketchymoose’s post…
She talks about downloading the Virtual Disk Development kit, but one item in the post caught my eye:
“I first discovered I had to add the ‘-i aff’ parameter to get mmls to determine the disk structure of the vmdk file.”
I thought hey, there’s affuse!
affuse <vmdk file> /mount/point
ex: affuse windows7.vmdk /mnt/aff
mmls -t dos <mount point>/<vmdk file name>.raw
ex: mmls -t dos /mnt/aff/windows7.vmdk.raw
mount -o ro,loop,show_sys_files,streams_interface=windows,offset=<offset> <mount point>/<vmdk file>.raw /mount/point
ex: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/aff/windows7.vmdk.raw /mnt/windows
And voila! /mnt/windows now contains the file structure of the VMDK image!
I’m sure someone else figured this out, but a google search didn’t come up with anything when I added AFF to the search query (for me at least). So I thought I would share…
Also, keep in mind you can still use the -i AFF with TSK and VMDK images if you don’t need to mount it…