Linux: Mounting VMDK files in Linux – AFFLIB

I was looking for an easy way to mount VMDK files on my Linux box so I could do forensic analysis on the images. Similar to how I’ve done things in the past with E01 files. I didn’t really want to image the VM and then analyze it, since most of the time I’m using VM’s for testing.

So this will be short and sweet, but first a couple of caveats:

1) I have not tested this against split VMDK files yet, but I’m thinking it should work.

2) I haven’t even considered testing this against VM snapshot images, but I’m guessing that will not work.

3) You need to have AFFLIB installed and working

sudo apt-get install afflib-tools

That being said, this post was inspired by Sketchymoose’s post…

She talks about downloading the Virtual Disk Development kit, but one item in the post caught my eye:

“I first discovered I had to add the ‘-i aff’ parameter to get mmls to determine the disk structure of the vmdk file.”

I thought hey, there’s affuse!

Step 1:

affuse <vmdk file> /mount/point

ex: affuse windows7.vmdk /mnt/aff

Step 2:

mmls -t dos <mount point>/<vmdk file name>.raw

ex: mmls -t dos /mnt/aff/windows7.vmdk.raw

Step 3:

mount -o ro,loop,show_sys_files,streams_interface=windows,offset=<offset> <mount point>/<vmdk file>.raw /mount/point

ex: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/aff/windows7.vmdk.raw /mnt/windows

And voila! /mnt/windows now contains the file structure of the VMDK image!

I’m sure someone else figured this out, but a google search didn’t come up with anything when I added AFF to the search query (for me at least). So I thought I would share…

Also, keep in mind you can still use the -i AFF with TSK and VMDK images if you don’t need to mount it…

By: ramslack