« fls, e01, and Timelines…oh my!

Mounting VMDK files in Linux

06Jan13

Hello everyone!

Well it’s been a while since I’ve posted and I apologize for that.  I do have some ideas for posts “in the hopper” but I haven’t had a chance to sit down and really work on them.  I’m hoping with some “life changes” coming up this year I’ll have the opportunity to write more.  But we’ll see.

Anyway, I was looking for an easy way to mount VMDK files on my Linux box so I could do forensic analysis on the images.  Similar to how I’ve done things in the past with E01 files.  I didn’t really want to image the VM and then analyze it, since most of the time I’m using VM’s for testing.

So this will be short and sweet, but first a couple of caveats:

1) I have not tested this against split VMDK files yet, but I’m thinking it should work.

2) I haven’t even considered testing this against VM snapshot images, but I’m guessing that will not work.

3) You need to have AFFLIB installed and working

That being said, this post was inspired by Sketchymoose’s post

She talks about downloading the Virtual Disk Development kit, but one item in the post caught my eye:

“I first discovered I had to add the ‘-i aff’ parameter to get mmls to determine the disk structure of the vmdk file.”

I thought hey, there’s affuse!

Step 1:

affuse <vmdk file> /mount/point

ex: affuse windows7.vmdk /mnt/aff

Step 2:

mmls -t dos <mount point>/<vmdk file name>.raw

ex: mmls -t dos /mnt/aff/windows7.vmdk.raw

Step 3:

mount -o ro,loop,show_sys_files,streams_interface=windows,offset=<offset> <mount point>/<vmdk file>.raw /mount/point

ex: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/aff/windows7.vmdk.raw /mnt/windows

And voila!  /mnt/windows now contains the file structure of the VMDK image!

I’m sure someone else figured this out, but a google search didn’t come up with anything when I added AFF to the search query (for me at least).  So I thought I would share…

Also, keep in mind you can still use the -i AFF with TSK and VMDK images if you don’t need to mount it…

About these ads

Filed under: Uncategorized   |  Comments

8 Responses to “Mounting VMDK files in Linux”

Feed for this Entry Trackback Address
  1. 1 Carlos Cajigas on January 6, 2013 said:

    Well done and easy to follow. Thanks for sharing! Looking very forward to trying it out!

    Reply
  2. 2 jimmyweg on January 7, 2013 said:

    Make your life easy and use Windows!

    Reply
  3. 3 atanok on March 23, 2013 said:

    Ehem…

    guestmount(1)

    Reply
    • 4 atanok on March 23, 2013 said:

      Or rather, vdfuse(1).

      guestmount(1) mounts the filesystems, vdfuse(1) exposes the whole device and any partitions in it much like device nodes in /dev, but as regular files instead of block devices.

      Reply
  4. 5 ramslack on March 24, 2013 said:

    Oooh, hadn’t heard of guestmount before….I’ll have to check it out. Thanks for the info!

    Reply
  5. 6 Alfonso on April 25, 2013 said:

    Hmm is anyone else having problems with the images on
    this blog loading? I’m trying to determine if its a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

    Reply
  6. 8 FL1SK on April 30, 2013 said:

    Just use vmware-mount its much much easier ;-)

    Reply

« fls, e01, and Timelines…oh my!

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: