Wednesday, September 28, 2011

Forensics Quickie: Mounting Split .vmdk

Introducing FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
You're tasked with examining a VMware virtual disk. On your way to acquire the .vmdk file, you notice that there's not one, but several .vmdk files. A split VM! You know FTK Imager supports mounting .vmdk, so you go ahead and attempt to mount it. But...it only accepts one .vmdk file!

The Solution
Combine those .vmdk files into a single .vmdk. You can do this with the vmware-vdiskmanager CLI tool that comes with VMware. Run the command below, where -r converts the source disk and -t 0 writes the result as a single growable virtual disk, then mount the resulting file in FTK Imager. Success!

vmware-vdiskmanager.exe -r theFirstVmdkFile.vmdk -t 0 singleFileResult.vmdk
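A pre-flight check to run before the conversion, added here as an example and not part of the original post: it finds the small text descriptor among the .vmdk files (the file to hand to -r) and confirms that every extent it lists was actually acquired. The function names and the sample file names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extent line in a text descriptor: access, size in 512-byte sectors, type, "file name"
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
CREATE_TYPE_RE = re.compile(r'^createType\s*=\s*"([^"]+)"', re.M)

def read_descriptor(path):
    """Return (createType, [(extent name, sectors), ...]) or None if not a text descriptor."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # descriptors are small; never read a whole 2 GB extent
    if head[:4] == b"KDMV" or b"# Disk DescriptorFile" not in head:
        return None  # binary sparse extent (magic "KDMV") or not a descriptor at all
    text = head.decode("ascii", errors="replace")
    ctype = CREATE_TYPE_RE.search(text)
    extents = [(m.group(4), int(m.group(2))) for m in EXTENT_RE.finditer(text)]
    return (ctype.group(1) if ctype else None, extents)

def preflight(folder):
    """Map each descriptor in folder to its extent count, missing extents and disk size."""
    results = {}
    for vmdk in sorted(Path(folder).glob("*.vmdk")):
        parsed = read_descriptor(vmdk)
        if parsed is None:
            continue
        ctype, extents = parsed
        missing = [name for name, _ in extents if not (vmdk.parent / name).is_file()]
        results[vmdk.name] = {"createType": ctype, "extents": len(extents), "missing": missing,
                              "virtual_bytes": sum(s for _, s in extents) * 512}
    return results

def make_sample(folder):
    """Constructed sample: a descriptor naming three extents, one of which is absent."""
    folder = Path(folder)
    (folder / "disk.vmdk").write_text(
        '# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentSparse"\n'
        'RW 4192256 SPARSE "disk-s001.vmdk"\nRW 4192256 SPARSE "disk-s002.vmdk"\n'
        'RW 2048 SPARSE "disk-s003.vmdk"\n')
    for n in ("disk-s001.vmdk", "disk-s002.vmdk"):
        (folder / n).write_bytes(b"KDMV" + b"\0" * 508)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        for name, info in preflight(d).items():
            print(name, info)
```

An empty "missing" list for the descriptor you intend to convert means the set of split files is complete; a snapshot descriptor shows up as its own entry in the result.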

Thanks to KP for spurring this topic.

-Dan (@4n6k)


2 comments:

Anonymous said...

Hi,

You can also do that easily with DFF, as explained on this blog: http://www.digital-forensic.org/blog/post/7/

davnads said...

Thanks, used this today. Worked like a charm. The only part I found that could be more clear is that "theFirstVmdkFile.vmdk" is the snapshot file (e.g. "theFirstVmdkFile-000001.vmdk").
