Wednesday, September 28, 2011

Forensics Quickie: Mounting Split .vmdk

Introducing FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

You're tasked with examining a VMware virtual disk. On your way to acquire the .vmdk file, you notice that there's not one, but several .vmdk files. A split VM! You know FTK Imager supports mounting .vmdk, so you go ahead and attempt to mount it. only accepts one .vmdk file!

The Solution
Combine those .vmdk files into one, single .vmdk. You can do this with the vmware-vdiskmanager CLI tool that comes with VMware. Simply run the command below and mount the resulting file in FTK Imager. Success!

vmware-vdiskmanager.exe –r theFirstVmdkFile.vmdk –t 0 singleFileResult.vmdk

Thanks to KP for spurring this topic.


1. Mahmoud Thoughts - Merge 2GB VMDK files to one single VMDK file


Anonymous said...


You can also do that easily with DFF as explained on this blog :

davnads said...

Thanks used this today. Worked like a charm. The only part I found that could be more clear is that "theFirstVmdkFile.vmdk " is the snapshot file (e.g. "theFirstVmdkFile- 000001.vmdk").

Anonymous said...

Thank you. For me to get this to work I had to put quotes around the source vmdk. I also selected the last snapshot (here it's 000002) so all changes in the VM were included: vmware-vdiskmanager.exe -r "e:\Windows-000002.vmdk" -t 0 e:\CombinedWindows000002.vmdk

bldcybersecurityltd said...

This information is meaningful and magnificent which you have shared here about the Digital Forensic Investigation service. I am impressed by the details that you have shared in this post and It reveals how nicely you understand this subject. I would like to thanks for sharing this article here. Digital Forensic Investigation service in England

Post a Comment