Wednesday, September 28, 2011

Forensics Quickie: Mounting Split .vmdk

Introducing FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

Scenario
You're tasked with examining a VMware virtual disk. On your way to acquire the .vmdk file, you notice that there's not one, but several .vmdk files. A split VM! You know FTK Imager supports mounting .vmdk, so you go ahead and attempt to mount it. But...it only accepts one .vmdk file!

The Solution
Combine those .vmdk files into one, single .vmdk. You can do this with the vmware-vdiskmanager CLI tool that comes with VMware. Simply run the command below and mount the resulting file in FTK Imager. Success!

vmware-vdiskmanager.exe -r theFirstVmdkFile.vmdk -t 0 singleFileResult.vmdk
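Before merging, it helps to confirm that every piece of the split disk actually made it into the acquisition. The sketch below is an added example, not part of the original post or of any VMware tool: it reads the small text descriptor .vmdk, follows parentFileNameHint through any snapshots, and reports extent files that are missing. The function names and the constructed, simplified sample files are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extent line of a text descriptor: access, size in sectors, type, "file name"
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
PARENT_RE = re.compile(r'^parentFileNameHint\s*=\s*"([^"]*)"')

def parse_descriptor(path):
    """Return (extent file names, parent descriptor name or None)."""
    with open(path, "rb") as fh:
        text = fh.read(65536).decode("latin-1")  # descriptors are small text files
    extents, parent = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := EXTENT_RE.match(line):
            extents.append(m.group(3))
        elif m := PARENT_RE.match(line):
            parent = m.group(1)
    return extents, parent

def check_chain(descriptor):
    """Walk descriptor -> parent -> ...; return (files needed, files missing)."""
    needed, missing, seen = [], [], set()
    current = Path(descriptor)
    while current is not None and current not in seen:
        seen.add(current)
        needed.append(current)
        if not current.is_file():
            missing.append(current)
            break
        extents, parent = parse_descriptor(current)
        for name in extents:
            needed.append(current.parent / name)
            if not needed[-1].is_file():
                missing.append(needed[-1])
        current = current.parent / parent if parent else None
    return needed, missing

def demo():
    """Constructed sample: base disk in two extents, one snapshot, one extent not copied."""
    d = Path(tempfile.mkdtemp())
    (d / "Windows.vmdk").write_text('createType="twoGbMaxExtentSparse"\n'
        'RW 4192256 SPARSE "Windows-s001.vmdk"\nRW 4192256 SPARSE "Windows-s002.vmdk"\n')
    (d / "Windows-000001.vmdk").write_text('parentFileNameHint="Windows.vmdk"\n'
        'RW 4192256 SPARSE "Windows-000001-s001.vmdk"\n')
    for name in ("Windows-s001.vmdk", "Windows-000001-s001.vmdk"):
        (d / name).write_bytes(b"KDMV")  # placeholder extent contents
    needed, missing = check_chain(d / "Windows-000001.vmdk")
    return [p.name for p in needed], [p.name for p in missing]

if __name__ == "__main__":
    print(demo())
```

Point check_chain at the descriptor you intend to pass to -r; an empty "missing" list means every extent and parent it references is present next to it.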

Thanks to KP for spurring this topic.

-4n6k

References
1. Mahmoud Thoughts - Merge 2GB VMDK files to one single VMDK file

4 comments:

Anonymous said...

Hi,

You can also do that easily with DFF as explained on this blog: http://www.digital-forensic.org/blog/post/7/

davnads said...

Thanks, used this today. Worked like a charm. The only part I found that could be more clear is that "theFirstVmdkFile.vmdk" is the snapshot file (e.g. "theFirstVmdkFile-000001.vmdk").

Anonymous said...

With having so much content and articles, do you ever run into any issues of plagiarism or copyright violation? My site has a lot of exclusive content I've either written myself or outsourced, but it seems a lot of it is popping up all over the internet without my permission. Do you know any solutions to help prevent content from being ripped off? I'd certainly appreciate it.

Anonymous said...

Thank you. For me to get this to work I had to put quotes around the source vmdk. I also selected the last snapshot (here it's 000002) so all changes in the VM were included: vmware-vdiskmanager.exe -r "e:\Windows-000002.vmdk" -t 0 e:\CombinedWindows000002.vmdk
