Recovery of a corrupt VMDK

  

nickfx
Senior Member
 

Recovery of a corrupt VMDK

Posted: Apr 02, 13 21:58

Hi guys

I've had a VMDK into a US office which is corrupt. The data is all still there (can view the hex in FTK Imager) but can't get it to mount to recover the data. I need a single folder from the drive, anyone got any ideas? As it's remote I can RDP into the machine the file lives on but it's too large to pull back to my forensic workstation to try my primary tools. Standard methods to fix the VMDK file haven't worked.

Cheers

Nick  
 
  

jaclaz
Senior Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 00:16

- nickfx
Hi guys

I've had a VMDK into a US office which is corrupt. The data is all still there (can view the hex in FTK Imager) but can't get it to mount to recover the data. I need a single folder from the drive, anyone got any ideas? As it's remote I can RDP into the machine the file lives on but it's too large to pull back to my forensic workstation to try my primary tools. Standard methods to fix the VMDK file haven't worked.

Cheers

Nick

Which exact "type" of VMDK is it?
See:
sanbarrow.com/vmdk/disktypes.html

Some ways are possible (or easy/convenient) only on some types (the ones that are actually a dd-like image), such as monolithicFlat (which is a "pure" dd-like image) or similar.

What exactly did you try to mount the image with?
Which OS is running on the machine where the VMDK is?
Have you tried 7-zip? It can normally open (valid) dd-like images.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

mscotgrove
Senior Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 00:51

Have you tried data carving?

Carving may help you if the files you want are standard, and the names not important.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

nickfx
Senior Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 01:10

Hi thanks for the replies

1. It's a sparse image - non-split. It's from an ESXi server. VMware want $500 to help :)

2. Data carving would be a last resort, the folder we need is a www folder that contains a WordPress environment and there will be 1000s of files, wouldn't really help.

Thanks mate

Nick  
 
  

jhup
Senior Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 05:14

Have you tried to take a snapshot, and then mount the drive through VM itself?

Presuming the VM instance can be stopped and started, a VM Workstation allows you to mount any VM internal drive through the advanced option under the drive. Thereafter you can access it logically through the host OS.  
 
  

jaclaz
Senior Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 16:03

I presume you can run remotely (through RDP) *any* program.
Try running DMDE:
softdm.com/

Before that,

The monolithicsparse kind of image has an embedded descriptor:
sanbarrow.com/vmdk/dis...thicSparse
written to the 2nd (and part of 3rd) sector, follow the above instructions (or use FTK Imager or any hex/disk editor) to extract the descriptor and verify it is correct.

DMDE may be able to access the VMDK as a RAW image and find the filesystem on it, but if the issue is just the descriptor, it may be more logical to try and repair it first.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
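
Added example, not part of the thread or of any poster's reply: a Python sketch of the descriptor check described in the post above. It assumes VMware's published hosted sparse extent header layout ("KDMV" magic, descriptor offset and size in sectors) and falls back to reading sector 1 when the header is damaged; the function names and the sample image are constructed for illustration.

```python
import io
import re
import struct

SECTOR = 512
# Start of the hosted sparse extent header (little-endian, packed, 73 bytes):
# magic, version, flags, capacity, grainSize, descriptorOffset, descriptorSize, ...
HEADER = struct.Struct("<4sIIQQQQIQQQB")
MAX_DESC_SECTORS = 128  # assumed safety cap in case descriptorSize is garbage

def extract_descriptor(f):
    """Return (descriptor_text, problems) for a sparse VMDK opened in binary mode."""
    problems = []
    f.seek(0)
    raw = f.read(HEADER.size)
    if len(raw) < HEADER.size:
        return "", ["file shorter than a sparse extent header"]
    magic, _ver, _flags, capacity, _grain, d_off, d_size = HEADER.unpack(raw)[:7]
    if magic != b"KDMV":
        problems.append("bad header magic; falling back to sector 1")
        capacity, d_off, d_size = None, 1, 2   # 2nd and 3rd sector
    elif d_off == 0:
        return "", ["header says there is no embedded descriptor"]
    f.seek(d_off * SECTOR)
    blob = f.read(min(d_size, MAX_DESC_SECTORS) * SECTOR)
    text = blob.split(b"\0", 1)[0].decode("ascii", "replace")
    if not text.startswith("# Disk DescriptorFile"):
        problems.append("descriptor signature line missing")
    if not re.search(r'^createType="\w+"', text, re.M):
        problems.append("createType line missing")
    extent = re.search(r'^(RW|RDONLY|NOACCESS) (\d+) SPARSE "[^"]+"', text, re.M)
    if not extent:
        problems.append("no SPARSE extent line")
    elif capacity is not None and int(extent.group(2)) != capacity:
        problems.append("extent size differs from header capacity")
    return text, problems

def build_sample(damage_magic=False):
    """Constructed test image: header sector plus descriptor, no grain data."""
    desc = (b'# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n'
            b'createType="monolithicSparse"\n\nRW 4192256 SPARSE "sample.vmdk"\n')
    magic = b"XXXX" if damage_magic else b"KDMV"
    hdr = HEADER.pack(magic, 1, 3, 4192256, 128, 1, 20, 512, 21, 26, 128, 0)
    return io.BytesIO(hdr.ljust(SECTOR, b"\0") + desc.ljust(20 * SECTOR, b"\0"))

if __name__ == "__main__":
    text, problems = extract_descriptor(build_sample(damage_magic=True))
    print(text, problems, sep="\n")
```

On the remote machine the same function takes `open(path, "rb")`, so only the header and descriptor sectors are read and the image is never modified.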
 
  

darko123
Member
 

Re: Recovery of a corrupt VMDK

Posted: Apr 03, 13 16:15

DiskInternals VMFS Recovery
supports remote, ESXi server...  
 
