The vmdk file extension is used for virtual disk files: a virtual partition with data and an installed operating system (Microsoft Windows, Linux, Mac OS X (macOS), MS-DOS etc.), created and used by VMware to run as a virtual machine under a host operating system. A VMDK virtual disk file stores the contents of the virtual machine’s hard disk drive.

I was looking for an easy way to mount VMDK files on my Linux box so I could do forensic analysis on the images, similar to how I’ve done things in the past with E01 files. I didn’t really want to image the VM and then analyze it, since most of the time I’m using VMs for testing.

I’m sure someone else figured this out, but a Google search didn’t come up with anything when I added AFF to the search query (for me at least). That being said, this post was inspired by Sketchymoose’s post… She talks about downloading the Virtual Disk Development kit, but one item in the post caught my eye:

“I first discovered I had to add the ‘-i aff’ parameter to get mmls to determine the disk structure of the vmdk file.”

So this will be short and sweet, but first a couple of caveats:

1) I have not tested this against split VMDK files yet, but I’m thinking it should work.

2) I haven’t even considered testing this against VM snapshot images, but I’m guessing that will not work.

3) You need to have AFFLIB installed and working.

Ex: mmls -t dos /mnt/aff/

mount -o ro,loop,show_sys_files,streams_interface=windows,offset= /.raw /mount/point

Ex: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/aff/ /mnt/windows

And voila! /mnt/windows now contains the file structure of the VMDK image!
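The offset= value passed to mount is the partition's start sector from mmls multiplied by the sector size, so the 1048576 in the example corresponds to a partition starting at sector 2048 with 512-byte sectors. The script below is an added example, not part of the original post: it parses mmls output and prints the byte offset for each allocated partition. The function names are hypothetical and the sample mmls output is constructed.

```shell
#!/bin/sh
# Added example: convert mmls start sectors into byte offsets for mount -o offset=

# Constructed sample of `mmls -t dos` output (not taken from a real image).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
EOF
}

# Read mmls output on stdin and print "slot start_sector byte_offset description"
# for each allocated partition (slot of the form table:entry). Meta and
# unallocated rows are skipped. Fails if no sector-size header was seen.
mmls_offsets() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { size = $4 + 0 }  # "512-byte" -> 512
        $2 ~ /^[0-9]+:[0-9]+$/ {
            if (!size) exit 1
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            # %.0f avoids 32-bit clamping of %d in some awk builds on large disks
            printf "%s %.0f %.0f %s\n", $2, $3 + 0, ($3 + 0) * size, desc
        }'
}

# Print only the byte offset of one slot (e.g. 000:000), ready to use after
# offset= in the mount command. Non-zero exit status if the slot is absent.
offset_for_slot() {
    mmls_offsets | awk -v slot="$1" '
        $1 == slot { print $3; found = 1 }
        END { exit !found }'
}

sample_mmls | mmls_offsets
```

On a real image, pipe the actual mmls output into `offset_for_slot` in place of `sample_mmls`.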