Open a VMWare Disk Image (VMDK) with Autopsy for forensics analisys
About VMXRAY i have already spoken in a previous post.
But if i need to open a Virtual Disk Image with a forensics tool like Autopsy?
Just convert the VMDK file into a format that can be read by Autopsy, using qemu-img utility:
qemu-img convert vmdk original.vmdk -m 16 -p -O raw converted.raw
(-m set the number of thread used, -p displays a progress of the operation)
Quemu-img is a part of Qemu package, that can be installed on Linux (Ubuntu/Debian/Mint) with apt:
apt-get install qemu
On Windows, the tool can be downloaded from this site:
After convertion process ends, you can add the generated RAW file as DataSource on Autopsy and start file carving! :-)