Open a VMWare Disk Image (VMDK) with Autopsy for forensics analisys

Using qemu-img!


About VMXRAY i have already spoken in a previous post.

But if i need to open a Virtual Disk Image with a forensics tool like Autopsy?

Just convert the VMDK file into a format that can be read by Autopsy, using qemu-img utility:

qemu-img convert -f vmdk original.vmdk -O raw converted.raw

Quemu-img is a part of Qemu package, that can be installed on Linux (Ubuntu/Debian/Mint) with apt:

apt-get install qemu

On Windows, the tool can be downloaded from this site:

http://www.teimouri.net/qemu-img-windows/

After convertion process ends, you can add the generated RAW file as DataSource on Autopsy and start file carving! 🙂

Comments