VMware VMFS is the VMware Virtual Machine File System, which is used by VMware ESX and ESXi servers to store virtual machine disk images (.vmdk) and snapshots. The VMDK (Virtual Machine Disk) files are the equivalent of real hard drives, except they are virtual. Many forensic tools, including EnCase, can analyse VMware (.vmdk) data files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting VMDK files out of VMFS without ESX or ESXi infrastructure. There are several solutions to this problem.
Open Source VMFS Driver was written by fluidOps in Java; it's free and allows read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons; it doesn't cost me anything and there is no pain with dongles or registrations.
Mount type is Physical.
Running the following command should get you into the partition via the WebDAV interface:
C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav
Next, navigate to http://localhost:50080/vmf and you should see the VMDK files you were after.
Correction: I forgot to put an "s" at the end of the above address. The correct address would be http://localhost:50080/vmfs. Thanks Tim for pointing this out.
The world isn't perfect though and you may run into a couple of problems:
You may get an error similar to this:
Exception in thread "main" java.io.IOException: VMFS FDC base not found
There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.
There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine and one of the guest OSes was Ubuntu 10.10. I added the hard disk (PhysicalDrive4) to my Linux guest OS and started it.
vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.
In Linux I installed vmfs-tools by running:
sudo apt-get install vmfs-tools
and then listed the partitions with the following command (the dash is a plain hyphen, not an en dash):
sudo fdisk -l
The above shows that the VMFS file system is located on /dev/sdb3.
The next commands create a mount point and mount the VMware VMFS partition:
mkdir /home/a/Desktop/system
vmfs-fuse /dev/sdb3 /home/a/Desktop/system
and then see what's inside:
ls -alh
I then connected a 1TB USB Seagate FreeAgent Go drive to the virtual machine and copied the files for further analysis. DONE.
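As an added example (not code from the original post), here are the Linux steps above as a small POSIX shell script: it picks out the VMFS partition(s) from fdisk -l output by their MBR type id (fb, VMware VMFS), mounts each one with vmfs-fuse (which is read-only by design) and records SHA-256 hashes of the VMDK files before anything is copied off. The sample fdisk output, the device names and the /mnt/vmfs_* mount points are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes vmfs-tools is installed.
set -e

# Constructed sample of `sudo fdisk -l` output for a disk that held an ESX
# install: small FAT "Hypervisor" partitions plus one VMFS partition (Id fb).
SAMPLE_FDISK='Disk /dev/sdb: 500.1 GB, 500107862016 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1           5       32098+   4  FAT16 <32M
/dev/sdb2               6        1018     8131072+   5  Extended
/dev/sdb3            1019       60801   480229947+  fb  VMware VMFS
/dev/sdb5               6         260     2048256    6  FAT16'

# Read fdisk output on stdin and print the device node of every partition
# whose type id is fb (VMware VMFS). A "*" in the Boot column shifts the
# columns by one, so the Id field is $6 for bootable rows and $5 otherwise.
find_vmfs_partitions() {
    awk '$1 ~ /^\/dev\// { id = ($2 == "*") ? $6 : $5; if (tolower(id) == "fb") print $1 }'
}

# Create the mount point and mount the partition with vmfs-fuse.
mount_vmfs() {
    part="$1"; mnt="$2"
    mkdir -p "$mnt"
    vmfs-fuse "$part" "$mnt"
}

# Hash every VMDK (flat, descriptor and snapshot delta files all end in
# .vmdk) under the mount so the values can go into the case notes.
hash_vmdks() {
    find "$1" -type f -name '*.vmdk' -exec sha256sum {} +
}

# Real run: only when invoked with --run, so the functions above can be
# sourced and checked against the sample output without touching any disk.
if [ "${1:-}" = "--run" ]; then
    for p in $(sudo fdisk -l 2>/dev/null | find_vmfs_partitions); do
        mnt="/mnt/vmfs_$(basename "$p")"
        mount_vmfs "$p" "$mnt"
        hash_vmdks "$mnt"
    done
fi
```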
P.S. Paul Henry did a good write-up on a similar subject here.