Saturday, April 2, 2011

Accessing VMFS partitions


VMware VMFS (Virtual Machine File System) is the file system used by VMware ESX and ESXi servers to store virtual machine disk images (.VMDK) and snapshots. VMDK (Virtual Machine Disk) files are the virtual equivalent of real hard drives. Many forensic tools, including EnCase, can analyse VMware (.vmdk) files or mount them (FTK Imager, Mount Image Pro etc.). The problem is getting the VMDK files out of VMFS without an ESX or ESXi infrastructure. There are several solutions to this problem.

The Open Source VMFS Driver was written by fluidOps in Java; it is free and gives read-only access to files located on VMFS partitions from many operating systems, including Windows. Java version 6 is required to run it. All you need is to mount the E01 image containing the VMFS partition with your favourite tool. I used to love Mount Image Pro and Smart Mount, but people change. I am using FTK Imager v3 now for obvious reasons: it doesn't cost me anything, and there is no pain with dongles or registrations.


In FTK Imager, the image is mounted with Mount Type set to Physical.

Running the following command should get you into the partition via the WebDAV interface:

C:\vmfs_r95>java -jar fvmfs.jar \\.\PhysicalDrive4 webdav


Next navigate to http://localhost:50080/vmfs and you should see the VMDK files you were after.
(Correction: I originally forgot to put an "s" at the end of the above address; the correct address is http://localhost:50080/vmfs. Thanks Tim for pointing this out.)

The world isn't perfect though, and you may run into a couple of problems:


Problem 1:
You may get an error similar to this:

Exception in thread "main" java.io.IOException: VMFS FDC base not found
    at com.fluidops.tools.vmfs.VMFSDriver.openVmfs(VMFSDriver.java:1180)
    at com.fluidops.tools.vmfs.VMFSTools.cli(VMFSTools.java:225)
    at com.fluidops.tools.vmfs.VMFSTools.main(VMFSTools.java:492)


Problem 2:
There are several partitions inside your E01 image; some of them could be FAT12 "Hypervisor" partitions, which is enough for the fluidOps driver to give up on you.

There are several ways of getting inside, however. In my case I happened to have VMware Workstation installed on my machine, and one of the guest OSes was Ubuntu 10.10. I added the hard disk (PhysicalDrive4) to my Linux guest OS and started it.

vmfs-tools is yet another tool, which is "originally loosely based on the vmfs code from fluidOps" and allows read-only access to VMFS file systems from non-ESX/ESXi hosts.

In Linux I installed vmfs-tools by running:

sudo apt-get install vmfs-tools

and then listed the partitions with:

sudo fdisk -l

The fdisk output showed that the VMFS file system is located on /dev/sdb3.

The next commands create a mount point, mount the VMware VMFS partition and list what's inside:

mkdir /home/a/Desktop/system
vmfs-fuse /dev/sdb3 /home/a/Desktop/system
ls -alh /home/a/Desktop/system

I then connected a 1TB USB Seagate FreeAgent Go drive to the virtual machine and copied the files for further analysis. DONE.
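The Linux-side procedure above (find the VMFS partition in the fdisk listing, mount it read-only with vmfs-fuse, copy the files out) as one script. This is an added example written for this page, not code from the post or from the vmfs-tools project. The function names, the VMFS_DEV/VMFS_MNT/VMFS_OUT variables and the first fdisk listing are assumptions made for the example; the second listing is the one from the comment thread below, where no VMFS partition is visible at all, and the script reports that case instead of trying to mount anything.

```shell
#!/bin/sh
# Added example, not code from the post or from the vmfs-tools project.
# End-to-end: locate the VMFS partition in `fdisk -l` output, mount it
# read-only with vmfs-fuse, copy the VM files out and record SHA-1 hashes
# of the copies. Function names, the VMFS_* variables and the sample
# listings are assumptions made for this example.

# Print the device node of every MBR partition whose Id is fb, which fdisk
# lists as "VMware VMFS". Reads `fdisk -l` output on stdin; exits 1 when the
# listing contains no VMFS partition at all. Only the MBR layout the post
# shows is understood; GPT disks (ESXi 5 onward) need a GPT-aware tool.
find_vmfs_partitions() {
    awk '
        $1 ~ /^\/dev\// {
            # A "*" boot flag inserts a column, so the Id is field 6 then
            # and field 5 otherwise; the System name after it may contain
            # spaces, which is why the Id is not counted from the end.
            id = ($2 == "*") ? $6 : $5
            if (id == "fb") { print $1; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Mount $1 on $2 with vmfs-fuse, copy the VM files (disk images including
# snapshot deltas, snapshot state and metadata, VM configuration) into $3
# preserving the datastore layout, hash the copies, then unmount.
# vmfs-tools is read-only by design, so the evidence partition is never
# written to.
copy_vm_files() {
    dev=$1; mnt=$2; dest=$3
    mkdir -p "$mnt" "$dest" || return 1
    vmfs-fuse "$dev" "$mnt" || return 1
    (cd "$mnt" && find . -type f \
        \( -name '*.vmdk' -o -name '*.vmsn' -o -name '*.vmsd' -o -name '*.vmx' \) \
        -exec cp --parents -p {} "$dest" \;)
    # Hash list goes next to the copy directory so it does not hash itself.
    (cd "$dest" && find . -type f -exec sha1sum {} +) > "${dest%/}.sha1"
    fusermount -u "$mnt"
}

# Constructed listing in the shape of the post's screenshot: hypervisor
# partitions first, the VMFS datastore on partition 3.
SAMPLE_ESX='Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *          63        8191        4064+   4  FAT16 <32M
/dev/sdb2            8192      917503      454656    6  FAT16
/dev/sdb3          917504  1953525167   976303832   fb  VMware VMFS'

# The listing from the comment thread: a plain Linux disk, no VMFS.
SAMPLE_LINUX='Device Boot Start End Blocks Id System
/dev/sdf1 * 2048 964268031 482132992 83 Linux
/dev/sdf2 964270078 972650495 4190209 5 Extended
/dev/sdf5 964270080 972650495 4190208 82 Linux swap / Solaris'

# With VMFS_DEV set (e.g. VMFS_DEV=/dev/sdb3) run the real procedure;
# otherwise only demonstrate the partition scan on the constructed listings.
if [ -n "${VMFS_DEV:-}" ]; then
    copy_vm_files "$VMFS_DEV" "${VMFS_MNT:-$HOME/vmfs}" "${VMFS_OUT:-$HOME/vmfs_copy}"
else
    printf '%s\n' "$SAMPLE_ESX" | find_vmfs_partitions
    printf '%s\n' "$SAMPLE_LINUX" | find_vmfs_partitions \
        || echo "no VMFS partition in the second listing"
fi
```

Run it with no variables to see the scan pick /dev/sdb3 out of the first listing and report nothing for the second; with VMFS_DEV pointing at the partition found by `sudo fdisk -l` it performs the mount and copy, which needs the same privileges as the vmfs-fuse command in the post.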


P.S. Paul Henry did a good write-up on a similar subject here.

4 comments:

labgeek said...

A colleague and I wrote about it as well (from a forensics perspective) - it can be found in the Digital Forensics Magazine or locally here (http://vmforensics.org/?p=4)

ecophobia said...

Good read, thanks.

Om said...

I need to access a VMFS partition of ESX which was created using RAID 1 or 0. I have a couple of VMs and need to retrieve these VMs. The RAID controller has failed and the system is unable to boot.

I tried connecting on a Ubuntu system with vmfs-tools. I am unable to see the drive.

When I installed the Ubuntu OS, fdisk -l showed the below.

Device Boot Start End Blocks Id System
/dev/sde1 * 2048 964268031 482132992 83 Linux
/dev/sde2 964270078 972650495 4190209 5 Extended
/dev/sde5 964270080 972650495 4190208 82 Linux swap / Solaris

When I connected the Raid drive, fdisk -l was showing as below.
Device Boot Start End Blocks Id System
/dev/sdf1 * 2048 964268031 482132992 83 Linux
/dev/sdf2 964270078 972650495 4190209 5 Extended
/dev/sdf5 964270080 972650495 4190208 82 Linux swap / Solaris

ecophobia said...

Hello.
From what you told me it is difficult to understand what the problem is, to be honest. RAID 1 is just a mirror and all you have to do is mount one of the partitions you need with vmfs-fuse. For RAID 0 you obviously need both parts. Perhaps you need to use the DiskInternals tool, which now supports VMFS. Let me know if that's what you're after or you need further help.
Here is the link:
http://www.diskinternals.com/vmfs-recovery/