Thursday, Dec 29, 2011

Mounting VMDK Image in Linux

This video demonstrates how to mount a VMware VMDK image file in Linux. The concept is the same as for a raw (dd) image, because the steps below treat the VMDK as a flat, byte-for-byte copy of the disk. Note the caveat that goes with that: it holds for a flat, pre-allocated VMDK, whose data lives in the -flat.vmdk extent as raw sectors. A sparse VMDK stores its data in grains behind a header, so mount -o offset= will not find a filesystem at the computed offset; convert such an image to raw first (for example with qemu-img convert) or expose it as a flat device with a tool made for that.

In this example we use the SIFT Workstation in a VMware environment. We also show how to share a folder on the host with the VM (virtual machine). The video covers mmls from The Sleuth Kit, the mount utility, VMware and the SIFT Workstation.

Mounting Folder from Host Machine in a Linux VM

To share a folder on the host machine, go to the VM tab in VMware Player's tool bar, then Settings -> Options -> Shared Folder -> enable, and browse for the folder. A Linux VM mounts the folder under /mnt/hgfs. Note that you can share the folder read-only, which is useful for maintaining data integrity: the VM can read the evidence file but cannot modify it.

Viewing VMDK Partitions

You will need The Sleuth Kit for this section. The SIFT Workstation and many other forensics-oriented live CDs already include it. If not, a simple apt-get install should work:

sudo apt-get install sleuthkit

Once The Sleuth Kit is installed, we use one of its tools, mmls, which lists the partition table of a volume or image. The usage is very simple:

sudo mmls imagefile

Note the starting location of the partition you wish to mount; this is its starting sector. The mmls output also states the sector size in bytes (the "Units are in 512-byte sectors" line), and you need that value as well. It is usually 512 bytes, but read it from the output rather than assuming it.

Mounting the VMDK Partition

Once you have noted the starting sector, we can work out where the partition begins in the image. Get out the calculator and multiply the sector the partition starts on by the sector size in bytes to get the starting offset of the partition:

StartingSector * SectorSize = StartingOffset

Now we can mount the partition using the mount utility.

The correct mount command is the one below; please ignore the mount options used in the video.

sudo mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows,offset=StartingOffset image directory

-o introduces the mount options, where:

ro - mount read-only
loop - mount through a loop device (the image is a file, not a physical device)
show_sys_files - show the NTFS volume metafiles ($MFT, $LogFile and so on) in directory listings
streams_interface=windows - expose NTFS alternate data streams using Windows-style file:stream names
offset= - byte offset of the partition within the image (the StartingOffset computed above)

See http://computer-forensics.sans.org/blog/2011/11/28/digital-forensic-sifting-mounting-ewf-or-e01-evidence-image-files for more on mounting.
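The mmls and offset steps above, carried through as an added example that is not part of the original post: a small POSIX shell script that parses mmls output, computes StartingSector * SectorSize, builds the ntfs-3g mount line from the post and, when pointed at a real image, runs it and checks /proc/mounts to confirm the kernel really mounted the partition read-only. The mmls output embedded in it is constructed for this example, not taken from the video's image; the script name, the entry numbers and the /mnt/evidence mount point are assumptions. It assumes an image mmls can read as a raw disk (a dd image or a flat VMDK's -flat.vmdk extent) and that the partition is identified by the NN: index in mmls's first column.

```shell
#!/bin/sh
# Added example, not code from the original post: turn an mmls partition entry
# into the byte offset that "mount -o offset=" needs, then assemble (and, given
# a real image, run) the read-only ntfs-3g mount from the post.
#
#   ./vmdk_mount.sh                                    # use the constructed sample below
#   ./vmdk_mount.sh image-flat.vmdk 03 /mnt/evidence   # real image (needs root)
#
# Assumes an image mmls reads as a raw disk (dd image or flat VMDK extent) and
# that the partition is named by the "NN:" index in mmls's first column.

# Constructed sample mmls output, not from a real image: a 100 MiB NTFS
# system partition followed by a ~20 GiB NTFS data partition.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000206847   0000204800   NTFS (0x07)
03:  00:01   0000206848   0041940991   0041734144   NTFS (0x07)
04:  -----   0041940992   0041943039   0000002048   Unallocated'

# Sector size in bytes from the "Units are in N-byte sectors" line.
# Read it rather than assuming 512: 4Kn disks and some virtual disks report 4096.
mmls_sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p'
}

# Starting sector of table entry $2 (the zero-padded "NN:" index in column 1).
# The zero padding is stripped because $(( )) would otherwise read 0002048 as octal.
mmls_start_sector() {
    local start
    start=$(printf '%s\n' "$1" | awk -v e="$2:" '$1 == e { print $3 }')
    [ -n "$start" ] || { echo "mmls_start_sector: no entry $2 in mmls output" >&2; return 1; }
    start=$(printf '%s' "$start" | sed 's/^0*//')
    printf '%s\n' "${start:-0}"
}

# StartingSector * SectorSize = StartingOffset (bytes).
mmls_partition_offset() {
    local size start
    size=$(mmls_sector_size "$1")
    [ -n "$size" ] || { echo "mmls_partition_offset: no sector size in mmls output" >&2; return 1; }
    start=$(mmls_start_sector "$1" "$2") || return 1
    printf '%s\n' $(( $start * $size ))
}

# The mount line from the post with the computed offset filled in:
#   mount_cmd_for MMLS_OUTPUT ENTRY IMAGE MOUNTPOINT
mount_cmd_for() {
    local offset
    offset=$(mmls_partition_offset "$1" "$2") || return 1
    printf 'mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows,offset=%s %s %s\n' \
        "$offset" "$3" "$4"
}

if [ "$#" -eq 3 ]; then
    image=$1 entry=$2 mnt=$3
    table=$(mmls "$image") || exit 1
    offset=$(mmls_partition_offset "$table" "$entry") || exit 1
    # Arguments go straight to mount, not through a shell string, so odd path names are safe.
    sudo mount -t ntfs-3g \
        -o "ro,loop,show_sys_files,streams_interface=windows,offset=$offset" \
        "$image" "$mnt" || exit 1
    # Confirm the kernel really mounted it read-only before touching the evidence.
    if grep -F " $mnt " /proc/mounts | grep -q '[ ,]ro[ ,]'; then
        echo "mounted read-only at $mnt (partition offset $offset)"
    else
        echo "WARNING: $mnt is not mounted read-only" >&2
        exit 1
    fi
else
    echo "sample table: entry 03 starts at sector $(mmls_start_sector "$SAMPLE_MMLS" 03)"
    mount_cmd_for "$SAMPLE_MMLS" 03 image-flat.vmdk /mnt/evidence
fi
```

Two details are worth the extra lines: mmls zero-pads sector numbers, and shell arithmetic treats a leading zero as octal, so "0000206848" has to be stripped before it is multiplied; and the sector size is parsed from the output instead of hard-coded, so a 4096-byte-sector image gives the right offset without a second calculator pass.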

Reader Comments (2)

Nice video and great topic to cover.

Why don't you consider ntfs-3g and its options to access ADS and NTFS metafiles in your mount options?

ntfs-3g - Third Generation Read/Write NTFS Driver

streams_interface=value
This option controls how the user can access Alternate Data Streams (ADS) or in other words, named data streams. It can be set to, one of none, windows or xattr. If the option is set to none, the user will have no access to the named data streams. If it is set to windows (not possible with lowntfs-3g), then the user can access them just like in Windows (eg. cat file:stream). If it's set to xattr, then the named data streams are mapped to xattrs and user can manipulate them using {get,set}fattr utilities. The default is xattr.

show_sys_files
Show the metafiles in directory listings. Otherwise the default behaviour is to hide the metafiles, which are special files used to store the NTFS structure. Please note that even when this option is specified, "$MFT" may not be visible due to a glibc bug. Furthermore, irrespectively of show_sys_files, all files are accessible by name, for example you can always do "ls -l '$UpCase'".

-o, --options opts
Options are specified with a -o flag followed by a comma separated string of options.
ro
Mount the filesystem read-only.

The Loop Device

One further possible type is a mount via the loop device. For example, the command
mount /tmp/fdimage /mnt -t vfat -o loop=/dev/loop3
will set up the loop device /dev/loop3 to correspond to the file /tmp/fdimage, and then mount this device on /mnt.
This type of mount knows about four options, namely loop, offset, sizelimit and encryption, that are really options to losetup(8). (These options can be used in addition to those specific to the filesystem type.)
If no explicit loop device is mentioned (but just an option '-o loop' is given), then mount will try to find some unused loop device and use that.
Since Linux 2.6.25, auto-destruction of loop devices is supported, and any loop device allocated by mount will then be freed by umount independently of /etc/mtab.
You can also free a loop device by hand, using 'losetup -d' or 'umount -d'.

User Mapping
By default, this mapping is fetched from the file .NTFS-3G/UserMapping located in the NTFS partition. The option usermapping= may be used to define another location. When the option permissions is set and no mapping file is found, a default mapping is used.

January 8, 2012 | Unregistered Commenter justacomment

Great information justacomment, Thank you for sharing. Very helpful. I would be interested in using that information for another post alone.

February 3, 2012 | Registered Commenter Digensics
