Open a VMware Disk Image (VMDK) with Autopsy for forensic analysis

Using qemu-img!

I have already written about VMXRAY in a previous post.

But what if I need to open a virtual disk image with a forensics tool like Autopsy?

Just convert the VMDK file into a format that Autopsy can read, using the qemu-img utility:

qemu-img convert -f vmdk original.vmdk -O raw converted.raw

qemu-img is part of the QEMU package, which can be installed on Linux (Ubuntu/Debian/Mint) with apt:

apt-get install qemu

On Windows, the tool can be downloaded from this site:

QEMU disk image utility for Windows

After the conversion process ends, you can add the generated RAW file as a data source in Autopsy and start file carving! 🙂
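
The conversion above wrapped in basic evidence handling, as an added example that is not part of the original post: it hashes the VMDK before and after conversion, refuses to overwrite an existing output, records both hashes, and checks the raw image for a boot signature. The function names and the .sha256 sidecar file are assumptions of this sketch, and it expects GNU coreutils (sha256sum, od).

```shell
#!/bin/sh
# Added example: evidence-handling wrapper around the qemu-img conversion.
# Function names and the .sha256 sidecar file are assumptions of this sketch.

# Print only the SHA-256 digest of a file (GNU coreutils sha256sum).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed if sector 0 of a raw image ends with the 0x55AA boot signature,
# which MBR disks and GPT disks (protective MBR) both carry.
has_boot_signature() {
    sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Convert SRC (VMDK) to DST (raw) and record both hashes in DST.sha256.
# Note: for a split VMDK, SRC is only the descriptor; hash the extent
# files it references separately.
convert_for_autopsy() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "source not found: $src" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; return 3; }
    command -v qemu-img >/dev/null 2>&1 || { echo "qemu-img missing" >&2; return 4; }

    before=$(sha256_of "$src")
    qemu-img info -f vmdk "$src" >&2 || return 5   # format and virtual size
    qemu-img convert -f vmdk "$src" -O raw "$dst" || return 6
    # The evidence file must be byte-identical after the conversion.
    [ "$(sha256_of "$src")" = "$before" ] || { echo "source changed" >&2; return 7; }

    {
        printf '%s  %s\n' "$before" "$src"
        printf '%s  %s\n' "$(sha256_of "$dst")" "$dst"
    } > "$dst.sha256"                 # verifiable later with: sha256sum -c
    chmod a-w "$dst"                  # Autopsy only needs to read the image
    has_boot_signature "$dst" ||
        echo "warning: no 0x55AA signature in sector 0 of $dst" >&2
}

# Stand-alone use: sh convert.sh original.vmdk converted.raw
if [ "$#" -eq 2 ]; then
    convert_for_autopsy "$1" "$2"
fi
```

A missing boot signature is only a warning here, because an image of a single volume rather than a whole disk has no partition table in sector 0.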


