Pieces0310

Forensics must let the evidence speak; never pass judgment on a case from your own subjective conviction. Avoid painting the target around the arrow, searching only to find what you already expect. The foundation of forensics rests on experience and judgment: the more experience you have across IT domains, the more clues you can spot. Make good use of tools, but do not over-rely on them. Tools can only narrow the range of possibilities; they cannot give you the answer, which still requires human analysis and judgment.


The evidence is a VM, shown below. The flat vmdk is the real disk; the vmdk of only 1 KB is just a descriptor. As you can see, there is no vmx. What will you do to find important clues inside this VM?


Mount that flat vmdk and export a disk image? It sounds good, but unfortunately forensic tools such as EnCase or FTK can add those vmdk files as evidence yet cannot "see" what is inside the vmdk. Let's check whether forensic tools can see another vmdk from my Linux VM, whose OS is CentOS 7. Still the same error, as below.


Now I try to boot up that VM, but there is no vmx. Don't worry: VMware Workstation handles this very well. All I have to do is create a new VM and use the existing flat vmdk file as its disk. You can see that the VM is up and running below.


Wrong root password??? Of course you have no idea what the root password is. Booting into single-user mode and changing the root password is a piece of cake. After logging in to the VM, you can check the disk and volume information.


How do you acquire this VM while it is up and running? All you need is a USB storage device with enough capacity.


Run the dd command to acquire this VM onto the external USB storage.


After the acquisition completes, the external USB thumb drive holds an exact copy of that VM's disk.
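The dd acquisition step above, written out as an added example that is not the post's own command: a POSIX shell function (the name `acquire_and_verify` and the paths are assumptions) that images a source device with dd, hashes source and image with SHA-256, and writes the hashes next to the image so the "exactly the same" claim can be proven rather than assumed.

```shell
#!/bin/sh
# Acquire a raw disk image with dd and verify it against the source hash.
# Usage (hypothetical paths): acquire_and_verify /dev/sda /mnt/usb/centos7-vm.dd
acquire_and_verify() {
    src="$1"
    dst="$2"

    # Hash the source before imaging so the copy can be compared to it afterwards.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 1

    # 512-byte input blocks with conv=noerror,sync keep offsets stable when a sector
    # cannot be read (the bad sector is zero-filled rather than dropped); obs=4M keeps
    # writes to the USB drive large. A block device is a whole number of sectors, so
    # no padding is appended at the end; a file whose size is not a multiple of 512
    # would be padded, and the hash check below catches that.
    dd if="$src" of="$dst" ibs=512 obs=4M conv=noerror,sync 2>"$dst.dd.log" || return 1

    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1) || return 1

    # Record both hashes beside the image for the chain-of-custody notes.
    printf 'source %s %s\nimage  %s %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"

    if [ "$src_hash" = "$dst_hash" ]; then
        echo "verified: $dst_hash"
        return 0
    fi
    echo "HASH MISMATCH: source $src_hash image $dst_hash" >&2
    return 2
}
```

Booting the VM and resetting the root password write to the flat vmdk, so run this against a working copy of the evidence file and keep a hash of the untouched original.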


Now you can examine and analyze the evidence with whatever forensic tools you prefer.


posted on 2016-09-25 11:05  Pieces0310  Reads (299)  Comments (0)