dmmartin13
commented
3 years ago This same approach has been found to be effective for vhdx format disk images as well. These scripts https://gist.github.com/allenyllee/0a4c02952bf695470860b27369bbb60d are a good starting point, but need to be adapted a bit to:
- Mount all partitions
- Expose the underlying /dev/nbd0 device for use by libtsk-based forensic tools like Plaso
Recent attempts to mount vmdk images with version "VMware4 disk image" have failed due to an apparent lack of support from libvmdk. A workaround was found to use qemu-nbd to mount the images in a similar manner to the intermediate mount used by ewfmount. To mount a vmdk image, issue the following commands (using Ubuntu 16.04):
sudo modprobe nbd sudo qemu-nbd -c /dev/nbd0 -r /path/to/image.vmdk sudo imount /dev/nbd0To unmount the nbd device:
sudo qemu-nbd -d /dev/nbd0One issue with the qemu-nbd technique is that there does not appear to be a good way to determine which image is mounted to which /dev/nbd device, but this can be handled through Thumbtack's internal state tracking.