Cannot determine VMDK file system type

Autopsy Help
1

Troubleshooting a Data Source problem when importing a VMDK file into Autopsy.

Steps to failure:

  1. I’ve pulled this image from an ESXI host which took the snapshot.

  2. I’ve imported this to “Disk Image or VM file”

  3. Default selected all ingest modules

I think it could be a potentially bad VMDK (though I think this isn’t the case as the SHA265 hash came back the same as the original snapshot file) but I want someone to provide some guidance as to what’s causing this error…

VMDK_support
VMDK_support878×546 21.2 KB

2

Have you tried to mount the .vmdk to inspect it? What does the .vmdk look like in a hex viewer? ie. Below is sample output via ‘hexdump -C <filename.vmdk>’:

00000000  4b 44 4d 56 01 00 00 00  03 00 00 00 00 00 00 05  |KDMV............|
00000010  00 00 00 00 80 00 00 00  00 00 00 00 01 00 00 00  |................|
00000020  00 00 00 00 14 00 00 00  00 00 00 00 00 02 00 00  |................|
00000030  15 00 00 00 00 00 00 00  1f 14 00 00 00 00 00 00  |................|
00000040  80 28 00 00 00 00 00 00  00 0a 20 0d 0a 00 00 00  |.(........ .....|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200  23 20 44 69 73 6b 20 44  65 73 63 72 69 70 74 6f  |# Disk Descripto|
00000210  72 46 69 6c 65 0a 76 65  72 73 69 6f 6e 3d 31 0a  |rFile.version=1.|
00000220  65 6e 63 6f 64 69 6e 67  3d 22 55 54 46 2d 38 22  |encoding="UTF-8"|
00000230  0a 43 49 44 3d 39 32 63  39 34 32 65 34 0a 70 61  |.CID=92c942e4.pa|
00000240  72 65 6e 74 43 49 44 3d  66 66 66 66 66 66 66 66  |rentCID=ffffffff|
00000250  0a 63 72 65 61 74 65 54  79 70 65 3d 22 6d 6f 6e  |.createType="mon|
00000260  6f 6c 69 74 68 69 63 53  70 61 72 73 65 22 0a 0a  |olithicSparse"..|
00000270  23 20 45 78 74 65 6e 74  20 64 65 73 63 72 69 70  |# Extent descrip|
00000280  74 69 6f 6e 0a 52 57 20  38 33 38 38 36 30 38 30  |tion.RW 83886080|
00000290  20 53 50 41 52 53 45 20  22 57 69 6e 64 6f 77 73  | SPARSE "Windows|
000002a0  20 31 30 20 78 36 34 2e  76 6d 64 6b 22 0a 0a 23  | 10 x64.vmdk"..#|
3

Looking at the error log, it would appear that you have created a logical image of the ESXI host. From my understanding, but I am subject to be corrected, when you add an image to autopsy, it tries to run mmls and get a list of the partitions. If mmls cannot identify a partition scheme, the error as you have got will occur.
In order to overcome this, you can convert the vmdk to a dd using the libvmdk library and mount the resulting folder and subsequently add the mounted folder into autopsy as a logical folder.