Troubleshooting a Data Source problem when importing a VMDK file into Autopsy.
Steps to failure:
I’ve pulled this image from an ESXI host which took the snapshot.
I’ve imported this to “Disk Image or VM file”
Default selected all ingest modules
I think it could be a potentially bad VMDK (though I think this isn’t the case as the SHA265 hash came back the same as the original snapshot file) but I want someone to provide some guidance as to what’s causing this error…
Have you tried to mount the .vmdk to inspect it? What does the .vmdk look like in a hex viewer? ie. Below is sample output via ‘hexdump -C <filename.vmdk>’:
Looking at the error log, it would appear that you have created a logical image of the ESXI host. From my understanding, but I am subject to be corrected, when you add an image to autopsy, it tries to run mmls and get a list of the partitions. If mmls cannot identify a partition scheme, the error as you have got will occur.
In order to overcome this, you can convert the vmdk to a dd using the libvmdk library and mount the resulting folder and subsequently add the mounted folder into autopsy as a logical folder.