VMDK Handbook - Experts
by
Ulli Hankeln
In emergencies visit
back to Table of Content
This chapter has some tips for experts.
It is rather short at the moment - expect more to come soon.
<<<
How can I scan for vmdk-files
Some recovery tools allow to define custom signatures to scan raw
data for files.
Some also come with vmdk as one of the factory presets search signatures.
Not all of the tools I saw do get this right so here is a list of
the fileheaders you may want to scan for.
| vmdk-type |
file-type |
header as text |
header in binary |
| *-delta.vmdk used by ESX snapshots |
binary |
COWD |
43 4F 57 44 |
| monolithicSparse and streamOptimized |
binary |
KDMV |
4B 44 4D 56 |
| chunks of type twoGbMaxExtentSparse
|
binary |
KDMV |
4B 44 4D 56 |
| chunks of type twoGbMaxExtentFlat
|
binary |
FILE* |
46 49 4C 45 2A |
| *-flat.vmdk |
binary |
scan for MBR |
|
| |
|
|
|
| other vmdk-types - detection is unreliable |
text |
# Disk |
23 20 44 69 73 |
| *.vmss |
binary |
|
D2 BE D2 BE 08 |
| *.vmsn |
binary |
|
D0 BE D0 BE |
| *.vmem |
binary |
|
53 FF 00 F0 53 FF 00 |
| *.nvram |
binary |
MRVN |
4D 52 56 4E |
| |
|
|
|
| |
|
|
|
<<<
Fake basedisk
There are several cases when you may want to "fake" a basedisk.
The most common case is the need to extract data from an orphaned
snapshot.
Here is a short overview of the procedure :
- find out what type of vmdk you need
- find out what nominal size you need
- find out which name the fake basedisk must use
- create new disk with vmware-vdiskmanager.
- find out which filesystem you need - this MUST be exactly the same
one that was used in the lost basedisk
- format vmdk using a helper VM or a LiveCD
- copy the vmdk into right path
- find out which CID value is needed
- attach snapshot
- mount snapshot with helper VM or LiveCD
- use recovery tools like UFS-explorer, GetDataBack ...
Chances:
There is a good chance to recover files which were unfragmented
inside the snapshot.
The smaller the missing files - the higher the chances
The procedure only makes sense if you have enough background info
so that you are able
to reproduce the original filesystem.
If you do not know the origginal filesystem it makes no sense to try
this !
<<<
|
