One post tagged with "VMDK"

🔦 A quick walkthrough in the VMDK format

· 10 min read
mickaelwalter
Infosec and technology enthusiast

After attending a conference for incident response teams, I joined a project aiming to create a forensic framework allowing acquisition and visualization of evidence from various sources: the Exhume toolkit.

The Exhume Toolkit v0.1

In this quest to retrieve data from various base formats, I got involved in understanding and implementing a parser for the VMDK format.

The Virtual Machine Disk format was created by VMware and is used by all kinds of virtual machines on all types of hypervisors. It is also used in the exchange formats that share virtual machines from one hypervisor to another.

Most IT experts, from cybersecurity specialists to system administrators, have heard of VMDK files. And I am no exception. But I never really understood what was behind this format. Sure, I did encounter some difficulties accessing data from a VMDK file sourced from an ESXi server, but I always found tools that could convert the file to a better-suited format... including VMDK itself.

At that moment I wondered why converting a VMDK file to another one could help me get access to the data for forensic purposes. And I have found the answer now that I have done some serious research on the matter.