ESXi

Hey community. Hope all is well.

I am in need of help as per the subject. I am doing an incident response and i had to take a snapshot of a virtual machine for offline analysis. vShpere 7 is in use and list of the folder after the process is as below;

PS F:\Collection\h-db> ls

Directory: F:\Collection\h-db

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/22/2023 5:08 PM 30130962944 H_DB01-1.vmdk
-a---- 2/2/2023 12:20 PM 536870912000 H_DB01-2.vmdk
-a---- 1/22/2023 5:08 PM 185823852544 H_DB01-3.vmdk
-a---- 1/31/2023 8:35 PM 8684 H_DB01-4.nvram
-a---- 1/31/2023 8:35 PM 8653 H_DB01.ovf

I tried to import the virtual machine into Workstation(there were more virtual machines that worked) for analysis and the system could not complete the importing of the virtual machine. After searching around, i found out about Get-VmdkHeader and ran it against the files and the output is as below;

INFO : +++ Processing File [F:\Collection\h-db\H_DB01-1.vmdk] (Size: 30,130,962,944 Bytes) ...
INFO : Number of sectors occupied by the metadata = 128 (Size: 65,536 Bytes)
INFO : +++ Processing File [F:\Collection\h-db\H_DB01-2.vmdk] (Size: 536,870,912,000 Bytes) ...
ERROR : Invalid Magic Number detected.
INFO : +++ Processing File [F:\Collection\h-db\H_DB01-3.vmdk] (Size: 185,823,852,544 Bytes) ...
INFO : Number of sectors occupied by the metadata = 128 (Size: 65,536 Bytes)

My ask for help stems around the following question, Is it possible to fix the magic number and be able to import the virtual machine into Workstation and boot it up?

This is a bit different from what you asked me before.
VMDK files in an OVF are stored in a "stream optimized" file format, which my script does not support.

>>> ... and the system could not complete the importing of the virtual machine
Please provide some details about "could not complete". Any error messages, or log files may help.

André

It may also help to take a look at each file's header.
For this, please run the following Powershell command, and attach the DB01-Metadata.txt to your next reply.

$vmdkfiles=Get-Item *.vmdk ; $(foreach ($vmdkfile in $vmdkfiles) {Write-Output "`n$vmdkfile"; Get-Content $vmdkfile.name -Encoding Byte -TotalCount 1024 | Format-Hex}) | Out-File -Append .\DB01-Metadata.txt

André

Please see attached. Sorry for the late reply. The response to importing the file is as a result of failure to read the hdb01-02.vmdk because it is not a valid vmdk file.

Attachment(s)

DB01-Metadata.txt   29 KB 1 version

That's interesting. The file looks like a raw disk with 2 Linux partitions (83h=Linux, 8Eh=LVM), i.e. it's not a virtual disk file format.
How does the OFV file describe that disk?

André

Attached is the xml for the ovf file but it looks normal as per my understanding.

Attachment(s)

ovf_file.zip   1 KB 1 version

To me, it looks like the previously exported "...HQ01-2.vmdk" (vmdisk2) has been overwritten by an inflated version of "...HQ01-3.vmdk" (vmdisk3). The "defect" file has the exact size of vmdisk3 (536870912000 Bytes).

André

So i guess the issue is not possible to be resolved and it is unrecoverable. The only solution is to get the snapshot anew and use that one. Am i right?

Unless you have a backup/copy of the original "...HQ01-2.vmdk" (vmdisk2), I'm afraid that you need to export the VM again.

André

There is no other copy. I guess i am done for it now. Do you think it is possible to read it raw as it is in linux terminal or it was over written completely. Perhaps i should try that to see.

What you may try is to use the attached descriptor file to attach the raw disk file to a helper VM.

André

Attachment(s)

H_DB01-2-desc.zip   397 B 1 version

Sorry to further the discussion, but how best is this done? I create a new vm from scratch and then within the vm root folder i move both the descriptor file and vmdks to the vm or? I am not so well versed with esxi so pardon my reply.

Let us just clarify things real quick to avoid misunderstandings.
Where do you want to use the virtual disk? On a lokal system using e.g. VMware Workstation, or on an ESXi host?

The descriptor file that I provided before is for VMware Workstation, since I thought that you were trying to access the data this way.
In case you want to use the files on an ESXi host let me know so that I can let you know to required steps.

André

Thanks for the clarification. I am planning to access the data on VMware Workstation on local system.

You could try using a disk recovery tool like TestDisk or Photorec to attempt to recover data from the corrupted H_DB01-2.vmdk file by reading it as a raw disk image. These tools can sometimes recover files, partitions or file systems even from corrupted disk images by scanning for known data structures. However, the success of this approach is not guaranteed and depends on the extent of corruption in the file.