Hey Guys
I'm trying to recover a VMware virtual machine that I accidentally deleted from within VMware Workstation on Windows 7.
The VM I'm trying to recover was running Windows 7 x64 encrypted with TrueCrypt.
There were two vmdks. I'm not sure, but I think one was 100 GB and one was 50 GB (or maybe 150 GB).
I'm on Kali Linux right now.
I already made an image of the partition the VM was on with dd:
Code:
dd if=/dev/sdc3 of=img.dd conv=noerror
Code:
root@kali:/# ls -l -h img.dd
-rw------- 1 root root 832G Mar 30 13:31 img.dd
Code:
coming soon
The md5 hashes match:
Code:
2aa926de57834f395bcb6ff075cf03c8 /dev/sdc3
2aa926de57834f395bcb6ff075cf03c8 img.dd
Q1: Is this ok? Did I get all data there is? Can I boot and use the disk without hesitation of needing it later?
Then I used PhotoRec to extract the vmdks:
Code:
Disk img.dd - 892 GB / 831 GiB (RO)
Partition Start End Size in sectors
Unknown 0 0 1 922646 101 14 1743802368 [Whole disk]
> P NTFS 0 0 1 922646 101 14 1743802368 [Data]
Code:
To recover lost files, PhotoRec need to know the filesystem type where the
file were stored:
[ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other ] FAT/NTFS/HFS+/ReiserFS/...
Code:
Please choose if all space need to be analysed:
[ Free ] Scan for file from NTFS unallocated space only
>[ Whole ] Extract files from whole partition
Code:
root@kali:vmdk# ls -s -h recup_dir.1
total 832G
27M f0334696.vmdk 55G f142349624.vmdk 342M f2350824.vmdk 6.0G f321178976.vmdk 9.0M f36528144.vmdk 9.3G f529270928.vmdk 310M f639895568.vmdk 648M f735741360.vmdk 1.5G f895917440.vmdk
23M f0389928.vmdk 3.3G f1428779080.vmdk 3.6G f23537752.vmdk 320K f32184912.vmdk 3.7G f36546440.vmdk 863M f548680352.vmdk 1.2G f640530064.vmdk 9.0G f737067952.vmdk 1.3G f898972496.vmdk
389M f0435376.vmdk 16G f1435509520.vmdk 23M f257341952.vmdk 320K f32185552.vmdk 112M f381055728.vmdk 928M f550447624.vmdk 404M f642992448.vmdk 4.7G f74509320.vmdk 817M f901574976.vmdk
1.6G f1014391536.vmdk 5.7M f1467288.vmdk 3.6M f257388256.vmdk 320K f32186192.vmdk 11G f381284848.vmdk 212M f552347928.vmdk 540M f643818064.vmdk 3.4G f755776912.vmdk 2.4G f903247336.vmdk
720M f1017722736.vmdk 1.5G f1467536256.vmdk 16M f257395544.vmdk 8.8M f32186832.vmdk 62M f403672880.vmdk 162M f552781728.vmdk 1.3G f644923760.vmdk 1.8G f762863464.vmdk 206M f908236696.vmdk
4.8G f1019196264.vmdk 529M f1470639616.vmdk 2.7M f257427032.vmdk 155M f32204728.vmdk 772K f403798600.vmdk 63M f553112920.vmdk 102M f647535080.vmdk 4.1G f766481328.vmdk 692M f908657656.vmdk
11M f1029142800.vmdk 1.3G f1471721472.vmdk 3.2M f257432408.vmdk 1.6G f32521528.vmdk 51M f403800144.vmdk 136M f553241304.vmdk 45M f647742552.vmdk 285M f775047064.vmdk 3.0G f910074152.vmdk
3.1M f1029164688.vmdk 819M f1474394240.vmdk 1.3M f257438960.vmdk 3.0M f333643264.vmdk 5.1G f403903280.vmdk 257M f553519472.vmdk 1.1G f647832824.vmdk 357M f775628952.vmdk 255M f916179040.vmdk
668M f1029170960.vmdk 369M f1476070400.vmdk 896K f257441520.vmdk 1.9M f333649312.vmdk 25M f414530608.vmdk 52M f554044048.vmdk 985M f650095864.vmdk 1.1G f776359448.vmdk 529M f916700000.vmdk
29G f1030538024.vmdk 1.1G f1476824576.vmdk 3.0M f257443312.vmdk 320K f333653048.vmdk 94M f414580528.vmdk 955M f554149144.vmdk 3.8G f652112496.vmdk 2.2G f778521560.vmdk 1.9G f917782472.vmdk
364K f10434664.vmdk 186M f1478768.vmdk 1.8G f257449328.vmdk 320K f333653688.vmdk 2.4M f4146112.vmdk 3.5G f556103800.vmdk 742M f659967080.vmdk 773M f783131376.vmdk 1.1G f921665872.vmdk
6.3G f10435392.vmdk 796M f1478976896.vmdk 439M f261066320.vmdk 320K f333654328.vmdk 12G f414772784.vmdk 320K f56281456.vmdk 4.4G f661485328.vmdk 230M f784713872.vmdk 445M f923785104.vmdk
1.9G f1089792832.vmdk 430M f1480607104.vmdk 4.4G f261965152.vmdk 320K f333654968.vmdk 944K f4150848.vmdk 8.7G f56282096.vmdk 2.0G f670612160.vmdk 265M f785184656.vmdk 2.4G f924696096.vmdk
16G f1093686472.vmdk 336M f1481486976.vmdk 8.6G f271102528.vmdk 320K f333655608.vmdk 76M f4152736.vmdk 506M f563429056.vmdk 1.7G f674803136.vmdk 242M f785726736.vmdk 809M f929612240.vmdk
20G f1126974536.vmdk 1.5G f1482173312.vmdk 408M f289030408.vmdk 320K f333656248.vmdk 391M f4307984.vmdk 508M f564464512.vmdk 2.0G f678323392.vmdk 168M f786220560.vmdk 784M f931267848.vmdk
1.7G f115494408.vmdk 255M f1485277440.vmdk 2.0M f289865624.vmdk 320K f333656888.vmdk 173M f437933264.vmdk 1.5G f565503656.vmdk 1.8G f6815528.vmdk 207M f786563576.vmdk 11G f932872064.vmdk
108G f1167934784.vmdk 529M f1485798400.vmdk 814M f289869608.vmdk 320K f333657528.vmdk 2.7G f438286800.vmdk 245M f568511304.vmdk 1.4G f682516288.vmdk 1.5G f786986360.vmdk 1.8G f955376200.vmdk
320K f119013576.vmdk 1.3G f1486881152.vmdk 35M f291535784.vmdk 2.7M f333658168.vmdk 2.5G f44300304.vmdk 103M f569012848.vmdk 2.4G f685424472.vmdk 848M f790117312.vmdk 261M f959064080.vmdk
1.2G f119014216.vmdk 819M f1489553920.vmdk 2.5G f291605688.vmdk 2.4M f333663696.vmdk 233M f443800808.vmdk 237M f569223312.vmdk 175M f690299840.vmdk 4.3G f791853504.vmdk 539M f959597208.vmdk
1.1G f121391192.vmdk 369M f1491230080.vmdk 12M f296697800.vmdk 320K f333668416.vmdk 1.8G f444276128.vmdk 162M f569707128.vmdk 138M f690658152.vmdk 699M f800712912.vmdk 1.4G f960700544.vmdk
34M f1230736.vmdk 1.1G f1491984256.vmdk 12M f296721968.vmdk 2.6M f333669056.vmdk 324M f447940856.vmdk 2.3G f570036888.vmdk 62M f690938864.vmdk 1.2G f802144344.vmdk 9.2G f96304488.vmdk
320K f123655144.vmdk 796M f1494136576.vmdk 62M f296746440.vmdk 320K f333674200.vmdk 197M f448604152.vmdk 5.0G f574682696.vmdk 113M f691065200.vmdk 18G f804525080.vmdk 837M f963564768.vmdk
6.2M f123655784.vmdk 430M f1495766784.vmdk 228M f296873400.vmdk 320K f333674840.vmdk 311M f449007528.vmdk 395M f584983752.vmdk 62M f691295928.vmdk 12G f840976592.vmdk 376M f965278608.vmdk
976M f123668304.vmdk 18G f1496646656.vmdk 279M f297339552.vmdk 320K f333675480.vmdk 71M f449643384.vmdk 184M f585791816.vmdk 91M f691420984.vmdk 905M f84342104.vmdk 1.6G f966047704.vmdk
7.8G f125666464.vmdk 101G f1533757808.vmdk 3.0G f297909984.vmdk 320K f333676120.vmdk 315M f449788024.vmdk 3.1G f586168328.vmdk 2.2G f691606712.vmdk 4.9G f86194752.vmdk 1007M f969225840.vmdk
6.1M f1300184.vmdk 1.5M f1859480.vmdk 173M f303995456.vmdk 320K f333676760.vmdk 2.0G f450431104.vmdk 2.5G f592657864.vmdk 111M f696066160.vmdk 8.0G f865705936.vmdk 532M f971287752.vmdk
33M f1312552.vmdk 208K f1862520.vmdk 94M f304348504.vmdk 320K f333677400.vmdk 271M f454459640.vmdk 1.4G f597790168.vmdk 72M f696292336.vmdk 11M f882287920.vmdk 1.8G f972375480.vmdk
19M f1378896.vmdk 48M f1862936.vmdk 2.7G f304540184.vmdk 320K f333678040.vmdk 138M f455012728.vmdk 852M f600623544.vmdk 436M f696439664.vmdk 3.1M f882309808.vmdk 9.5G f976047016.vmdk
2.7G f1392788904.vmdk 21M f1960696.vmdk 536M f3049832.vmdk 320K f333678680.vmdk 485M f455293688.vmdk 1.9G f602367600.vmdk 3.2G f697330728.vmdk 730M f882316080.vmdk 8.9G f995906592.vmdk
5.5G f1398446504.vmdk 36M f2002728.vmdk 36M f30889224.vmdk 3.3G f333679320.vmdk 320K f456285552.vmdk 4.3G f606325648.vmdk 115M f703988448.vmdk 1.6G f883809400.vmdk 68K report.xml
3.4G f1409937184.vmdk 27M f2075520.vmdk 1.5M f30962392.vmdk 1.6G f340498728.vmdk 320K f456286192.vmdk 2.9G f615224208.vmdk 53M f704223464.vmdk 586M f887063656.vmdk
5.7G f1416875552.vmdk 74M f2129960.vmdk 384K f30965464.vmdk 5.3G f343656672.vmdk 3.8G f456286832.vmdk 774M f621271016.vmdk 99M f704330096.vmdk 273M f888261776.vmdk
25M f1416976.vmdk 23M f2281496.vmdk 47M f30966232.vmdk 30M f354617776.vmdk 2.0G f464141296.vmdk 3.7G f622854144.vmdk 30M f704530920.vmdk 750M f888819736.vmdk
143M f141887952.vmdk 7.2M f2327680.vmdk 5.3G f310143920.vmdk 3.3G f354678064.vmdk 30G f468313208.vmdk 228M f630530120.vmdk 11G f704591600.vmdk 1.4G f890354616.vmdk
77M f142178936.vmdk 3.7M f2342320.vmdk 385M f31061840.vmdk 369M f35774200.vmdk 3.3G f49519992.vmdk 4.0G f630995416.vmdk 55M f727120528.vmdk 871M f893167200.vmdk
6.8M f142335728.vmdk 512K f2349800.vmdk 164M f31849248.vmdk 9.4G f361435968.vmdk 834M f5108272.vmdk 289M f639304720.vmdk 4.1G f727232016.vmdk 473M f894950656.vmdk
root@kali:vmdk# ls -1 recup_dir.1 | wc -l
319
Q2: Is this ok? Should I do something in the advanced settings?
I then wrote a Python script to delete all the vmdks I can normally access by mounting the image. I used their md5 hashes to compare them.
I then tried to use the Digital Forensics Framework to find the vmdks, but it crashed a lot...
Q3: Is there any chance I will recover the vmdks?
Thanks for your help!
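Added example, not part of the original post and not the poster's script: one way to do the MD5 comparison described above, sorting carved files into those that still exist in the mounted image and those that exist only as carved data, without deleting anything. The function names and the two directory arguments (a PhotoRec output directory and a read-only mount point of the image) are assumptions.

```python
import hashlib
import os
import sys
from collections import defaultdict

CHUNK = 1024 * 1024  # read 1 MiB at a time; carved files can exceed 100 GB


def md5_of(path):
    """Stream a file through MD5 without loading it into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def files_by_size(root):
    """Map file size -> list of regular-file paths found under root."""
    sizes = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                sizes[os.path.getsize(path)].append(path)
    return sizes


def split_carved(carved_dir, mounted_dir):
    """Return (still_live, only_carved) as paths relative to carved_dir."""
    live = files_by_size(mounted_dir)
    live_hashes = {}  # size -> set of MD5s, computed only when a size matches
    still_live, only_carved = [], []
    for size, paths in sorted(files_by_size(carved_dir).items()):
        for path in sorted(paths):
            rel = os.path.relpath(path, carved_dir)
            if size in live:  # hash only when some live file has this size
                if size not in live_hashes:
                    live_hashes[size] = {md5_of(p) for p in live[size]}
                if md5_of(path) in live_hashes[size]:
                    still_live.append(rel)
                    continue
            only_carved.append(rel)
    return still_live, only_carved


if __name__ == "__main__" and len(sys.argv) == 3:
    live, lost = split_carved(sys.argv[1], sys.argv[2])
    print("still in mounted image:", live)
    print("only in carved output:", lost)
```

A carved file that PhotoRec ended at a different offset than the original will land in the second list even if the original still exists, so treat that list as candidates rather than as confirmed deleted files.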