Hey Guys
I'm trying to recover a VMware virtual machine that I accidentally deleted from within VMware Workstation on Windows 7.
The VM I'm trying to recover was running Windows 7 x64, encrypted with TrueCrypt.
There were two vmdks. I'm not sure, but I think one was 100 GB and one was 50 GB (or maybe 150 GB).
I'm on Kali Linux right now.
I already made an image of the partition the vm was on with dd:
Code:
dd if=/dev/sdc3 of=img.dd conv=noerror
Code:
root@kali:/# ls -l -h img.dd
-rw------- 1 root root 832G Mar 30 13:31 img.dd
Code:
Disk /dev/sdc: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x7dd47cdd
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *        2048      206847      102400    7  HPFS/NTFS/exFAT
/dev/sdc2          206848   209717247   104755200    7  HPFS/NTFS/exFAT
/dev/sdc3       209717248  1953519615   871901184    7  HPFS/NTFS/exFAT
The md5 hashes match:
Code:
2aa926de57834f395bcb6ff075cf03c8 /dev/sdc3
2aa926de57834f395bcb6ff075cf03c8 img.dd
Q1: Is this ok? Did I get all data there is? Can I boot and use the disk without hesitation of needing it later?
Then I used Photorec to extract the vmdks:
Code:
Disk img.dd - 892 GB / 831 GiB (RO)
Partition Start End Size in sectors
Unknown 0 0 1 922646 101 14 1743802368 [Whole disk]
> P NTFS 0 0 1 922646 101 14 1743802368 [Data]
Code:
To recover lost files, PhotoRec need to know the filesystem type where the
file were stored:
[ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other ] FAT/NTFS/HFS+/ReiserFS/...
Code:
Please choose if all space need to be analysed:
[ Free ] Scan for file from NTFS unallocated space only
>[ Whole ] Extract files from whole partition
Code:
root@kali:vmdk# ls -s -h recup_dir.1
total 832G
27M f0334696.vmdk 55G f142349624.vmdk 342M f2350824.vmdk ...
root@kali:vmdk# ls -1 recup_dir.1 | wc -l
319
Q2: Is this ok? Should I do something in the advanced setting?
I then wrote a Python script to delete all the vmdks I can normally access by mounting the image.
I used their md5 hashes to compare them.
I then tried to use the Digital Forensics Framework to find the vmdks,
but it crashed a lot...
Q3: Is there any chance I will recover the vmdks?
Thanks for your help!
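The deduplication step described in the post (dropping carved .vmdk files that are still reachable on the mounted image, compared by MD5), as an added example that is not the poster's own script. The function names and the paths `recup_dir.1` and `/mnt/img` are assumptions, and the code only lists the matches so they can be reviewed before anything is deleted.

```python
import hashlib
import os
from collections import defaultdict

CHUNK = 1024 * 1024  # read 1 MiB at a time; carved files can be tens of GB


def md5_of(path):
    """MD5 of a file's content, streamed so large files never sit in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def walk_files(root):
    """Yield every regular file under root, skipping symlinks."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                yield path


def find_known_duplicates(carved_dir, mounted_dir, suffix=".vmdk"):
    """Return carved files whose content equals a file on the mounted image."""
    # Group carved candidates by size: a cheap filter before any hashing.
    carved_by_size = defaultdict(list)
    for path in walk_files(carved_dir):
        if path.lower().endswith(suffix):
            carved_by_size[os.path.getsize(path)].append(path)

    # Hash only those mounted files whose size matches a carved file.
    known = defaultdict(set)
    for path in walk_files(mounted_dir):
        size = os.path.getsize(path)
        if size in carved_by_size:
            known[size].add(md5_of(path))

    duplicates = []
    for size, paths in carved_by_size.items():
        if size in known:
            duplicates += [p for p in paths if md5_of(p) in known[size]]
    return sorted(duplicates)


if __name__ == "__main__":
    # Assumed paths: PhotoRec output and a read-only mount of img.dd.
    for dup in find_known_duplicates("recup_dir.1", "/mnt/img"):
        print(dup)
```

Whatever remains in the PhotoRec output after these matches are set aside is the candidate set for the deleted disks.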