Last week I explained how to access a VMFS3 datastore from Windows using the Open Source VMFS driver. This method only works with older VMFS3 datastores created with VMware ESXi 5.5 or older. I got quite a few e-mails asking me how to access VMFS5 and VMFS6 file systems. In this post, I will explain a sort of “universal” method for downloading the machine files from a datastore without booting the original machine.
VMware ESXi is a very robust product. Part of its design is that datastores are self-contained in a way that you are able to put the datastore of host A into host B and it will be recognized. This is something we are going to exploit. As an example, I have created a new datastore on an ESXi 5.5 host using VMFS5. This is the datastore that will be accessed later on.
In this example the datastore is stored on a small 16GB flash drive; in reality, you will find that the datastore is located on a large RAID array. I won’t go into details on how to image and/or rebuild a RAID array in this article. I will assume you managed to image the drives in some way and have acquired a forensically sound copy of the datastore which you want to access. VMware is going to want read/write access to the datastore, so I suggest you make an additional copy of your image to a physical drive or mount your image as a physical drive with read/write permissions.
In order to gain access to the data on the datastore without booting the original host, we need to install VMware ESXi on our own computer. You could use a real physical machine for this, but I find that the easiest way is to use a virtual machine. I highly recommend using VMware Workstation, but Oracle VM VirtualBox will also work just fine.
Install ESXi
Get yourself a free copy of VMware ESXi from the VMware website here: https://www.vmware.com/nl/products/vsphere-hypervisor.html (registration required) and install it into a virtual machine. The installation process is really straightforward: just follow the instructions on the screen. After the installation, you are able to log in to your new ESXi server using your browser. Point your browser to the address that is shown in the console of your ESXi host.
Note: If you worked with VMware ESXi before, please note that the Windows Client has been deprecated as of version 6.5. You are still able to log in to the server with the old 6.0 client, but it’s highly recommended that you use the web client.
If everything works you should be greeted by the VMware ESXi web client login screen.
Log in with the user root and the password you have selected during the installation.
If you get an “Unhandled exception” error and can’t log in, please try using another browser.
Once you are successfully logged in you are greeted with the dashboard containing information about the host. Also, note the warning that you are currently using ESXi in evaluation mode and the license will expire in 60 days. You are able to get a free license at the VMware website, but this license is actually more limited than the evaluation license.
If you go to Host > Manage > Licensing you will see that in Evaluation Mode we have access to all VMware ESXi features. I highly recommend you don’t add the free license because it will limit our options and will greatly reduce the download speed.
Now, shut down the ESXi host so that we are able to add the datastore of our other host.
Right-click on Host and select “Enter maintenance mode” and confirm with Yes. Entering maintenance mode will ensure that ESXi does not modify any files on the datastore and will enable us to shut down the host gracefully.
Now right-click on Host and select “shutdown” and confirm.
Depending on your machine the shutdown process will take a while. Please note that the console window of the ESXi host will not show any messages regarding the shutdown.
Add the datastore we want to examine
Once the machine has been shut down, we can add the datastore. If you are using a physical machine you can simply connect the drive to your machine. If you are using a virtual machine, edit the machine and add the drive there.
In VMware Workstation you edit the virtual machine, choose Add > Hard Disk > defaults (SCSI) > Use a physical disk (for advanced users) > Select the correct device > Default file name > Finish.
Now, power on the host again and let it boot. Once it’s done you log back into the web client.
Now choose “Storage” in the Navigator. In the Datastores pane, you will see that the datastore of the old machine has appeared. Because every datastore is self-contained the new host will recognize the datastore and add it automatically.
Click on the datastore for some additional details regarding the datastore, including the UUID, the unique ID identifying this volume. Don’t be alarmed by the number of Virtual Machines: this number only indicates the number of virtual machines stored on this datastore by the current host and will be 0.
Access the datastore
With the Datastore browser, we are able to explore the datastore and its contents. Right-click the datastore and choose “Browse”.
The datastore browser has 3 columns (from left to right):
- Datastore
- Folders
- Files
By default VMware ESXi stores its virtual machines in a folder with the name of the machine. The folder will contain several files, including these 4:
- VMXF: A supplemental configuration file for VMs that are in a team.
- VMX: The main configuration file; this will contain a lot of information about the virtual machine.
- VMSD: This is a centralized file for storing information and metadata about snapshots.
- VMDK: This is a virtual disk file, which stores the contents of the virtual machine’s hard disk drive.
Large hard drives will be split into multiple smaller files, so you will want to download all the files in the VM folder. To download a file, simply select a file (not folder) and click the “Download” button.
Once downloaded you have the original machine files. These files can also be booted in VMware Workstation, and with some tweaks, you will be able to run the vmdk file within Oracle VM VirtualBox as well.
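Because a virtual disk can span several files, it is worth checking the download for completeness before analysis. The following is an added example, not part of the original post: it reads each small text VMDK descriptor in a downloaded VM folder, reports extent or snapshot-parent files the descriptor names but the folder lacks, and records a SHA-256 for every file present. It assumes the descriptors are the plain-text files that sit next to the data extents; the `web01` file names are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Descriptor lines that name another file: an extent line
# (access, size in 512-byte sectors, type, "file") or a snapshot parent hint.
REF_RE = re.compile(r'^(?:(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+'
                    r'|parentFileNameHint\s*=\s*)"([^"]+)"')

def referenced_files(vmdk: Path) -> list:
    """Base names of the extents and snapshot parent a text descriptor points to."""
    with vmdk.open("rb") as fh:
        head = fh.read(65536)  # descriptors are small; never slurp a data extent
    if not head.startswith(b"# Disk DescriptorFile"):
        return []              # binary data extent, not a descriptor
    lines = head.decode("utf-8", "replace").splitlines()
    hits = (REF_RE.match(line.strip()) for line in lines)
    return [m.group(1).rsplit("/", 1)[-1] for m in hits if m]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_vm_folder(folder: Path) -> dict:
    """List files a descriptor names but the folder lacks; hash every file present."""
    missing = [(v.name, n) for v in sorted(folder.glob("*.vmdk"))
               for n in referenced_files(v) if not (folder / n).is_file()]
    hashes = {p.name: sha256_file(p) for p in sorted(folder.iterdir()) if p.is_file()}
    return {"missing": missing, "sha256": hashes}

def demo() -> dict:
    """Constructed sample folder: the snapshot's delta extent was not downloaded."""
    head = '# Disk DescriptorFile\nversion=1\n'
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "web01.vmdk").write_text(head + 'RW 2048 VMFS "web01-flat.vmdk"\n')
        (d / "web01-flat.vmdk").write_bytes(b"\x00" * 512)
        (d / "web01-000001.vmdk").write_text(
            head + 'parentFileNameHint="web01.vmdk"\n'
            'RW 2048 VMFSSPARSE "web01-000001-delta.vmdk"\n')
        return audit_vm_folder(d)

if __name__ == "__main__":
    print(demo())
```

To use it on a real download, call `audit_vm_folder(Path(...))` on the folder holding the downloaded files and keep the returned hashes with your case notes.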