VMDK Direct Access with VMWare Workstation – Hash Analysis

Previous posts outlined some of the benefits of using VMWare Workstation or other virtualization technology to host not only forensic analysis workstations but also other workstations used for test and validation. One of the advantages of VMWare Workstation is that the host workstation can share a folder with guest workstations in read-only mode.

This feature is especially appealing as a way for a virtual forensic analysis workstation to directly access and analyze the VMDK files of virtual test and validation workstations.

To verify that the VMDK file was not modified while using the read-only option for shared folders in VMWare Workstation, I calculated the hash value of the VMDK file via multiple access methods and with multiple tools. The results are shown below.

VMDK hash calculated on host workstation utilizing FTK Imager
  MD5 Hash  bfb503521568e8ba21adbc34e862beb9
  SHA1 Hash 0b13b2ca4adb6e253e6e24c6d18572ca71bf9a07

VMDK hash calculated on host workstation utilizing Microsoft FCIV
  MD5 Hash  7a79e8b8776b404d5a353354b512236e
  SHA1 Hash b3b37aafdd6bf0b27d5ecda92574befdfd59c4f8

VMDK hash calculated on host workstation utilizing NirSoft HashMyFiles v 2.20
  MD5 Hash  7a79e8b8776b404d5a353354b512236e
  SHA1 Hash b3b37aafdd6bf0b27d5ecda92574befdfd59c4f8

VMDK hash calculated on Forensic Workstation VM (shared folder) utilizing FTK Imager
  MD5 Hash  bfb503521568e8ba21adbc34e862beb9
  SHA1 Hash 0b13b2ca4adb6e253e6e24c6d18572ca71bf9a07

VMDK hash calculated on Forensic Workstation VM (shared folder) utilizing Microsoft FCIV
  MD5 Hash  7a79e8b8776b404d5a353354b512236e
  SHA1 Hash b3b37aafdd6bf0b27d5ecda92574befdfd59c4f8

VMDK hash calculated on Forensic Workstation VM (shared folder) utilizing NirSoft HashMyFiles v 2.20
  MD5 Hash  7a79e8b8776b404d5a353354b512236e
  SHA1 Hash b3b37aafdd6bf0b27d5ecda92574befdfd59c4f

The hash values indicate that accessing the VMDK file via the shared folder does not change it. The hash values were calculated on the host workstation before the VMDK was accessed via the shared folder on the virtual forensic analysis VM, again from within the analysis VM, and recalculated on the host workstation after the VMDK file had been analyzed on the analysis VM. The hash values remained consistent across all three calculations.

It is important to note that the hash values calculated by FTK Imager differ from those calculated by the other programs. The difference lies in how the programs view the VMDK file. FTK Imager is capable of reading and analyzing the VMDK file like any other forensic image, so its hash value is that of the disk contents within the VMDK file and not of the file itself.

The other programs, Microsoft FCIV and NirSoft HashMyFiles, as well as DCFLDD in Linux, calculate the hash value of the VMDK as an individual file and not of its contents as a forensic image.

Although the hash values vary between FTK Imager and the other programs, the values produced by each program are identical whether they were calculated on the host workstation or via the shared folder, indicating that the VMDK files are unchanged.

The calculated hash values indicate that accessing the VMDK file via a read-only shared folder is acceptable for conducting forensic analysis of test and validation workstations, and that this analysis can take place without the need to create a separate forensic image each time the workstation is examined.
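The before/after check described above, as an added example that is not part of the original post: it hashes the VMDK the way FCIV and HashMyFiles do (the file as a file, not the disk contents FTK Imager sees), compares the host baseline with a later run case-insensitively, and flags a digest of the wrong length as a mismatch rather than a match. The function and file names are assumptions; the sample file it hashes is constructed.

```python
import hashlib
import os
import tempfile

# Expected hex length per algorithm; a 39-character SHA1 is a transcription error.
HEX_LEN = {"md5": 32, "sha1": 40}


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Stream the file through each digest so a multi-GB VMDK never loads into RAM.
    This hashes the file as a file (like FCIV/HashMyFiles), not its disk contents."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize_digest(algorithm, value):
    """Lower-case the hex (tools print it in either case); return None if malformed."""
    v = value.strip().lower()
    if len(v) != HEX_LEN[algorithm] or not all(c in "0123456789abcdef" for c in v):
        return None
    return v


def compare_runs(before, after):
    """Return the algorithms whose digests differ (or are malformed) between two runs."""
    mismatches = []
    for alg in before:
        a = normalize_digest(alg, before[alg])
        b = normalize_digest(alg, after.get(alg, ""))
        if a is None or b is None or a != b:
            mismatches.append(alg)
    return mismatches


def verify_unchanged(path, baseline):
    """Re-hash path (e.g. on the host after the VM examined it) against the baseline."""
    return compare_runs(baseline, hash_file(path, tuple(baseline)))


if __name__ == "__main__":
    # Constructed stand-in for a VMDK: 3 MiB of random bytes in a temporary file.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".vmdk") as tmp:
        tmp.write(os.urandom(3 * 1024 * 1024))
        path = tmp.name
    baseline = hash_file(path)
    print("baseline:", baseline)
    print("mismatches after re-read:", verify_unchanged(path, baseline))
    os.remove(path)
```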