Accessing Alternate Data Streams on VMDK Images on Linux

Keeping this for reference. I wanted to mount a VMDK disk on Linux, and be able to access its Alternate Data Streams (ADS). ADS are useful in the context of security for malware analysis and forensics purposes.

Mounting a VMDK Image With qemu Without ADS

I figured this out with these articles:

https://stackoverflow.com/questions/22327728/mounting-vmdk-disk-image/30201153

https://unix.stackexchange.com/questions/509973/mount-ext4-disk-cannot-mount-dev-sdc-read-only

sudo apt install qemu-tools
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd0 /path/to/whatever.vmdk
fdisk -l /dev/nbd0 # List partitions. You may want to mount something different than nbd0p1.
mount -o ro,noload /dev/nbd0p1 /mnt
...do work...
umount /mnt
sudo qemu-nbd -d /dev/nbd0

Accessing Alternate Data Streams

To access Alternate Data Streams and other NTFS from Linux: https://medium.com/@stdout_/accessing-ntfs-extended-attributes-from-linux-f79552947981

apt install attr
mount -t ntfs -o ro,streams_interface=windows /dev/nbd0p1 /mnt
getfattr -Rn ntfs.streams.list /mnt

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Mounting a VMDK Image With qemu Without ADS

Accessing Alternate Data Streams

Share this:

Like this:

Leave a Reply Cancel reply