Acquiring evidence from VMware ESXi datastores
When acquiring evidence from ESXi environments, you can encounter different types of datastores on which the VMs live:
- Internal datastore
- External iSCSI datastore
- External NFS datastore
Types of datastores
Internal datastore
This type of datastore is only accessible on the ESXi server itself. To access it externally, first enable remote SSH access on the ESXi server. With SSH access in place, you can mount the internal datastore read-only with SSHFS (you might have to install it first):
sshfs -o ro root@192.168.1.140:/vmfs/volumes/datastore1/ /mnt/bla
External iSCSI datastore
To access an external iSCSI datastore you need two things: the software to connect to an iSCSI LUN, and a driver to read VMFS, the proprietary clustered filesystem used on the datastore.
You can download the driver from GitHub or install the vmfs-tools package. Be aware that there are many issues with this driver, so look at the forks for specific fixes (like a file size limit): https://github.com/glandium/vmfs-tools/
Use the following commands to discover and connect to the iSCSI datastore:
iscsiadm -m discovery -t st -p 10.0.0.10
10.0.0.10:3260,1 iqn.2000-01.com.synology:BLA.Target-1.36269ff374
iscsiadm -m node --target "iqn.2000-01.com.synology:BLA.Target-1.36269ff374" --portal 10.0.0.10:3260 -l
Logging in to iface: default, target: iqn.2000-01.com.synology:BLA.Target-1.36269ff374, portal: 10.0.0.10,3260
Login to [iface: default, target: iqn.2000-01.com.synology:BLA.Target-1.36269ff374, portal: 10.0.0.10,3260] successful.
The iSCSI datastore is now attached as a disk. Use “dmesg” or “lsblk” to see which device now represents the datastore (e.g. /dev/sdb).
You can now mount the volume with vmfs-fuse (note that the driver only supports read-only access):
vmfs-fuse /dev/sdb1 /mnt/bla
External NFS datastore
Mounting an NFS datastore is no different from mounting any other NFS share; there is no VMFS to deal with.
To mount an NFS share, do the following (you might have to install the NFS client utilities first):
mount -t nfs -o ro,proto=tcp,port=2049 10.0.0.10:/volume1/vmNFS /mnt/bla
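Once one of the datastores above is mounted, the copy itself can be scripted. The following is an added example, not part of the original post: it refuses to proceed unless the mount table lists the mount point as "ro", then copies one VM directory and verifies every copy against SHA-256 hashes taken from the source. The function names, script arguments and output layout are assumptions; the check is deliberately strict, so a mount that does not list "ro" is refused even if its driver cannot write.

```bash
#!/usr/bin/env bash
# Added example, not from the original page; function names are hypothetical.
# Assumes a Linux host with awk, find, sort, xargs and sha256sum.

# is_readonly_mount MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if the mount table lists MOUNTPOINT with the "ro" option.
# The last matching entry wins, since it is the mount currently on top.
# Mount points containing spaces (\040 in the table) are not handled.
is_readonly_mount() {
    local mp="${1%/}" table="${2:-/proc/mounts}"
    [ -n "$mp" ] || mp=/
    awk -v mp="$mp" '
        $2 == mp {
            found = 1; ro = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        }
        END { exit !(found && ro) }' "$table"
}

# acquire_vm SRC_DIR DEST_DIR
# Hashes every file under SRC_DIR into DEST_DIR/sha256.manifest, copies the
# tree to DEST_DIR/files, then verifies the copies against the manifest.
# The per-file result is kept in DEST_DIR/verify.log.
acquire_vm() {
    local src="${1%/}" dest
    mkdir -p "$2/files" || return 1
    dest=$(cd "$2" && pwd) || return 1
    # Relative paths keep the manifest valid wherever the copy is stored.
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$dest/sha256.manifest" || return 1
    cp -a "$src/." "$dest/files/" || return 1
    ( cd "$dest/files" && sha256sum -c "$dest/sha256.manifest" ) > "$dest/verify.log"
}

# Runs only when called as: acquire.sh MOUNTPOINT VM_DIR DEST_DIR
if [ "$#" -eq 3 ]; then
    is_readonly_mount "$1" \
        || { echo "refusing: $1 is not mounted read-only" >&2; exit 1; }
    acquire_vm "${1%/}/$2" "$3" \
        || { echo "acquisition or verification failed" >&2; exit 1; }
    echo "verified copy in $3/files"
fi
```
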