version v0.22.0

README.md

@@ -8,6 +8,7 @@ Forensic Artifacts Collecting Toolkit.
 ## Tools
 - [fmount](docs/fmount.md)
 - [fmount.dd](docs/fmount.dd.md)
+- [fmount.vmdk](docs/fmount.vmdk.md)
 - [fkey](docs/fkey.md)
 - [ffind](docs/ffind.md)
 - [flog](docs/flog.md)

ROADMAP.md

@@ -2,7 +2,7 @@
 
 ## FMount
 - [x] Support for [BitLocker](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/) partitions
-- [ ] Support for [VMDK](https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc) images
+- [x] Support for [VMDK](https://github.com/libyal/libvmdk/blob/main/documentation/VMWare%20Virtual%20Disk%20Format%20(VMDK).asciidoc) images
 
 
 ## FFind

cmd/fmount.vmdk/main.go

@@ -0,0 +1,127 @@
+// Mount forensic VMDK disk images for read-only processing.
+//
+// Usage:
+//
+//	fmount.vmdk [-fsuzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE
+//
+// The flags are:
+//
+//	 -D directory
+//		The mount point directory.
+//	 -B key
+//	 	The BitLocker key.
+//	 -H algorithm
+//	 	The hash algorithm to use.
+//	 -V sum
+//	 	The hash sum to verify.
+//	 -f
+//		Force type (bypass check).
+//	 -s
+//		System partition only.
+//	 -u
+//		Unmount image.
+//	 -z
+//		Unzip image.
+//	 -q
+//		Quiet mode.
+//	 -h
+//		Show usage.
+//	 -v
+//		Show version.
+//
+// The arguments are:
+//
+//	 image
+//		The disk images filename.
+package main
+
+import (
+	"flag"
+	"io"
+
+	"github.com/cuhsat/fact/internal/fact"
+	"github.com/cuhsat/fact/internal/sys"
+	"github.com/cuhsat/fact/pkg/fmount"
+	"github.com/cuhsat/fact/pkg/fmount/vmdk"
+)
+
+func main() {
+	D := flag.String("D", "", "Mount point")
+	B := flag.String("B", "", "BitLocker key")
+	H := flag.String("H", "", "Hash algorithm")
+	V := flag.String("V", "", "Hash sum")
+	f := flag.Bool("f", false, "Force mounting")
+	s := flag.Bool("s", false, "System partition only")
+	u := flag.Bool("u", false, "Unmount image")
+	z := flag.Bool("z", false, "Unzip image")
+	q := flag.Bool("q", false, "Quiet mode")
+	h := flag.Bool("h", false, "Show usage")
+	v := flag.Bool("v", false, "Show version")
+
+	flag.CommandLine.SetOutput(io.Discard)
+	flag.Parse()
+
+	img := sys.Arg()
+
+	if *v {
+		sys.Final("fmount.vmdk", fact.Version)
+	}
+
+	if *h || len(img) == 0 {
+		sys.Usage("fmount.vmdk [-fsuzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE")
+	}
+
+	if *q {
+		sys.Progress = nil
+	}
+
+	if *z {
+		ex, err := fmount.Extract(img)
+
+		if err != nil {
+			sys.Fatal(err)
+		} else {
+			img = ex
+		}
+	}
+
+	if (len(*H) == 0) != (len(*V) == 0) {
+		sys.Fatal("hash algorithm and sum are required")
+	}
+
+	if len(*H) > 0 && len(*V) > 0 {
+		ok, err := fmount.Verify(img, *H, *V)
+
+		if err != nil {
+			sys.Fatal(err)
+		}
+
+		if !ok {
+			sys.Fatal("hash sum does not match")
+		}
+	}
+
+	if !*f {
+		is, err := vmdk.Is(img)
+
+		if err != nil {
+			sys.Fatal(err)
+		}
+
+		if !is {
+			sys.Fatal("image type not supported")
+		}
+	}
+
+	var err error
+
+	if *u {
+		err = vmdk.Unmount(img)
+	} else {
+		_, err = vmdk.Mount(img, *D, *B, *s)
+	}
+
+	if err != nil {
+		sys.Fatal(err)
+	}
+}

cmd/fmount/main.go

@@ -2,7 +2,7 @@
 //
 // Usage:
 //
-//	fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD] [-D DIR] IMAGE
+//	fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD|VMDK] [-D DIR] IMAGE
 //
 // The flags are:
 //
@@ -43,6 +43,7 @@ import (
 	"github.com/cuhsat/fact/internal/sys"
 	"github.com/cuhsat/fact/pkg/fmount"
 	"github.com/cuhsat/fact/pkg/fmount/dd"
+	"github.com/cuhsat/fact/pkg/fmount/vmdk"
 )
 
 func main() {
@@ -68,7 +69,7 @@ func main() {
 	}
 
 	if *h || len(img) == 0 {
-		sys.Usage("fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD] [-D DIR] IMAGE")
+		sys.Usage("fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD|VMDK] [-D DIR] IMAGE")
 	}
 
 	it, err := fmount.DetectType(img, *T)
@@ -114,6 +115,8 @@ func main() {
 	args = append(args, img)
 
 	switch it {
+	case vmdk.VMDK:
+		fmount.Forward("fmount.vmdk", args...)
 	case dd.RAW, dd.DD:
 		fmount.Forward("fmount.dd", args...)
 	default:

docs/fmount.md

@@ -2,7 +2,7 @@
 Mount forensic disk images for read-only processing.
 
 ```sh
-# fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD] [-D DIR] IMAGE
+# fmount [-suzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-T RAW|DD|VMDK] [-D DIR] IMAGE
 ```
 
 Available options:
@@ -21,6 +21,7 @@ Available options:
 
 Supported disk formats:
 
+- [VMDK](https://forensics.wiki/vmware_virtual_disk_format_%28vmdk%29/)
 - [DD (Raw)](https://forensics.wiki/raw_image_format/)
 
 ---

docs/fmount.vmdk.md

@@ -0,0 +1,31 @@
+# fmount.vmdk
+Mount forensic [VMDK](https://forensics.wiki/vmware_virtual_disk_format_%28vmdk%29/) disk images for read-only processing.
+
+```sh
+# fmount.vmdk [-fsuzqhv] [-H CRC32|MD5|SHA1|SHA256] [-V SUM] [-B KEY] [-D DIR] IMAGE
+```
+
+Available options:
+
+- `-D` Mount point
+- `-B` BitLocker key
+- `-H` Hash algorithm
+- `-V` Verify hash sum
+- `-f` Force type
+- `-s` System partition only
+- `-u` Unmount image
+- `-z` Unzip image
+- `-q` Quiet mode
+- `-h` Show usage
+- `-v` Show version
+
+Required system commands:
+
+- [dislocker](https://github.com/Aorimn/dislocker)
+- [qemu-nbd](https://www.qemu.org/docs/master/tools/qemu-nbd.html)
+- [lsblk](https://man7.org/linux/man-pages/man8/lsblk.8.html)
+- [mount](https://man7.org/linux/man-pages/man8/mount.8.html)
+- [umount](https://man7.org/linux/man-pages/man8/umount.8.html)
+
+---
+Part of the [Forensic Artifacts Collecting Toolkit](../README.md).