vfae

VMDK Forensic Artifact Extractor (VFAE) is windows based tool written in C++ that extracts files with a known location from VMDK images running the Windows operating system. The tool utilizes the VDDK (Virtual Disk Development Kit) API for the heavy lifting such as mounting, opening, and reading the VMDK selected. When vfae.exe is executed, it copies out files from an off-line VMDK file. The application allows the user to conduct a quick triage of the Windows directory structure by outputing the results to a specific output file (vfae_output_<localtime>.txt. Additionally, it conducts a MD5 hash value of the VMDK itself if needed. For specific file searching purposes, it searches for any filetype within the off-line VMDK based on a passed in argument via the command-line. Furthermore, you can extract those file that were found in a hard-coded "Extracted Files" directory as well as provide the MD5 hash of each file that was extracted.