virtualbox - Extracting blocks from a corrupt VDI snapshot in logical order

06
2014-04
  • nerochiaro

    I have a VirtualBox VM on a hard disk that failed. The only thing I could recover from the disk was a snapshot of the dynamic VDI disk used by the VM, and I could only recover the first half of the file. It still contains the VDI header, the VDI block map, and a good amount of blocks.

    I am only interested in recovering a few files, and since I was working on them before the failure, and they were smaller than the VDI block size (1Mb), I suspect the data for them is present in the snapshot. I can in fact grep for it and find pieces of it, but the blocks in the snapshot are not ordered in logical order.

    But since it's not a full VDI file, tools like virtualbox-fuse or libguestfs refuse to work with it, so I have to write my own forensic script.

    What I don't understand is how the VDI block map works and how to write a script that will extract the blocks that are still present in the part of the VDI I have and rewrite them in logical order (perhaps filling the unallocated or missing space with an easily recognizable byte pattern).
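
A sketch of the kind of script the question asks for, added here as an example and not part of the original post. It assumes the version 1.1 VDI header layout (block map offset at 0x154, data offset at 0x158, block size at 0x178, extra bytes per block at 0x17C, block count at 0x180) and a block map of little-endian 32-bit entries, one per logical block; `reorder_vdi`, `build_sample` and the filler patterns are names made up for this example.

```python
import struct

VDI_SIGNATURE = 0xBEDA107F
FREE, ZERO = 0xFFFFFFFF, 0xFFFFFFFE  # block-map markers: unallocated / all zero

def _fill(pattern, n):
    """Repeat pattern until it is exactly n bytes long."""
    return (pattern * (n // len(pattern) + 1))[:n]

def reorder_vdi(src, dst, unalloc=b"UNALLOC!", missing=b"MISSING!"):
    """Copy the blocks of a (possibly truncated) VDI from src to dst in
    logical order and return one status string per logical block."""
    src.seek(0x40)
    if struct.unpack("<I", src.read(4))[0] != VDI_SIGNATURE:
        raise ValueError("VDI signature not found at offset 0x40")
    src.seek(0x154)  # assumed v1.1 header layout
    off_blocks, off_data = struct.unpack("<II", src.read(8))
    src.seek(0x178)
    cb_block, cb_extra, n_blocks = struct.unpack("<III", src.read(12))
    src.seek(off_blocks)
    raw_map = src.read(4 * n_blocks)
    if len(raw_map) != 4 * n_blocks:
        raise ValueError("block map is truncated")
    status = []
    for phys in struct.unpack("<%dI" % n_blocks, raw_map):
        if phys == FREE:  # not stored here; a snapshot defers to its parent
            dst.write(_fill(unalloc, cb_block))
            status.append("unallocated")
        elif phys == ZERO:
            dst.write(bytes(cb_block))
            status.append("zero")
        else:  # map entry = index of the block inside the data area
            src.seek(off_data + phys * (cb_block + cb_extra) + cb_extra)
            data = src.read(cb_block)  # short or empty past the cut-off
            dst.write(data + _fill(missing, cb_block)[len(data):])
            status.append("ok" if len(data) == cb_block
                          else "partial" if data else "missing")
    return status

def build_sample(block=16):
    """Constructed miniature image (not real data), cut off mid-block."""
    hdr = bytearray(0x200)
    struct.pack_into("<I", hdr, 0x40, VDI_SIGNATURE)
    struct.pack_into("<II", hdr, 0x154, 0x200, 0x220)  # offBlocks, offData
    struct.pack_into("<III", hdr, 0x178, block, 0, 6)  # cbBlock, extra, cBlocks
    bmap = struct.pack("<6I", 1, FREE, 0, ZERO, 2, 3).ljust(0x20, b"\0")
    data = b"B" * block + b"A" * block + b"C" * (block // 2)
    return bytes(hdr) + bmap + data
```

For a recovered file, pass objects opened with `open(path, "rb")` and `open(out, "wb")`; work on a copy of the recovered fragment, and use the returned status list to see which logical blocks survived the truncation.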

  • Answers

    Related Question

    virtualization - Is there a way to exclude a specific drive vdi from "snapshots" in VirtualBox?
  • Graza

    ...or is there another space-efficient way of dealing with the page/swap file of the Guest O/S?

    I've realised that it's quite possible/likely that one of the things which "bloats" the snapshot/diff vdi's when a snapshot is taken is the guest operating system's pagefile.

    For example, say I have a 2Gb swap-file in a Windows guest OS, and over the course of a few weeks the usage of the swap file has gone over 1Gb a couple of times.

    When I next create a snapshot, it seems likely that I'd be almost guaranteed around 1Gb of space taken up in the new differencing disk just because of changes in the swap file. Obviously (provided I never did "live" snapshots on running or paused machines, and only ever did them when the machine was shut down), I would not need any of the information in the swap file to be saved. So this would simply be a waste of 1Gb.

    I'm wondering if there's a way to attach a vdi to a VM and flag it as "exclude from snapshots" - which would mean I could put the swap file on a different vdi which would never be included in a snapshot.

    Or if anyone has any other suggestions. Or an explanation about why it might not be an issue.

    I could obviously delete and recreate a swap drive vdi every time I did a snapshot to achieve the same effect, but this is a little more effort than simply clicking "create snapshot"....


  • Related Answers
  • bryan

    You could delete the swap on shutdown of the guest windows - http://support.microsoft.com/?kbid=314834