Now you have a .vmdk file and an Ubuntu machine, but how to actually do something useful with this?
This guide is the second part of the GKE forensics series. It assumes that you have taken a snapshot of a GKE node and downloaded the result as a .vmdk file.
This article only explains how to mount the .vmdk file so that it can be analysed; the next article explains how to analyse it and extract insights from it.
The .vmdk (Virtual Machine Disk) file is an image that contains metadata and virtual hard drives that can be used with virtual machines. The format was created by VMware and is mostly used by their hypervisors to store the data of a running virtual machine.
We could use VMware (or another hypervisor) to read the file, but there is an easier way out.
We can simply extract the files with 7zip. This will "extract" all the files that the vmdk file is composed of.
There are two important 7zip commands for this.
7z l gke-forensics.vmdk
This command (l = list) lists all the metadata files and hard drives contained in the image.
<Add output of files>
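The listing and extraction described above, wrapped in a small script so that the image's hash is recorded before and after and the extracted components are left read-only. This is an added example, not code from the original article; it assumes p7zip-full is installed on the Ubuntu machine (sudo apt install p7zip-full), and the file name gke-forensics.vmdk is the one used in the article.

```shell
#!/bin/sh
# Added example (not from the original article): list and extract a .vmdk
# with p7zip on Ubuntu while keeping an integrity record of the evidence.
# Assumes p7zip-full is installed; the image name comes from the article.
set -u

# Fail with a message if a required tool is not on PATH.
require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Derive the extraction directory from the image name: foo.vmdk -> foo.extracted
vmdk_extract_dir() {
    base="${1##*/}"
    printf '%s\n' "${base%.vmdk}.extracted"
}

# Print the SHA-256 of the image so later steps can be shown not to have
# altered the original file (hash before and after working on it).
vmdk_hash() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    sha256sum "$1" | awk '{print $1}'
}

# List the descriptor and extent files inside the image (7z l = list).
vmdk_list() {
    require_tool 7z || return 1
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    7z l "$1"
}

# Extract the components into a dedicated directory (7z x = extract with
# paths, -o sets the output directory) and make everything read-only.
vmdk_extract() {
    img="$1"
    require_tool 7z || return 1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    out="$(vmdk_extract_dir "$img")"
    mkdir -p "$out"
    7z x -o"$out" "$img" >/dev/null || return 1
    chmod -R a-w "$out"
    printf '%s\n' "$out"
}

# Full procedure: hash, list, extract, re-hash, show the result.
main() {
    img="$1"
    echo "sha256 before: $(vmdk_hash "$img")" | tee "$img.sha256.txt"
    vmdk_list "$img"
    dir="$(vmdk_extract "$img")"
    echo "sha256 after:  $(vmdk_hash "$img")"
    ls -l "$dir"
}

# Only run the procedure when an image path is given on the command line.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as sh extract_vmdk.sh gke-forensics.vmdk. The before/after hashes should match; the listing shows which descriptor and extent files you will be mounting in the next step.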