I can't seem to find any info about this. What is a Hyper-V differential AVHDX file format internally like, for the purpose of forensic recovery?

That is: Is it just straight blocks, like dd would output, but with point-in-time metadata in between or in a header? Or is the main data transcoded in some way? Or kept in a known internal fs like NTFS or exFAT? What should I tell TestDisk if I want to open an AVHDX directly, without the rest of its chain?

The original role was a Generation 1 VM.

Kev

1 Answer

According to the spec,

The VHDX file begins with a fixed-sized header section. After this, non-overlapping objects and free space are intermixed freely in no particular order; the only restriction being that all objects have 1 MB alignment within the file. The objects currently defined include the BAT region (also referred to as BAT), the metadata region, header, log, payload blocks and sector bitmap blocks.

But this applies to AVHDX as well:

VHDX is designed to support 3 types of virtual hard disks; fixed, dynamic and differencing. The logical and physical layout is similar for all 3 types...

However, I don't know enough to know from the rest of the document whether this resembles NTFS or FAT or ReFS or what.

That said, some data is recoverable from a lone AVHDX file with PhotoRec rather than TestDisk (they are bundled together) in GUI mode but also in Expert mode with the CLI version with a 4096 block size or even a 512 block size.

Kev
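Added example, not part of the post or of the quoted MS-VHDX text: a Python parser for the fixed header section the spec passage describes. It checks the `vhdxfile` signature, picks the live one of the two CRC-32C-protected header copies by sequence number, and walks the region table to find the BAT and metadata regions while enforcing the 1 MB alignment rule. Offsets, signatures and region GUIDs are taken from the MS-VHDX specification; the input image is constructed inline and is not a real AVHDX.

```python
import struct, uuid

MB = 1 << 20
BAT_GUID = uuid.UUID("2DC27766-F623-4200-9D64-115E9BFD4A08")       # MS-VHDX BAT region
METADATA_GUID = uuid.UUID("8B7CA206-4790-4B9A-B8FE-575F050F886E")  # MS-VHDX metadata region

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF  # CRC-32C (Castagnoli), as stored in VHDX headers and region tables
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def checksum_ok(block: bytes) -> bool:  # the CRC at bytes 4..7 is computed with that field zeroed
    return crc32c(block[:4] + bytes(4) + block[8:]) == struct.unpack_from("<I", block, 4)[0]

def parse_vhdx_layout(img: bytes) -> dict:
    if img[:8] != b"vhdxfile":
        raise ValueError("not a VHDX/AVHDX container")
    # Two 4 KB header copies at 64 KB and 128 KB: the valid copy with the higher SequenceNumber
    # is live, the other may be a torn write. max() raises ValueError if neither validates.
    seq, hdr_off = max((struct.unpack_from("<Q", img, o + 8)[0], o) for o in (64 * 1024, 128 * 1024)
                       if img[o:o + 4] == b"head" and checksum_ok(img[o:o + 4096]))
    # 64 KB region table at 192 KB (copy at 256 KB): EntryCount at byte 8, then 32-byte entries.
    rt = img[192 * 1024:256 * 1024]
    if rt[:4] != b"regi" or not checksum_ok(rt):
        raise ValueError("region table at 192 KB is missing or corrupt")
    regions = {}
    for i in range(struct.unpack_from("<I", rt, 8)[0]):  # entry: GUID, FileOffset, Length, Required
        guid, foff, length, req = struct.unpack_from("<16sQII", rt, 16 + 32 * i)
        if foff % MB or foff + length > len(img):  # spec: every object sits on a 1 MB boundary
            raise ValueError(f"region {i} at {foff:#x} misaligned or past end of file")
        regions[uuid.UUID(bytes_le=guid)] = (foff, length, bool(req & 1))
    return {"header_seq": seq, "header_off": hdr_off,
            "bat": regions.get(BAT_GUID), "metadata": regions.get(METADATA_GUID)}

def build_sample_image() -> bytes:
    # Constructed 4 MB demo layout, not a real AVHDX: two headers, one region table, metadata at 2 MB, BAT at 3 MB.
    img = bytearray(4 * MB)
    img[0:8] = b"vhdxfile"
    for off, seq in ((64 * 1024, 5), (128 * 1024, 6)):  # second header copy is the newer one
        struct.pack_into("<4sIQ", img, off, b"head", 0, seq)
        struct.pack_into("<I", img, off + 4, crc32c(bytes(img[off:off + 4096])))
    rt = 192 * 1024
    struct.pack_into("<4sII", img, rt, b"regi", 0, 2)
    struct.pack_into("<16sQII", img, rt + 16, BAT_GUID.bytes_le, 3 * MB, MB, 1)
    struct.pack_into("<16sQII", img, rt + 48, METADATA_GUID.bytes_le, 2 * MB, MB, 1)
    struct.pack_into("<I", img, rt + 4, crc32c(bytes(img[rt:rt + 64 * 1024])))
    return bytes(img)
```

Because the spec gives a differencing disk the same layout, the same parse runs unchanged on a lone AVHDX; a damaged header copy is skipped in favour of the older valid one rather than trusted.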