Notifications
Clear all

VMWare/Live View

10 Posts
8 Users
0 Likes
309 Views
Nige
 Nige
(@nige)
Posts: 7
Active Member
Topic starter
 

I am trying to mount a Server 2003 dd image in Live View. Everything works fine until the Windows Logo Screen appears and the I get blue screened. I do not have access to the original hardware. I have tried mounting the image on an XP and Vista host and have used both Live View and FTK3 to mount the image but the result is always the same. Any suggestions or work arounds appreciated please.

Thanks

 
Posted : 19/09/2011 5:29 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

You have to remeber that Live view is quite old now, your probably best using VFC2 if you can as it is far more up to date.

I have also heard of people having success with OpenGates as well so might be worth a try.

What version of VMware are you using?

 
Posted : 19/09/2011 5:49 pm
zhaan
(@zhaan)
Posts: 50
Trusted Member
 

Just a thought. you could try restoring the image to a similar drive and then try.

I have always had mixed results with LV, overall its been a god send quite often but sometimes, if the OS dont want to play it wont.

Could it possibly be a problem with the OS?

Is there a message within the blue screen, perhaps mentioning a specific cause or driver failure?

I noticed with an ATI driver a few months ago, it would cause a bluey when I was shutting down!

As pointed out, she is getting on…

 
Posted : 20/09/2011 11:02 pm
zhaan
(@zhaan)
Posts: 50
Trusted Member
 

You could take a look at Virtual Box.

I have been using it recently, it works with ISO's, etc.

Not sure if it works with DD images but if it does it is really impressive.

I have just been looking through the manual but cant see anything.

 
Posted : 20/09/2011 11:11 pm
(@thepm)
Posts: 253
Reputable Member
 

Are you able to boot in Safe Mode?

 
Posted : 20/09/2011 11:55 pm
lucpel
(@lucpel)
Posts: 55
Trusted Member
 

If it mounts using the mount command, it should generally work in FTK3. Did you try something like
#mount -o ro,noexec,loop /image.dd /mount_directory

Once I had an image .dd that didn't work in FTK, but worked in Autopsy.

Sorry if this is too obvious,

 
Posted : 21/09/2011 4:38 am
(@athulin)
Posts: 1156
Noble Member
 

Any suggestions or work arounds appreciated please.

LiveView does not handle all images. In the cases where it doesn't, I've usually got by with 'raw2vmdk' (available at sourceforge)., but there have been cases when that, too, would fail, and some hands-on patching was necessary.

Did you inquire into the reasons for the bluescreen? Checked the error code? Any minidump? That would tell you if the image relied on something that a simple converter could not be expected to support, such as special hardware nor present in your environment. Tried booting in safe mode?

 
Posted : 21/09/2011 11:46 am
(@shep47)
Posts: 51
Trusted Member
 

I had BSoD problems with LiveView and FTK mounted images and in the end I concluded it was driver conflict (never sourced) on my Win 7 machine as it would work on a colleagues machine but not on mine (and the 'sausage factory' didn't allow me the time to reinstall!). However, I see you have tried it on another machine so this workaround may not be of help.

I created a clean OS VM (didn't update any of the drivers) and installed just VMWare and LiveView on it and run this within my existing installation of Win 7. This iradicated the BSoD instances I was experiencing (probably as the rogue driver had not been installed).

I think all the points in this thread are worth trying as each image is different, 'safe mode' is probably my first choice on a BSoD although I have tried VLC with better success (although I no longer have VLC at my new workplace so it's back to LiveView).

Finally, I always clean out my VM folder immediately before I try to create/run a LiveView mounted VM as I've found any old files in this folder (even a previously good version of a working VM) will interfere with the VM I am trying to run. Also, LiveView sometimes will refuse to create and autorun the VM but by simply going into the VM folder where it started to create the VM files and remaining any of the files with the extension .lck to .txt and then opening the .vmx direct in VMWare will often get the VM working.

 
Posted : 21/09/2011 1:51 pm
(@chrism)
Posts: 97
Trusted Member
 

I've found that when mouting images through FTK to be used with Live View, you must make sure that 'Block Device / Writable' is selected, and that you only mount the Physical Image.

Also I have had it BSoD a few times, mainly on non-standard builds.

 
Posted : 21/09/2011 2:51 pm
Nige
 Nige
(@nige)
Posts: 7
Active Member
Topic starter
 

Thanks to everyone who has responded. There are a number of suggestions here which I will work through one by one.

Thanks again for your input.

 
Posted : 22/09/2011 8:38 pm
Share: