VMWare/Live View

  

Nige
Newbie
 

VMWare/Live View

Post Posted: Sep 19, 11 17:29

I am trying to mount a Server 2003 dd image in Live View. Everything works fine until the Windows Logo Screen appears and then I get blue screened. I do not have access to the original hardware. I have tried mounting the image on an XP and Vista host and have used both Live View and FTK3 to mount the image but the result is always the same. Any suggestions or workarounds appreciated please.

Thanks  
 
  

minime2k9
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 19, 11 17:49

You have to remember that Live View is quite old now, you're probably best using VFC2 if you can as it is far more up to date.

I have also heard of people having success with OpenGates as well so might be worth a try.

What version of VMware are you using?  
 
  

zhaan
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 20, 11 23:02

Just a thought: you could try restoring the image to a similar drive and then try.

I have always had mixed results with LV, overall it's been a godsend quite often but sometimes, if the OS doesn't want to play, it won't.

Could it possibly be a problem with the OS?

Is there a message within the blue screen, perhaps mentioning a specific cause or driver failure?

I noticed with an ATI driver a few months ago, it would cause a bluey when I was shutting down!

As pointed out, she is getting on...  
 
  

zhaan
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 20, 11 23:11

You could take a look at Virtual Box.

I have been using it recently, it works with ISOs, etc.

Not sure if it works with DD images but if it does it is really impressive.

I have just been looking through the manual but can't see anything.  
 
  

ThePM
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 20, 11 23:55

Are you able to boot in Safe Mode?  
 
  

lucpel
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 21, 11 04:38

If it mounts using the mount command, it should generally work in FTK3. Did you try something like:
#mount -o ro,noexec,loop /image.dd /mount_directory

Once I had an image .dd that didn't work in FTK, but worked in Autopsy.

Sorry if this is too obvious,  
 
  

athulin
Senior Member
 

Re: VMWare/Live View

Post Posted: Sep 21, 11 11:46

- Nige
Any suggestions or workarounds appreciated please.


LiveView does not handle all images. In the cases where it doesn't, I've usually got by with 'raw2vmdk' (available at SourceForge), but there have been cases when that, too, would fail, and some hands-on patching was necessary.

Did you inquire into the reasons for the bluescreen? Checked the error code? Any minidump? That would tell you if the image relied on something that a simple converter could not be expected to support, such as special hardware not present in your environment. Tried booting in safe mode?  
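
Added example, not part of any post in this thread: one way to read the stop code and its four parameters from the header of a minidump exported from the image, so the bluescreen can be identified without booting anything. The header offsets are an assumption taken from public descriptions of the kernel dump format, and make_sample() builds a constructed header, not a real dump.

```python
import struct
import sys

# Signature -> (struct format, offset of the bug check code). Assumed layout;
# confirm the result against a debugger before relying on it.
LAYOUTS = {
    b"PAGEDUMP": ("<I4I", 0x28),    # 32-bit dump: code + four 32-bit parameters
    b"PAGEDU64": ("<I4x4Q", 0x38),  # 64-bit dump: code, padding, four 64-bit parameters
}

# A few well-known stop codes; anything else is reported as "unknown".
KNOWN = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x000000ED: "UNMOUNTABLE_BOOT_VOLUME",
}


def parse_bugcheck(data):
    """Return (code, name, [p1, p2, p3, p4]) from the start of a dump file."""
    sig = bytes(data[:8])
    if sig not in LAYOUTS:
        raise ValueError("not a Windows kernel dump header: %r" % sig)
    fmt, offset = LAYOUTS[sig]
    if len(data) < offset + struct.calcsize(fmt):
        raise ValueError("dump header is truncated")
    code, *params = struct.unpack_from(fmt, data, offset)
    return code, KNOWN.get(code, "unknown"), params


def make_sample():
    """Constructed 32-bit header carrying STOP 0x7B with made-up parameters."""
    hdr = bytearray(0x1000)
    hdr[0:8] = b"PAGEDUMP"
    struct.pack_into("<I4I", hdr, 0x28, 0x7B, 0xF789E528, 0xC0000034, 0, 0)
    return bytes(hdr)


if __name__ == "__main__":
    # Pass the path of an exported .dmp file, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(0x1000)
    else:
        data = make_sample()
    code, name, params = parse_bugcheck(data)
    print("STOP 0x%08X (%s)" % (code, name), " ".join("0x%X" % p for p in params))
```

Run it against a copy of the dump file exported from the image, never against the evidence itself.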
 
