VM Load Error in VFC  

Kady_Kady
(@kady_kady)
New Member

Hiya,

I'm having some issues with a piece of software called VFC which I use to generate a new VM before running it in VMware. I have the image mounted using Mount Image Pro, open VFC and click to generate the new VM. The progress bar hits 57% and then I get an error which states "Cannot load registry"; if you click OK, VFC continues as though it has generated the VM. When I then go to launch the VM in VMware it just keeps looping between the BIOS screen and a quick flash of a blue screen of death, which flashes too quickly to note down the error, and then loops back to the BIOS screen.

This problem started about 2 weeks ago, and at first I thought it was a problem with a missing .vmdk file, and then a problem with the image, but today on generating a VM for a different drive for a different case the same error has happened again.

Has anyone experienced this problem before?

Thanks for any help!

Kady_Kady

Posted : 16/04/2009 7:51 pm
cdsforensic
(@cdsforensic)
New Member

KK,

I had a similar problem with VFC recently, but it turns out that the registry was corrupted on the image I was trying to boot from.

Are you trying to boot from an EnCase or DD image? If so, can you browse to the registry and export it? Try looking at the individual registry files, particularly the SYSTEM hive, to see if you can see the contents.

In the end, I was unable to get the system to "boot" due to serious registry problems.

I didn't have time to follow up with MD5, but it might be worth a phone call to see if they have any other ideas. All VFC does is read the registry and build a system profile, so if the registry is corrupt, there's probably not much that can be done.

Cheers,

CK

Posted : 16/04/2009 8:59 pm
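The hive check cdsforensic suggests can be started at the file level, before opening the exported SYSTEM hive in a viewer. The following Python is an added example, not code from the thread or from VFC: it reads the fixed fields of a hive's 512-byte "regf" base block (signature, primary/secondary sequence numbers, version, root cell offset, hive bins size and the header XOR checksum) and reports each inconsistency, so a dirty hive (sequence numbers differ because the last write never completed) can be told apart from a damaged header (checksum or signature wrong) or a truncated export. `build_hive` constructs a synthetic hive for testing and is an assumption of this example, not real evidence data.

```python
import struct

REGF_HEADER_SIZE = 512    # fixed-size base block at the start of every hive file
FIRST_HBIN_OFFSET = 4096  # hive bins (the actual key/value cells) begin here

def regf_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507, with the format's two special cases."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        checksum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(checksum, checksum)

def check_hive_header(data: bytes) -> dict:
    """Sanity-check a hive file's base block and report every inconsistency found."""
    problems = []
    if len(data) < REGF_HEADER_SIZE:
        return {"ok": False, "problems": ["file shorter than the 512-byte base block"]}
    header = data[:REGF_HEADER_SIZE]
    seq1, seq2 = struct.unpack_from("<II", header, 4)            # primary / secondary sequence numbers
    major, _minor, file_type = struct.unpack_from("<III", header, 20)
    root_cell, hbins_size = struct.unpack_from("<II", header, 36)
    stored = struct.unpack_from("<I", header, 508)[0]
    if header[:4] != b"regf":
        problems.append("missing 'regf' signature: not a hive, or its header was overwritten")
    if seq1 != seq2:
        problems.append(f"dirty hive: primary sequence {seq1} != secondary {seq2} (last write incomplete)")
    if major != 1 or file_type != 0:
        problems.append(f"unexpected major version {major} / file type {file_type} (0 = primary hive)")
    if root_cell >= hbins_size:
        problems.append(f"root cell offset {root_cell:#x} lies outside the hive bins area")
    if len(data) < FIRST_HBIN_OFFSET + hbins_size:
        problems.append(f"file is {len(data)} bytes but header implies {FIRST_HBIN_OFFSET + hbins_size}: truncated")
    if stored != regf_checksum(header):
        problems.append(f"base block checksum {stored:#010x} != computed {regf_checksum(header):#010x}")
    return {"ok": not problems, "problems": problems}

def build_hive(seq1: int, seq2: int, hbins_size: int = 4096, corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal synthetic hive (base block + empty hive bins); sample data, not a real hive."""
    header = bytearray(REGF_HEADER_SIZE)
    header[0:4] = b"regf"
    struct.pack_into("<II", header, 4, seq1, seq2)
    struct.pack_into("<III", header, 20, 1, 5, 0)          # major 1, minor 5, type 0 = primary file
    struct.pack_into("<II", header, 36, 0x20, hbins_size)  # root cell offset, hive bins size
    header[48:60] = "SYSTEM".encode("utf-16-le")           # embedded file name field
    checksum = regf_checksum(bytes(header)) ^ (0xDEADBEEF if corrupt_checksum else 0)
    struct.pack_into("<I", header, 508, checksum)
    return bytes(header) + bytes(FIRST_HBIN_OFFSET - REGF_HEADER_SIZE) + bytes(hbins_size)
```

To run it against an exported hive, call `check_hive_header(open(path, "rb").read())`; a dirty hive is repairable by replacing the transaction logs, whereas a bad checksum or signature means the header itself is damaged.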
Rich2005
(@rich2005)
Senior Member

Firstly, I'd give LiveView a go (the new version copes with Vista etc.); sometimes LiveView works when VFC doesn't, and vice versa.
Having said that, I have a machine here that won't boot in either, and suspect it's just the way the machine is set up, due to some hardware/driver conflict no doubt.
As for that particular error, I'm sure I've had it in the past; whether or not I got past it I can't remember, I'm afraid. (I'm debating suggesting converting using FTKI to a flat image just in case - I have a feeling that worked for me once for no reason on a particular image - don't ask me why.)
I've yet to have cause to dig deeper, much like cds.

Posted : 16/04/2009 9:04 pm
Kady_Kady
(@kady_kady)
New Member

Thanks Chaps!

Further question - just before the first time I had the error, our IT Manager did a Disk Clean on the standalone computer we use for our forensic analysis... any chance that something could have been altered during this - especially as the remote drives weren't connected to the PC while the disk clean was being carried out?

We keep all of our images on remote drives rather than the forensics machine (and yes, they are .E01 files), so it seems really odd that I would get the same error on two different drives... whaddya fink?

Is there a way to generate a new VM using VMware Workstation? Could VFC be playing up because of licensing issues? These are the questions rolling round in my head - wondering if I am even close! Quite worried that it could be corrupted images...

Thanks a mil,

KK

Posted : 16/04/2009 9:59 pm
Rich2005
(@rich2005)
Senior Member

You have E01 files. So simply re-verify them in EnCase; that'll report any CRC errors / MD5 mismatches. If they verify completely with no errors, your evidence is fine.
And I doubt it's the licensing issues you mention.

Posted : 16/04/2009 10:27 pm
cdsforensic
(@cdsforensic)
New Member

I agree with Rich, it's unlikely to be an issue with the E01s or the new OS install. As Rich suggests, re-verify the evidence files in EnCase.

Also, ensure you are running the latest version of VFC - download the update if necessary.

Get a drive from a PC in your office that you know works and see if you can generate a VM. Choose physical disk in VFC so that you don't have to image it.

Are you running VFC via a dongle or licence key?

Maybe there is some performance issue if you are trying to mount evidence files that are stored on a network share. Try copying the evidence files locally as a test to see if you encounter the same problems.

Posted : 17/04/2009 4:28 pm
Kady_Kady
(@kady_kady)
New Member

Thanks again! That sounds promising - will give that a bash next week when back in the office...

I am running VFC off a dongle, and the PC I work off is on a standalone domain with no internet connection, so I will download any VFC updates from my own PC and load them across.

I'll keep you posted as to any success(es)!

Thanks a mil,

KK

Posted : 23/04/2009 3:00 pm
Kady_Kady
(@kady_kady)
New Member

Hiya... just some update info you might be interested in!

Re-verified the data in FTK Imager and the results came back fine - MD5 hash value matches and, best of all, no bad sectors.

Currently awaiting my new VFC licence to upgrade to version 1.2.4.3, but I don't think that will do anything to actually solve my problem; the licence is due to expire soon enough anyway.

Made a call in to VFC this morning and spoke to the software author, Michael Penhallurick, who suggested that there is actually a problem with the host operating system. The reason for this was that the images I have been having problems with I had been able to virtualise before, and now I can't. Michael suggests that if the problem had been with the images then I would never have been able to virtualise them in the first place. After re-verifying the drives and being certain now that there is no problem with the images, and also having uninstalled and re-installed the software, there is now only one place left to look, and that is the computer we use for our analysis and virtualisation.

So, it looks as though we will either have to perform an XP system restore using any backup available that we had prior to the problems, or go right back to the beginning and start all over again... 😯

Michael also gave some interesting and useful information about the setting up of a forensic "lab" computer... this might be old news to some, but new to others, so thought I would share... especially as we are learning a hard lesson here now with our particular set-up...

When setting up a lab, set up the computer as a sterile machine with the operating system only on it, then set up everything else using Norton Ghost, creating a 2nd partition for the analysis (he recommends in total a machine with about 100 GB of space). This then means that if there is a problem with e.g. the forensic software systems, going back to the sterile state and reloading will only take minutes, rather than days to complete a system re-build (as we will probably now need to do...).

Any comments on this would be interesting! In the meantime I will keep you posted until a resolution has been found!

Thanks for everyone's comments so far - been really helpful!

Kady_Kady

Posted : 27/04/2009 7:54 pm