Hi!
I got an Encase image from an 80 GB XP suspect disk. I restored the suspect image to a virtual disk using the “Encase in vmware” method. I had no problem creating the clone on a virtual disk. When I boot the virtual machine, I get a BSOD with error 7B (mass storage problem) after the XP screen has shown for about 1 second.
The first thing I tried was to mount the suspect image on my physical computer using “Encase emulated drive”. Afterwards, I took LiveView 0.7b and booted my emulated disk. Everything worked fine! Now I'm sure this image can be mounted and used in VMware.
Back in my virtual machine, I changed the line “scsi0.present=TRUE” to “scsi0.present=FALSE” in my VMX; the same result happened.
I booted my virtual machine with an ISO of Windows XP SP3: no repair option.
I booted my virtual machine with an ISO of Windows XP SP2: no repair option, only the recovery console.
In the recovery console, I tried “disable pciide”; it doesn't work.
I tried taking the VMX file options created by LiveView and changing the option for my disk; it doesn't work either.
Does anyone have an idea why I'm able to boot with LiveView and an Encase emulated disk and not with a restore on a virtual disk made inside a virtual machine?
Best regards,
Charles
Have you tried re-acquiring the image to raw/dd format and then using LiveView?
Try OpenGates (
Hi!
It was my next move to convert my E01 to DD to use LiveView.
Thanks for OpenGates, it's the first time I've heard about it. I will certainly give it a try.
But I still want to know why I'm able to boot with Liveview and an Encase emulated disk and not with a restore on a virtual disk made inside a virtual machine?
Hope someone will have a piece of an answer.
Anyone have an idea why I'm able to boot with Liveview and an Encase emulated disk and not with a restore on a virtual disk made inside a virtual machine?
Not without looking very carefully at the boot drive that failed to boot. Chances are the restore did not do exactly what you expected, or that you did not set up things to work correctly. The 'encase in vmware' method you mention does not mean anything to me … where is this method documented? Have you used it successfully before?
I mean, VMWare allows you to emulate quite a lot of hardware … so the method has to ensure that you select the right emulated hardware for the job … I am assuming you haven't restored an ATA drive image to an emulated SCSI drive, for example. And also that you are running the latest VMWare Desktop.
LiveView does all that for you automagically … so I would suggest you compare the emulated drive that LiveView set up for you, with the drive that you set up using the method you mention. Is there any difference? If so, what? And does that difference explain the problem?
And on the topic of creating vmdk drives, you might also want to check out the raw2vmdk tool on sourceforge. I've tried it in a couple of cases where LiveView failed to do the job, and it has not let me down so far.
Also, check these PDFs - they have been very helpful. Thanks to the authors Michael A. Penhallurick and Dave Shaver (I realize I posted these lately and want to make sure they get the props).
Hey Charles,
You will need to use LiveView or similar to create the virtual machine. You get a BSOD when you try a direct conversion to a virtual machine because a lot of the physical hardware from the original machine is different to yours. VMWare is so efficient at running VMs because it allows them to address low level hardware directly, but this is a problem if it is sending instructions to hardware different to what it thinks is there.
Without using Live View, the OS may still think (i.e. in the registry), for instance, that it is addressing an AMD processor from the original machine rather than an Intel processor in yours and be using the wrong instruction sets. Live View, from memory (it's been a while), goes in and alters the registry to reflect the hardware configuration of the host so that it can boot. Look at the Live View logs to get a better understanding of what is being changed for your VM and you can probably do it manually yourself to achieve the same result.
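The comparison suggested earlier in the thread (the drive LiveView set up versus the manually restored one) can start with the two .vmx files. The following is an added example, not part of any post in this thread and not LiveView's own code; both sample files are constructed, and the key pattern is an assumption about which VMX settings describe the storage controller:

```python
import re

# Assumption: controller/disk settings use the ideN / scsiN / sataN key prefixes.
STORAGE_KEY = re.compile(r"^(ide|scsi|sata)\d+(:\d+)?\.", re.IGNORECASE)
# A VMX setting line has the form: key = "value"
LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def storage_diff(working, failing):
    """List (key, working_value, failing_value) for storage keys that differ.

    A value of None means the key is absent from that file.
    """
    a, b = parse_vmx(working), parse_vmx(failing)
    keys = sorted(k for k in set(a) | set(b) if STORAGE_KEY.match(k))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

# Constructed sample: a VM that boots, with the disk on an IDE controller.
WORKING_VMX = '''
config.version = "8"
ide0:0.present = "TRUE"
ide0:0.fileName = "suspect.vmdk"
scsi0.present = "FALSE"
'''

# Constructed sample: a VM that stops with 7B, with the disk on a SCSI controller.
FAILING_VMX = '''
config.version = "8"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "restore.vmdk"
'''

if __name__ == "__main__":
    for key, ok, bad in storage_diff(WORKING_VMX, FAILING_VMX):
        print(f"{key:20} working={ok!r:16} failing={bad!r}")
```

Run it against copies of the .vmx files, not the evidence itself; it only reads text and reports which controller and disk settings differ.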
Thanks everybody!
I learned a lot from your comments. The PDF files were great.
I think the best way to resolve my problem is to convert the Encase image to DD and use LiveView.
Thanks everybody!
That's another solution, but isn't forensically compliant