Hello,
I am trying to boot VMWare from a disk image acquired with dd. The imaged disk contains three partitions (the first one is a recovery partition, the second and third ones are NTFS partitions containing NTFS file systems). The bootable partition is the second one, on which Windows XP Professional is installed.
I've tried various methods to boot VMWare from this image, but I always get the "blu screen" error and the virtual machine reboots. To be more precise, I've tried
1) to mount the image with Image Pro and add it as a raw disk to VMWare
2) to use the techniques described in the Michael Penhallurick's paper published on Digital Investigation ("Methodologies for the use of VMWare to boot cloned/mounted subject hard disk images")
3) to use the techniques described in the VMWare discussion forum (http//
When possible, I've tried these techniques both with VMWare running on Linux and Windows as OS hosts. I all the cases, I always get the "blu screen" message saying that Windows cannot boot to avoid hardware damages, and suggesting to run chkfsk /F on the disk.
Did anybody experience the same problem?
Thanks in advance.
– Cosimo
Hi!
Well… first of all I have to say that I'm not giving you a solution, mainly because I have never used VMWare. The reason why I'm writing a reply is precisely because this subject seems very interesting to me! I have only used EnCase so far (to create a hard drive forensic image, and to analyze it afterwards), and it seems to me very interesting the possibility of booting up an imaged hard drive. I just wanted to know a couple of things
- Is VMWare free?
- If not, can an image be booted with any other piece of software?
Thanks in advance, and once more, congratulations for an interesting subject.
VMware has an issue with XP, non intel based chipsets, the paper on the issue can be found here.
http//
VMWARE player is free so if you can get someone to create a virtual machine or download an image of one, you can run it up yourself.
usefull links
http//
http//
http//
http//
Hello,cosimo.
I have the same problem.
and do some ways same as to you.
but problem is still there.
When you get the blue screen, insert your Windows installation boot disk. Reboot the Vmachine to the boot disk disk. Go through the process of installing the OS from scratch. The installation process will tell you it detects another Windows OS present and asks do you want to repair. Enter yes, let it repair any faults its picking up, and there you go…… It should work.
Andy
Hi perica,
yes, I agree with Andy's reply. I've been able to boot from a dd'ed image by following the indications reported in Brett Shaver's paper (http//www.forensicfocus.com/vmware-forensic-tool) to create a .vmdk disk from the dd'ed image, and then I have repaired the windows installation as reported by Andy. I have done this for a few dd'ed images, and the procedure constantly works with Windows XP and Windows 2000. I have had problems with Windows 98, that has not been able to reconfigure itself after booting the .vmdk cloned disk, and I didn't have the time to work on that. Did anybody succeed with Windows 98?
Cheers,
– Cosimo
Thanks cosimo and Andy.
- If not, can an image be booted with any other piece of software?
I have tried this booting off of an Encase image in Physical Disk Emulator mode but ran into problems. I wonder if using the Windows XP CD would help in this case as well.
Even though I have had tremendous success with VMware and MIP, I still get the occasional BSOD especially with laptop images that have been restored to a VM environment. Considerable registry analysis against cloned machines and vm created machines led me to realise that its not always just the presence of registry keys that are necessary - sometimes you may need to delete them too!
Make sure that the correct control set is applied - sometimes set 001 doesn't even exist - details of how to determine it are laid out in the pdf file.
Hope this is of help to some of you out there
There is a free tool from Sourceforge called Liveview. You can download it from
http//liveview.sourceforge.net/
It is by far, the most impressive way I have ever seen to restore an image to VMware. A total of 30 seconds after clicking about 5 buttons and the image boots up automatically into VMware. It has to be a DD image, however, using FTK imager (as an example), you can convert any E0 image you currently have to DD and boot it right up. Very very very nice.
Oh yeah, you can have a physical write block on your image (if you want), or you can choose to have it not write anything to the image (if you want), and even if you don't choose to protect the image from writes, the program won't write to it anyway. Several layers of protection to the original image.