Afternoon everybody, here is a lovely puzzle to keep you all going on a Friday afternoon (late morning for all our American cousins) )
Basically I am trying to create a Virtual Machine via VFC2. But its getting to 82% and erroring out saying "cannot create disk"
I've done some googling, but VFC seems to have many various errors and non specific to this, so I will give you as much info as possible and see if anybody has any ideas / clues as to getting around it!
Firstly, the setup
-Windows 7 Ultimate x64
-Virtual Disk created / mounted with EnCase 6.17
-VFC2 (with Dongle)
-VMWare Player 3.1.0
What I have done thus far
-Mounted image (as above with EnCase)
-Opened VFC2 and selected the bootable partition (i.e. C\)
-VFC2 recognised it as Windows Vista Home
-Clicked Generate VM
-82% and crapped out! (erm I mean errored!) ?
This is the the log file VMWare created
Fri Sep 03 2010, 160753 vfc2| Generate VM
Fri Sep 03 2010, 160755 vfc2| Creating Virtual Machine Configuration file
Fri Sep 03 2010, 160756 vfc2| Creating Virtual Disk Descriptor file
Fri Sep 03 2010, 160757 vfc2| Creating virtual disk snapshot
Fri Sep 03 2010, 160758 vfc2| Mounting snapshot
Fri Sep 03 2010, 160759 vfc2| Validating selected volume
Fri Sep 03 2010, 160800 vfc2| Loading system hive for patching
Fri Sep 03 2010, 160813 vfc2| Patching system hive
Fri Sep 03 2010, 160814 vfc2| Extracting driver files
Fri Sep 03 2010, 160815 vfc2| VFC has detected a potential issue with the presence of a Synaptics TouchPad driver - attempting to rectify
Fri Sep 03 2010, 160815 vfc2| Disabled SynTP Service for ControlSet001
Fri Sep 03 2010, 160815 vfc2| Enabled Standard Mouse Service for ControlSet001
Fri Sep 03 2010, 160815 vfc2| Disabled SynTP Service for ControlSet002
Fri Sep 03 2010, 160815 vfc2| Enabled Standard Mouse Service for ControlSet002
Fri Sep 03 2010, 160815 vfc2| Unloading system hive
Fri Sep 03 2010, 160817 vfc2| Identified Non-Standard Master Boot Record
Fri Sep 03 2010, 160818 vfc2| Dismounting snapshot
Fri Sep 03 2010, 160840 vfc2| VM configuration generated
I have to note I am doing for this for a colleague and was only informed it was a laptop after this, which leads to me obviosuly think that the problem stems from here
" VFC has detected a potential issue with the presence of a Synaptics TouchPad driver - attempting to rectify "
But I don't see why it should just fall right over with this as you can plug mouses into laptops, so it should not matter if it can't find/generate the TouchPad? (I do not know what the make / model of the laptop is either, sorry!)
So that's basically where I am, and its 430 on a Friday afternoon, the sun is shining… you get the picture… I'm outta here! )
Any help or hints if anybody has seen anything similar with this, could we remove the registry settings for the TouchPad? Is there VMWare updates for TouchPads? I dunno? Maybe its just not possible to get around this?
Thanks for reading and like the nerd I am, I will be at home checking this later (on a Friday night… man I need to get out more!)
Have a good weekend!
4Rensics
Looking at the log file you provided, I'd be more inclined to think that this had something to do with the "non-standard MBR" than the driver issue.
Also, taking a look at the web page for VFC2
- There's no indication that Win7 is supported
- It pretty clearly states that EnCase isn't needed; have you tried running this process without EnCase?
A couple of thoughts
- What are you trying to achieve?
- Have you tried LiveView?
I'm with Harlan on this one. My first thought is to just try cutting the Gordian Knot with LiveView.
If that fails, you can go back to the brain scrambling troubleshooting. )
Few Questions
Confused a little - did you create a VMDK "Virtual Disk created"? What was the original image format of the disk image?
To clarify you are using the EnCase PDE module to mount the image?
Did you get Diskmount 5.5 installed on Win7 64? Recall that not working on that OS but required for VFC.
Are you trying to create a bootable VM from a disk image? Is it imperative to use VFC?
As Harlan and Eric said - LiveView might be good alternative. Can work with DD images, mounted images or physical disks.
VFCv2 certainly does work with Windows 7, so that shouldn't be the issue. Also, it requires seperate software to mount the image - if you choose the "E01" option from the program itself, it just attempts to run Mount Image Pro in the background.. which can be frustrating if you don't have that software. )
Regarding the synaptics driver, IIRC that particular driver is especially troublesome in Virtual Machines - hence VFCv2 attempts to rectify it.
What is the OS of your image? Is there anything odd about the MBR? 4k clusters maybe?
Finally, you could try emailing the creator (Michael Penhallurick) about it - he is usually quite good at responding to problems.
Interestingly we have had trouble trying to get a W2000 server VM going with VFC2 when one of the team said "just use VFC1 that has worked for me when VFC2 didn't".
He was right, VM created and started without any problem!
Worth a try.
H
Hi,
Sorry for not getting back, been busy.
To answer why were are using live view, basically been told there is something on this disc, but we can't find it, so trying to replicate what the user is seeing. But I can understand that if we can't find it view EnCase and keyword searches etc its probably not that, so its more of a last resort for our own sake to say we have tried everything.
My colleague did get this working on another PC in the office that had the license for Mount Image Pro (I don't hence the reason I had to use EnCase to mount the image as a virtual machine) I think there could be a link between the two as I can not see any other reason as to why it would fail. I don't see Win7 being a problem as VFC & VMWare both place nice on my machine!
Possibly something I should look into in the future if I get a licence for MIP. I could try mounting an E01 image with both and opening in VFC and see if they work or not, it would certainly eliminate the image I used if MIP loads it and EnCase doesn't.
Thanks for the replies.
Just a thought, could you not also convert the E01 image to a raw/DD image thereby eliminating the requirement to mount it before creating a VM from it? This is what I generally do before using either VFC or LiveView. I understand this creates a storage issue for a duplicate image but then there are less programs running to get it working.