VM Launch Failed

Steve K
2011-04-21
2014-05-21
  • Steve K
    2011-04-21

    I have not been able to get LiveView to work. I have attempted to use RAW image files as the source, and I have tried to use a physical drive as the source by mounting the E01 image from EnCase as an Emulated Disk. Regardless of the method, LiveView displays errors. Here is the MostRecentRun.log file from my last attempt where I selected 26 RAW files as the source files. Any help would be greatly appreciated. Thanks!!

    ============================START============================
    External Proc Output: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Virtual Disk Development Kit
        InstallPath    REG_SZ    C:\Program Files (x86)\VMware\VMware Virtual Disk Development Kit\

    External Process Error:
    Live View 0.7b
    Host Operating System: Windows 7
    Java Version: 1.6
    Executing:
    External Proc Output: HKEY_LOCAL_MACHINE\SOFTWARE\VMWare, Inc.
        Core    REG_SZ    VMware Server Standalone

    External Process Error:
    Executing:
    External Proc Output: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Server
        InstallPath    REG_SZ    C:\Program Files (x86)\VMware\VMware Server\

    External Process Error:
    VMWare Install Type: 1
    VMWare Mount Path: C:\Program Files (x86)\VMware\VMware Virtual Disk Development Kit\bin\vmware-mount.exe
    Executing:
    External Proc Output:
    External Process Error: ERROR: The system was unable to find the specified registry key or value.

    Clear Passwords: true
    Dump Hives: true
    Ram Size: 512
    System Time: mar 3, 2011 9:16:55 AM
    Guest OS: auto
    Is Physical Disk: false
    All numeric extensions
    Sorted extensions numerically
    Sorted Input Files
    vmrun path: C:\Program Files (x86)\VMware\VMware Server\..\VMware VIX\vmrun.exe
    Mount Drive Letter: k
    MBR Signature found: almost certainly have an mbr or partition (not garbagefile)
    Num Existing Snapshots 0
    MBR Info:

    Partition 1:
    ====================
    Is Bootable: false
    Begin Head: 1
    Begin Cylinder: 0
    Begin Sector: 1
    Partition Type: 0xb
    End Head: 239
    End Cylinder: 730
    End Sector: 63
    Relative Sector: 63
    Num Sectors: 11052657
    Partition 2:
    ====================
    Is Bootable: true
    Begin Head: 0
    Begin Cylinder: 731
    Begin Sector: 1
    Partition Type: 0x7
    End Head: 239
    End Cylinder: 1023
    End Sector: 63
    Relative Sector: 11052720
    Num Sectors: 67178160
    Partition 3:
    ====================
    Is Bootable: false
    Begin Head: 0
    Begin Cylinder: 0
    Begin Sector: 0
    Partition Type: 0x0
    End Head: 0
    End Cylinder: 0
    End Sector: 0
    Relative Sector: 0
    Num Sectors: 0
    Partition 4:
    ====================
    Is Bootable: false
    Begin Head: 0
    Begin Cylinder: 0
    Begin Sector: 0
    Partition Type: 0x0
    End Head: 0
    End Cylinder: 0
    End Sector: 0
    Relative Sector: 0
    Num Sectors: 0

    Created: G:\10-011101\Temp\compaqRAW.001.vmx
    #Static Values
    config.version = "8"
    virtualHW.version = "3"
    floppy0.present = "FALSE"
    displayName="compaqRAW.001"

    #Drive Info
    ide0:0.present = "TRUE"
    ide0:0.fileName = "G:\10-011101\Temp\compaqRAW.001.vmdk"
    ide0:0.deviceType = "disk"
    ide0:0.mode = "persistent"
    ide1:0.present = "TRUE"
    ide1:0.fileName = "auto detect"
    ide1:0.deviceType = "cdrom-raw"

    #User Specified
    memsize="512"
    rtc.starttime="1299165415"
    tools.syncTime="FALSE"
    time.syncronized.continue="FALSE"
    time.syncronized.restore="FALSE"
    time.syncronized.resume.disk="FALSE"
    time.syncronized.resume.memory="FALSE"
    time.syncronized.shrink="FALSE"

    Created: G:\10-011101\Temp\compaqRAW.001.vmdk
    # Disk Descriptor File
    version=1
    CID=fffffffe
    parentCID=ffffffff
    createType="monolithicFlat"

    # Extent description
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.001" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.002" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.003" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.004" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.005" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.006" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.007" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.008" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.009" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.010" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.011" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.012" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.013" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.014" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.015" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.016" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.017" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.018" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.019" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.020" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.021" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.022" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.023" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.024" 0
    RW 3072000 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.025" 0
    RW 1442976 FLAT "S:\10-011101\Compaq RAW Image\compaqRAW.026" 0
    RW 12096 ZERO

    #DDB - Disk Data Base
    ddb.adapterType = "ide"
    ddb.geometry.sectors = "63"
    ddb.geometry.heads = "239"
    ddb.geometry.cylinders = "1023"
    ddb.virtualHWVersion = "3"

    Executing:
    Output: Detected VMWare Server Installation

    Output: Detected full disk image

    Output: Generating vmx file…

    Output: Generating vmdk file…

    External Proc Output: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
        Common AppData    REG_SZ    C:\ProgramData

    External Process Error:
    Path TO VMServer vm-list: C:\ProgramData\VMware\VMware Server\vm-list
    String to add: config "G:\10-011101\Temp\compaqRAW.001.vmx"
    vmx was already in vm-list, skipping append
    Executing:
    Output: VMX added to VMWare Server Config

    External Proc Output:
    External Process Error:
    Output: Snapshot Created

    Executing:
    External Proc Output:
    External Process Error:
    Output: Snapshot Mounted

    Executing:
    External Proc Output: The operation completed successfully.

    External Process Error:
    Executing:
    Output: Software Hive Loaded

    External Proc Output: HKEY_LOCAL_MACHINE\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion
        ProductName    REG_SZ    Microsoft Windows XP

    External Process Error:
    Executing:
    External Proc Output: HKEY_LOCAL_MACHINE\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion
        SystemRoot    REG_SZ    C:\WINDOWS

    External Process Error:
    Executing:
    External Proc Output: The operation completed successfully.

    External Process Error:
    Output: Software Hive Unloaded

    Added: guestOS="winXPPro" to G:\10-011101\Temp\compaqRAW.001.vmx
    Hive Directory: k:\WINDOWS\system32\config\
    Output: Detected Microsoft Windows XP installation on image

    Output: Added guest OS to vmx file

    SAM Location: k:\WINDOWS\system32\config\SAM
    Output: SAM and SYSTEM Hives Successfully Extracted Into Output Directory

    Driver Destination Location: k:\WINDOWS\system32\drivers
    Output: Passwords Cleared For The Following Users:

    Output: compaq_owner, aspnet, support_388945a0, helpassistant, administrator, guest, support_fddfa904

    Output: Intel IDE Driver Already Exists On The System, Skipping Extraction

    Executing:
    Output: Intel IDE Driver Ready

    External Proc Output: The operation completed successfully.

    External Process Error:
    Executing:
    Output: System Hive Loaded

    External Proc Output: HKEY_LOCAL_MACHINE\NEWSYSTEM\Select
        Current    REG_DWORD    0x1

    External Process Error:
    Output: Extracted Current Control Set Value: 1

    Executing:
    External Proc Output:
    External Process Error:
    Executing:
    Output: Critical Device Database Updated

    External Proc Output: The operation completed successfully.

    External Process Error:
    Output: System Hive Unloaded

    Executing:
    External Proc Output: Unable to dismount volume.
    To forcibly dismount the volume, use the /f option.

    External Process Error:
    Error: Snapshot Unmount Failed
    Error: Problem preparing partition2 for launch
    Output: VM Launch Failed

    User Closed Program Window
    Stopped running processes
    Executing:
    External Proc Output:
    External Process Error:
    Executing:
    External Proc Output:
    Error: ep: ERROR: The parameter is incorrect.

    Executing:
    External Proc Output:
    Error: ep: ERROR: The parameter is incorrect.

    Cleaned Up

     
    • Rick Lin
      2014-05-21

      I've been using LiveView for live forensics for a long time. I suggest you use VMware Workstation 7 or 8 or 9, and use FTK Imager or Mount Image Pro to mount the evidence. Make sure you can see the disk in LiveView's "physical disk" drop-down menu.

      Also, if something goes wrong when the VM tries to initialize and LiveView stops working: trust me, sometimes it behaves like this, but the config (vmx) and snapshot are OK. You can edit the vmx and boot the VM. There is still a good chance to boot it. It is as if you chose LiveView to generate the config and snapshot only, and then boot the VM manually.
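
A pre-boot sanity check for the manual-boot approach suggested above, as an added example that is not part of either post and is not LiveView's code: it sums the extent lines of the generated `.vmdk` descriptor and checks that the MBR partitions reported in the log fit inside that size. The function names are hypothetical, and the sample descriptor and partition list are constructed from the values in the log.

```python
import re

# Extent line of a VMDK descriptor: access, size in sectors, type, then an
# optional quoted file name and offset (ZERO extents have neither).
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)(?:\s+"([^"]*)")?(?:\s+\d+)?\s*$')

def parse_extents(descriptor):
    """Return (access, sectors, kind, filename) for each extent line."""
    found = (EXTENT_RE.match(line.strip()) for line in descriptor.splitlines())
    return [(m[1], int(m[2]), m[3], m[4]) for m in found if m]

def disk_sectors(extents):
    """Virtual disk size in 512-byte sectors: the sum of all extents."""
    return sum(sectors for _, sectors, _, _ in extents)

def check_layout(extents, partitions):
    """Return a list of problems; an empty list means the layout is consistent.

    partitions: (number, bootable, type, relative_sector, num_sectors) tuples.
    """
    problems = []
    disk = disk_sectors(extents)
    used = sorted((p for p in partitions if p[2] != 0x00 and p[4] > 0),
                  key=lambda p: p[3])
    for num, _, _, start, count in used:
        if start + count > disk:
            problems.append(f"partition {num} ends at sector {start + count}, "
                            f"past the end of the disk ({disk})")
    for a, b in zip(used, used[1:]):
        if a[3] + a[4] > b[3]:
            problems.append(f"partitions {a[0]} and {b[0]} overlap")
    if sum(1 for p in used if p[1]) != 1:
        problems.append("expected exactly one bootable partition")
    return problems

# Constructed from the log in the first post: 25 segments of 3072000 sectors,
# one of 1442976, and the 12096-sector ZERO pad.
SEGMENT = 'RW {} FLAT "S:\\10-011101\\Compaq RAW Image\\compaqRAW.{:03d}" 0'
DESCRIPTOR = "\n".join(
    [SEGMENT.format(3072000, i) for i in range(1, 26)]
    + [SEGMENT.format(1442976, 26), "RW 12096 ZERO"])
PARTITIONS = [(1, False, 0x0B, 63, 11052657), (2, True, 0x07, 11052720, 67178160),
              (3, False, 0x00, 0, 0), (4, False, 0x00, 0, 0)]

if __name__ == "__main__":
    extents = parse_extents(DESCRIPTOR)
    print(len(extents), "extents,", disk_sectors(extents), "sectors")
    print(check_layout(extents, PARTITIONS) or "layout is consistent")
```

With the values from the log the check passes; if a segment file is left out of the descriptor, partition 2 is reported as running past the end of the disk.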