Dear Experts,

I'm looking for an open source command line utility to copy pagefile, hiberfil and registry hives from a live system. It would be really grateful if someone can provide a tool which has the capability to perform this activity.

Please note: I'm looking only for a command line utility something which can be called using command prompt and also takes few input parameters.

Thanks in advance  

Command Line Versions of FTK Imager
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

For Registry (brand new and experimental), free but not Open Source:
reboot.pro/topic/20848-dumpreg/

For hiberfil (within limits it could work for Registry hives as well) this generic "direct disk access " approach might do nicely (and actually Open Source):
reboot.pro/topic/7400-...-possible/
github.com/jschicht/RawCopy

(I doubt that it is viable for pagefile.sys )

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

@Igor_Michailov : I was going through FTK cli but failed to find any command line option to extract registry hive from a live system.

@jaclaz : RawCopy is not letting me copy swapfile, pagefile and hiberfil. Dumpreg seems to be pretty interesting tool need to test it.

Still I'm stuck on copying swapfile, pagefile and hiberfil. Registry files can be copied using Rawcopy.

Is there any command line tool, command which will help me gather all the files based on extension in my external drive? something like copying C:\*.lnk X:\Link\

Any kind of help will be appreciated. Thanks in advance.  

"is not letting me" is not a description of what actually happens, do you get an error, nothing, the CMD window stuck, what?
Which OS are you trying it on?
Which EXACT command line did you use?

Maybe there is something else (permissions, privileges,*whatever*) that is making Rawcopy fail for hiberfil.

In theory hiberfil is a file generated when hibernation is chosen, so what you find on disk should be accessible (with direct disk access) and "static", i.e. be representing "last time OS was hibernated".

Pagefile is instead likely to be dinamically accessed/changed, so - particularly if it is not set to "fixed size" aka set as "let Windows manage it" it is very possible that even if direct disk access work what you get is not what it was at the time you issued the copy command.

But Volume Shadow Copy should work anyway (and it will obviously be a "snapshot").

Since both are "System files", it is also possible that some other technique (like using MFTRCRD to get their $MFT index and extents) is needed for them.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

@jaclaz, The error that I'm getting while executing the command is
"Error: NtOpenFile returned: 0xC0000043 Opening target file failed, now re-trying with INDX method from parent folder. Error: Cannot get IndexNumber of parent folder."

Command used: rawcopy64.exe C:\pagefile.sys C:\Test_Temp\Output\

Live system, windows8 (64bit architecture)

Any help would be appreciated. Thanks in advance.  

It is likely that pagefile.sys is "in use", i.e. "hooked" by a system process.

If this is the case, it is a "special case" and most of the tools mentioned will choke on it and something like an "offline NTFS $MFT and cluster run parser" would be needed to get the extents of the file (which then could be copied through direct disk access).

Joakims often happens around here, maybe he has an idea of a procedure using one of his tools (or maybe he might be able to put together yet another tool) in any case I will let erwan.l (Author of Dumpreg but also of some other disk related tools) know about the issue, he might have the time/will to modify his extents tool for this use.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -