HELP: Need to Copy locked windows files

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

The-Game
Member
 

HELP: Need to Copy locked windows files

Posted: Nov 28, 15 19:28

Dear Experts,

I'm looking for an open source command line utility to copy pagefile, hiberfil and registry hives from a live system. I would be really grateful if someone could provide a tool which has the capability to perform this activity.

Please note: I'm looking only for a command line utility, something which can be called from the command prompt and also takes a few input parameters.

Thanks in advance
 
  

Igor_Michailov
Senior Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 28, 15 19:37

Command Line Versions of FTK Imager
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 
 
  

jaclaz
Senior Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 28, 15 22:07

For Registry (brand new and experimental), free but not Open Source:
reboot.pro/topic/20848-dumpreg/

For hiberfil (within limits it could work for Registry hives as well) this generic "direct disk access" approach might do nicely (and is actually Open Source):
reboot.pro/topic/7400-...-possible/
github.com/jschicht/RawCopy

(I doubt that it is viable for pagefile.sys)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

The-Game
Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 29, 15 13:37

@Igor_Michailov : I was going through the FTK CLI but failed to find any command line option to extract registry hives from a live system.

@jaclaz : RawCopy is not letting me copy swapfile, pagefile and hiberfil. Dumpreg seems to be a pretty interesting tool, I need to test it.

Still, I'm stuck on copying swapfile, pagefile and hiberfil. Registry files can be copied using RawCopy.

Is there any command line tool or command which will help me gather all the files with a given extension onto my external drive? Something like copying C:\*.lnk to X:\Link\

Any kind of help will be appreciated. Thanks in advance.  
 
  

jaclaz
Senior Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 29, 15 17:19

"is not letting me" is not a description of what actually happens: do you get an error, nothing, the CMD window stuck, what?
Which OS are you trying it on?
Which EXACT command line did you use?

Maybe there is something else (permissions, privileges, *whatever*) that is making RawCopy fail for hiberfil.

In theory hiberfil is a file generated when hibernation is chosen, so what you find on disk should be accessible (with direct disk access) and "static", i.e. representing "last time the OS was hibernated".

Pagefile is instead likely to be dynamically accessed/changed, so - particularly if it is not set to "fixed size", aka set as "let Windows manage it" - it is very possible that even if direct disk access works, what you get is not what it was at the time you issued the copy command.

But Volume Shadow Copy should work anyway (and it will obviously be a "snapshot").

Since both are "System files", it is also possible that some other technique (like using MFTRCRD to get their $MFT index and extents) is needed for them.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

The-Game
Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 30, 15 13:52

@jaclaz, the error that I'm getting while executing the command is:
"Error: NtOpenFile returned: 0xC0000043 Opening target file failed, now re-trying with INDX method from parent folder. Error: Cannot get IndexNumber of parent folder."

Command used: rawcopy64.exe C:\pagefile.sys C:\Test_Temp\Output\

Live system, Windows 8 (64-bit).

Any help would be appreciated. Thanks in advance.
 
  

jaclaz
Senior Member
 

Re: HELP: Need to Copy locked windows files

Posted: Nov 30, 15 15:48

It is likely that pagefile.sys is "in use", i.e. "hooked" by a system process.

If this is the case, it is a "special case" and most of the tools mentioned will choke on it, and something like an "offline NTFS $MFT and cluster run parser" would be needed to get the extents of the file (which could then be copied through direct disk access).

Joakims is often around here, maybe he has an idea of a procedure using one of his tools (or maybe he might be able to put together yet another tool). In any case I will let erwan.l (author of Dumpreg but also of some other disk related tools) know about the issue, he might have the time/will to modify his extents tool for this use.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
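The approach jaclaz sketches in this post and in his earlier one (get the file's $MFT record and extents, then copy the clusters through direct disk access), as an added example. The NtOpenFile status 0xC0000043 quoted above is STATUS_SHARING_VIOLATION: the kernel holds pagefile.sys open with no share access, so any tool that begins with an ordinary open fails regardless of privileges, and the only way round it is to not open the file at all. The script below is my own Python, not RawCopy, MFTRCRD or Dumpreg; it assumes an elevated prompt so that `\\.\C:` can be opened raw (it works unchanged on a raw disk-image file), only looks in the volume root, and does not follow $ATTRIBUTE_LIST, so a heavily fragmented file whose runs spill into extension records would come out short. The file name, paths and sample bytes in the test are constructed for illustration. As jaclaz notes, the page file keeps changing while you read it, so compare the byte count returned with the size `dir /a C:\pagefile.sys` reports and treat the copy as a snapshot of uncertain consistency.

```python
# Added example, not RawCopy's, MFTRCRD's or Dumpreg's code.  Finds a file in the NTFS
# root by scanning $MFT and reads its clusters straight from the volume, so no file-system
# open (and no sharing check) happens.  Root dir only, no $ATTRIBUTE_LIST; reads are
# sector-aligned so vol_path may be the raw volume \\.\C: (needs administrator rights).
import struct

ROOT_RECORD, ATTR_FILE_NAME, ATTR_DATA = 5, 0x30, 0x80   # root dir MFT record, attr types

def parse_boot_sector(bs):
    """Cluster size, $MFT start cluster and MFT record size from the boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]
    raw = struct.unpack_from("<b", bs, 0x40)[0]       # clusters per record, or -log2(bytes)
    rec = (1 << -raw) if raw < 0 else raw * bps * spc
    return {"bps": bps, "cluster": bps * spc, "mft_lcn": mft_lcn, "record": rec}

def apply_fixup(rec, bps):
    """Undo the update sequence array: restore the real last two bytes of each sector."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        out[i * bps - 2:i * bps] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def attributes(rec):
    # Yield (type, raw bytes) for every attribute in a fixed-up MFT record.
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        yield atype, rec[off:off + alen]
        off += alen

def decode_runs(data):
    """Data-run list -> [(lcn, clusters)]; lcn None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        off = data[pos + 1 + len_sz:pos + 1 + len_sz + off_sz]
        pos += 1 + len_sz + off_sz
        if off_sz:                                        # signed, relative to previous run
            lcn += int.from_bytes(off, "little", signed=True)
        runs.append((lcn if off_sz else None, length))
    return runs

def data_runs_and_size(rec):
    """Runs and real size of the unnamed, non-resident $DATA attribute, or None."""
    for atype, attr in attributes(rec):
        if atype == ATTR_DATA and attr[8] == 1 and attr[9] == 0:
            run_off = struct.unpack_from("<H", attr, 0x20)[0]
            return decode_runs(attr[run_off:]), struct.unpack_from("<Q", attr, 0x30)[0]
    return None

def file_name_of(rec):
    """(parent record number, name) from the first $FILE_NAME attribute, or None."""
    for atype, attr in attributes(rec):
        if atype == ATTR_FILE_NAME and attr[8] == 0:
            body = attr[struct.unpack_from("<H", attr, 0x14)[0]:]
            parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
            return parent, body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
    return None

def read_runs(vol, runs, cluster, size):
    """Yield the content run by run (sparse runs as zeros), cut to the real size."""
    for lcn, n in runs:
        if lcn is not None:
            vol.seek(lcn * cluster)
        while n > 0 and size > 0:
            take = min(n, 2048)                           # 8 MiB per read at 4 KiB clusters
            chunk = bytes(take * cluster) if lcn is None else vol.read(take * cluster)
            yield chunk[:size]
            size -= len(chunk)
            n -= take

def extract(vol_path, name, out_path):
    r"""Copy <name> from the root of vol_path (\\.\C: or a raw image) to out_path."""
    with open(vol_path, "rb", buffering=0) as vol:
        geo = parse_boot_sector(vol.read(512))
        vol.seek(geo["mft_lcn"] * geo["cluster"])          # record 0 describes $MFT itself
        mft_runs, _ = data_runs_and_size(apply_fixup(vol.read(geo["record"]), geo["bps"]))
        for lcn, n in mft_runs:                             # $MFT itself is never sparse
            vol.seek(lcn * geo["cluster"])
            for _ in range(n * geo["cluster"] // geo["record"]):
                rec = vol.read(geo["record"])
                if rec[:4] != b"FILE" or not rec[0x16] & 1:  # not a record, or not in use
                    continue
                rec = apply_fixup(rec, geo["bps"])
                fn = file_name_of(rec)
                if fn and fn[0] == ROOT_RECORD and fn[1].lower() == name.lower():
                    runs, size = data_runs_and_size(rec)
                    with open(out_path, "wb") as out:
                        for chunk in read_runs(vol, runs, geo["cluster"], size):
                            out.write(chunk)
                    return size
    raise FileNotFoundError(name)
```

From an elevated Python prompt, `extract(r"\\.\C:", "pagefile.sys", r"X:\out\pagefile.sys")` returns the number of bytes written; the same call with "hiberfil.sys" or "swapfile.sys" copies those. Registry hives live under \Windows\System32\config rather than the root, so for them you would either keep using RawCopy or extend the root-only lookup to walk directory index records.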
 

Page 1 of 3