Live_View/Output/hacking_case_dd.log

============================START============================
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\VMWare, Inc.
    Core        REG_SZ  VMware Workstation

Executing: [reg, query, "HKLM\SOFTWARE\VMware, Inc.\VMware Workstation", /v, InstallPath]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Workstation
    InstallPath REG_SZ  C:\Programme\VMware\VMware Workstation\

Executing: [reg, query, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vmware-mount.exe", /v, Path]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vmware-mount.exe
    Path        REG_SZ  C:\Programme\VMware\VMware DiskMount Utility\

Live View 0.6
Host Operating System: Windows XP
Java Version: 1.6
VMWare Install Type: 0
VMWare Mount Path: C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe
Ram Size: 256
System Time: 06.09.2007 14:29:21
Guest OS: auto
Is Physical Disk: false
All numeric extensions
Sorted extensions numerically
Sorted Input Files [D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.001, D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.002, D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.003, D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.004]
vmrun path: C:\Programme\VMware\VMware Workstation\vmrun.exe
Mount Drive Letter: k
MBR Signature found: almost certainly have an mbr or partition (not garbagefile)
Writable File: D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.001
Writable File: D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.002
Writable File: D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.003
Writable File: D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.004
Output: Detected VMWare Workstation Installation

Output: Detected full disk image

Num Existing Snapshots 0
MBR Info:

33 c0 8e d0 bc 00 7c fb 50 07 50 1f fc be 1b 7c 
bf 1b 06 50 57 b9 e5 01 f3 a4 cb bd be 07 b1 04 
38 6e 00 7c 09 75 13 83 c5 10 e2 f4 cd 18 8b f5 
83 c6 10 49 74 19 38 2c 74 f6 a0 b5 07 b4 07 8b 
f0 ac 3c 00 74 fc bb 07 00 b4 0e cd 10 eb f2 88 
4e 10 e8 46 00 73 2a fe 46 10 80 7e 04 0b 74 0b 
80 7e 04 0c 74 05 a0 b6 07 75 d2 80 46 02 06 83 
46 08 06 83 56 0a 00 e8 21 00 73 05 a0 b6 07 eb 
bc 81 3e fe 7d 55 aa 74 0b 80 7e 10 00 74 c8 a0 
b7 07 eb a9 8b fc 1e 57 8b f5 cb bf 05 00 8a 56 
00 b4 08 cd 13 72 23 8a c1 24 3f 98 8a de 8a fc 
43 f7 e3 8b d1 86 d6 b1 06 d2 ee 42 f7 e2 39 56 
0a 77 23 72 05 39 46 08 73 1c b8 01 02 bb 00 7c 
8b 4e 02 8b 56 00 cd 13 73 51 4f 74 4e 32 e4 8a 
56 00 cd 13 eb e4 8a 56 00 60 bb aa 55 b4 41 cd 
13 72 36 81 fb 55 aa 75 30 f6 c1 01 74 2b 61 60 
6a 00 6a 00 ff 76 0a ff 76 08 6a 00 68 00 7c 6a 
01 6a 10 b4 42 8b f4 cd 13 61 61 73 0e 4f 74 0b 
32 e4 8a 56 00 cd 13 eb d6 61 f9 c3 49 6e 76 61 
6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 
62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e 
67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 
65 6d 00 4d 69 73 73 69 6e 67 20 6f 70 65 72 61 
74 69 6e 67 20 73 79 73 74 65 6d 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 2c 44 63 5d ec 5d ec 00 00 80 01 
01 00 07 fe bf 4f 3f 00 00 00 11 1e 91 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa 
Partition 1:
====================
Is Bootable: true
Begin Head: 1
Begin Cylinder: 0
Begin Sector: 1
Partition Type: 0x7
End Head: 254
End Cylinder: 591
End Sector: 63
Relative Sector: 63
Num Sectors: 9510417
Partition 2:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0
Partition 3:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0
Partition 4:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0

Created: E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001.vmx
#Static Values
config.version = "8"
virtualHW.version = "3"
floppy0.present = "FALSE"
displayName="SCHARDT-dd.001"

#Drive Info
ide0:0.present = "TRUE"
ide0:0.fileName = "E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001.vmdk"
ide0:0.deviceType = "disk"
ide0:0.mode = "persistent"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"

#User Specified
memsize="256"
rtc.starttime="1189081761"
snapshot.disabled = "TRUE"


Created: E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001.vmdk
# Disk Descriptor File
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 3051520 FLAT "D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.001" 0
RW 3051520 FLAT "D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.002" 0
RW 3051520 FLAT "D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.003" 0
RW 359700 FLAT "D:\evidence\CFReDS_Hacking_Case_hda_dd\SCHARDT-dd.004" 0
RW 3780 ZERO

#DDB - Disk Data Base
ddb.adapterType = "ide"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "254"
ddb.geometry.cylinders = "591"
ddb.virtualHWVersion = "3"

Output: Making image file(s) read-only at user's request

Output: Generating vmx file...

Output: Generating vmdk file...

Executing: [C:\Programme\VMware\VMware Workstation\vmrun.exe, snapshot, E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001.vmx, Original1189081810562]
External Proc Output: 
Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, /v:1, k:, E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001-000001.vmdk]
Output: Snapshot Created

External Proc Output: 
Output: Snapshot Mounted

Executing: [reg, load, HKLM\NEWSOFTWARE, k:\WINDOWS\system32\config\software]
External Proc Output: Der Vorgang wurde erfolgreich ausgeführt.

Output: Software Hive Loaded

Executing: [reg, query, "HKLM\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion", /v, ProductName]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductName REG_SZ  Microsoft Windows XP

Executing: [reg, query, "HKLM\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion", /v, SystemRoot]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion
    SystemRoot  REG_SZ  C:\WINDOWS

Executing: [reg, unload, HKLM\NEWSOFTWARE]
External Proc Output: Der Vorgang wurde erfolgreich ausgeführt.

Output: Software Hive Unloaded

Added: guestOS="winXPPro" to E:\VMs\LiveView\Hacking_Case_hda\SCHARDT-dd.001.vmx
Driver Destination Location: k:\WINDOWS\system32\drivers
Output: Detected Microsoft Windows XP installation on image

Output: Added guest OS to vmx file

Output: Intel IDE Driver Already Exists On The System, Skipping Extraction

Output: Intel IDE Driver Ready

Executing: [reg, load, HKLM\NEWSYSTEM, k:\WINDOWS\system32\config\system]
External Proc Output: Der Vorgang wurde erfolgreich ausgeführt.

Executing: [reg, query, "HKLM\NEWSYSTEM\Select", /v, Current]
Output: System Hive Loaded

External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSYSTEM\Select
    Current     REG_DWORD       0x1

Executing: [regedit, /s, C:\Programme\Live View\Resources\merge.reg.temp]
Output: Extracted Current Control Set Value: 1

External Proc Output: 
Output: Critical Device Database Updated

Executing: [reg, unload, HKLM\NEWSYSTEM]
External Proc Output: Der Vorgang wurde erfolgreich ausgeführt.

Output: System Hive Unloaded

Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, k:, /d]
External Proc Output: 
Output: Snapshot Unmounted

Output: Bootable Partition 1: winXPPro prepared for launch

Output: The VMWare configuration files have been generated in your chosen output directory

User Closed Program Window
Stopped running processes
Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, k:, /f]
External Proc Output: The volume was not mounted by VMware-mount.  It may be a network driver or
it may have been mounted using another utility. It cannot be dismounted.

Executing: [reg, unload, HKLM\NEWSYSTEM]
External Proc Output: 
Error: Error:  Falscher Parameter.

Executing: [reg, unload, HKLM\NEWSOFTWARE]
External Proc Output: 
Error: Error:  Falscher Parameter.

Cleaned Up
Live_View/Output/hacking_case_dd.log (last edited 2009-06-08 10:19:29 by localhost)