============================START============================
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\VMWare, Inc.
    Core        REG_SZ  VMware Workstation

Executing: [reg, query, "HKLM\SOFTWARE\VMware, Inc.\VMware Workstation", /v, InstallPath]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Workstation
    InstallPath REG_SZ  C:\Programme\VMware\VMware Workstation\

Executing: [reg, query, "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vmware-mount.exe", /v, Path]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vmware-mount.exe
    Path        REG_SZ  C:\Programme\VMware\VMware DiskMount Utility\

Live View 0.6
Host Operating System: Windows XP
Java Version: 1.6
VMWare Install Type: 0
VMWare Mount Path: C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe
Ram Size: 256
System Time: 10.09.2005 12:34:37
Guest OS: auto
Is Physical Disk: false
All numeric extensions
Sorted extensions numerically
Sorted Input Files [D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.001, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.002, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.003, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.004, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.005]
vmrun path: C:\Programme\VMware\VMware Workstation\vmrun.exe
Mount Drive Letter: k
MBR Signature found: almost certainly have an mbr or partition (not garbagefile)
Num Existing Snapshots 0
Size of partition (bytes): 4869333504
Exception: Live View cannot auto detect the OS for partition images. Please select the image OS and try again.
Error: Live View cannot auto detect the OS for partition images. Please select the image OS and try again.
Error: Image could not be launched in the VM.
Output: Detected VMWare Workstation Installation

Output: Detected Partition Image

Ram Size: 256
System Time: 10.09.2005 12:34:37
Guest OS: winXPPro
Is Physical Disk: false
All numeric extensions
Sorted extensions numerically
Sorted Input Files [D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.001, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.002, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.003, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.004, D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.005]
vmrun path: C:\Programme\VMware\VMware Workstation\vmrun.exe
Mount Drive Letter: k
MBR Signature found: almost certainly have an mbr or partition (not garbagefile)
Num Existing Snapshots 0
Size of partition (bytes): 4869333504
Using Generic Windows MBR for non-win98/me
MBR Info:

33 c0 8e d0 bc 00 7c fb 50 07 50 1f fc be 1b 7c 
bf 1b 06 50 57 b9 e5 01 f3 a4 cb bd be 07 b1 04 
38 6e 00 7c 09 75 13 83 c5 10 e2 f4 cd 18 8b f5 
83 c6 10 49 74 19 38 2c 74 f6 a0 b5 07 b4 07 8b 
f0 ac 3c 00 74 fc bb 07 00 b4 0e cd 10 eb f2 88 
4e 10 e8 46 00 73 2a fe 46 10 80 7e 04 0b 74 0b 
80 7e 04 0c 74 05 a0 b6 07 75 d2 80 46 02 06 83 
46 08 06 83 56 0a 00 e8 21 00 73 05 a0 b6 07 eb 
bc 81 3e fe 7d 55 aa 74 0b 80 7e 10 00 74 c8 a0 
b7 07 eb a9 8b fc 1e 57 8b f5 cb bf 05 00 8a 56 
00 b4 08 cd 13 72 23 8a c1 24 3f 98 8a de 8a fc 
43 f7 e3 8b d1 86 d6 b1 06 d2 ee 42 f7 e2 39 56 
0a 77 23 72 05 39 46 08 73 1c b8 01 02 bb 00 7c 
8b 4e 02 8b 56 00 cd 13 73 51 4f 74 4e 32 e4 8a 
56 00 cd 13 eb e4 8a 56 00 60 bb aa 55 b4 41 cd 
13 72 36 81 fb 55 aa 75 30 f6 c1 01 74 2b 61 60 
6a 00 6a 00 ff 76 0a ff 76 08 6a 00 68 00 7c 6a 
01 6a 10 b4 42 8b f4 cd 13 61 61 73 0e 4f 74 0b 
32 e4 8a 56 00 cd 13 eb d6 61 f9 c3 49 6e 76 61 
6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 
62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e 
67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 
65 6d 00 4d 69 73 73 69 6e 67 20 6f 70 65 72 61 
74 69 6e 67 20 73 79 73 74 65 6d 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 2c 44 63 f4 c1 f4 c1 00 00 80 01 
01 00 07 ff bf 4f 3f 00 00 00 11 1e 91 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa 
Partition 1:
====================
Is Bootable: true
Begin Head: 1
Begin Cylinder: 0
Begin Sector: 1
Partition Type: 0x7
End Head: 255
End Cylinder: 591
End Sector: 63
Relative Sector: 63
Num Sectors: 9510417
Partition 2:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0
Partition 3:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0
Partition 4:
====================
Is Bootable: false
Begin Head: 0
Begin Cylinder: 0
Begin Sector: 0
Partition Type: 0x0
End Head: 0
End Cylinder: 0
End Sector: 0
Relative Sector: 0
Num Sectors: 0
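Added example (not Live View's code): a Python parser for the 512-byte MBR dumped above. It reproduces the four partition entries the log prints and additionally reads the 4-byte NT disk signature at offset 0x1B8, which this generic MBR still carries as f4 c1 f4 c1 (0xC1F4C1F4) at this point in the run. The constructed input copies the five rows holding the signature, the partition table and the 0x55AA marker verbatim from the dump and replaces the boot code in front of them with zeros, since the parser never reads it.

```python
import struct

SECTOR = 512

# Constructed input: offsets 432..511 of the generic MBR dumped in the log
# above, copied verbatim from its last five rows. The boot code before them
# is replaced by zeros since the parser never reads it; the disk signature
# (offset 0x1B8), the partition table (0x1BE) and the 0x55AA marker are real.
MBR_TAIL_HEX = (
    "00 00 00 00 00 2c 44 63 f4 c1 f4 c1 00 00 80 01 "
    "01 00 07 ff bf 4f 3f 00 00 00 11 1e 91 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa"
)
GENERIC_MBR = bytes(432) + bytes.fromhex(MBR_TAIL_HEX)


def decode_chs(b):
    """Decode a 3-byte CHS field: head; sector (low 6 bits) with the two high
    cylinder bits in the top of the same byte; low 8 cylinder bits."""
    head, sc, cyl_lo = b
    return head, ((sc & 0xC0) << 2) | cyl_lo, sc & 0x3F


def parse_mbr(mbr):
    """Return (disk_signature, [4 partition dicts]) for one 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one %d-byte sector" % SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    disk_signature = struct.unpack_from("<I", mbr, 0x1B8)[0]
    parts = []
    for i in range(4):
        e = mbr[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)
        parts.append({
            "bootable": e[0] == 0x80,
            "type": e[4],
            "begin_chs": decode_chs(e[1:4]),   # (head, cylinder, sector)
            "end_chs": decode_chs(e[5:8]),
            "lba": lba,
            "sectors": count,
            "bytes": count * SECTOR,
        })
    return disk_signature, parts


def describe(mbr):
    """Render the table in roughly the layout Live View logs it."""
    sig, parts = parse_mbr(mbr)
    out = ["Disk signature: 0x%08X" % sig]
    for n, p in enumerate(parts, 1):
        out.append("Partition %d:" % n)
        out.append("    Is Bootable: %s" % str(p["bootable"]).lower())
        out.append("    Begin Head/Cyl/Sec: %d/%d/%d" % p["begin_chs"])
        out.append("    Partition Type: %#x" % p["type"])
        out.append("    End Head/Cyl/Sec: %d/%d/%d" % p["end_chs"])
        out.append("    Relative Sector: %d" % p["lba"])
        out.append("    Num Sectors: %d (%d bytes)" % (p["sectors"], p["bytes"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(GENERIC_MBR))
```

Two checks against the log: 9510417 sectors times 512 is 4869333504, the "Size of partition (bytes)" Live View reported, and End Cylinder 591 comes from the two high bits of 0xbf (the end sector byte) combined with 0x4f.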

Created: E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.vmx
#Static Values
config.version = "8"
virtualHW.version = "3"
floppy0.present = "FALSE"
displayName="Dell_Latitude_CPi_hda1.001"

#Drive Info
ide0:0.present = "TRUE"
ide0:0.fileName = "E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.vmdk"
ide0:0.deviceType = "disk"
ide0:0.mode = "persistent"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"

#User Specified
memsize="256"
rtc.starttime="1126348477"
guestOS="winXPPro"
snapshot.disabled = "TRUE"


Created: E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.vmdk
# Disk Descriptor File
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 63 FLAT "E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.mbr" 0
RW 2048000 FLAT "D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.001" 0
RW 2048000 FLAT "D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.002" 0
RW 2048000 FLAT "D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.003" 0
RW 2048000 FLAT "D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.004" 0
RW 1318417 FLAT "D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.005" 0
RW 1982783920 ZERO

#DDB - Disk Data Base
ddb.adapterType = "ide"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "255"
ddb.geometry.cylinders = "591"
ddb.virtualHWVersion = "3"
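Added example (not Live View's code): how the .vmdk and .vmx above can be derived from the split chunks. It sorts the pieces by numeric extension, turns each chunk's byte size into a FLAT extent, prefixes the 63-sector MBR file (partition 1 begins at LBA 63, so the MBR extent has to be exactly that long), rejects chunks that are not a whole number of sectors, and converts the host-local "System Time" into the epoch value written to rtc.starttime. The chunk sizes are reconstructed from the extent table in the log, the ZERO padding count is taken from the log as-is, and the UTC+2 (CEST) host offset is an assumption; the log does not state the host time zone.

```python
import re
from datetime import datetime, timedelta, timezone

SECTOR = 512

# Constructed input: the five split raw chunks named in the log, with sizes
# implied by the extents Live View wrote (2048000 sectors each, 1318417 for
# the last). Listed out of order on purpose to exercise the numeric sort.
CHUNKS = {
    r"D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.003": 2048000 * SECTOR,
    r"D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.001": 2048000 * SECTOR,
    r"D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.005": 1318417 * SECTOR,
    r"D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.002": 2048000 * SECTOR,
    r"D:\evidence\CFReDS_Hacking_Case_hda1_dd\Dell_Latitude_CPi_hda1.004": 2048000 * SECTOR,
}
MBR_FILE = r"E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.mbr"
MBR_SECTORS = 63          # partition 1 starts at LBA 63, so the MBR extent is 63 sectors
PAD_SECTORS = 1982783920  # trailing ZERO extent; value taken from the log


def sort_chunks(paths):
    """Order chunks by the integer value of their extension; a plain string
    sort would put .010 before .002 on images with more than nine pieces."""
    def ext_num(p):
        m = re.search(r"\.(\d+)$", p)
        if m is None:
            raise ValueError("chunk without numeric extension: " + p)
        return int(m.group(1))
    return sorted(paths, key=ext_num)


def flat_extents(chunks):
    """Map chunk sizes to 'RW n FLAT' lines. Every chunk except the last must
    be a whole number of sectors, otherwise every later extent starts at the
    wrong byte and the guest reads shifted data."""
    ordered = sort_chunks(chunks)
    lines, total = [], 0
    for i, path in enumerate(ordered):
        size = chunks[path]
        if size % SECTOR and i != len(ordered) - 1:
            raise ValueError("chunk is not sector-aligned: " + path)
        sectors = size // SECTOR   # a partial trailing sector is dropped
        lines.append('RW %d FLAT "%s" 0' % (sectors, path))
        total += sectors
    return lines, total


def last_cylinder(total_sectors, heads=255, spt=63):
    """Zero-based index of the cylinder that holds the last sector."""
    return (total_sectors - 1) // (heads * spt)


def vmdk_descriptor(chunks, mbr_file):
    extents, part_sectors = flat_extents(chunks)
    cyl = last_cylinder(MBR_SECTORS + part_sectors)
    body = [
        "# Disk Descriptor File", "version=1", "CID=fffffffe",
        "parentCID=ffffffff", 'createType="monolithicFlat"', "",
        "# Extent description",
        'RW %d FLAT "%s" 0' % (MBR_SECTORS, mbr_file),
        *extents,
        "RW %d ZERO" % PAD_SECTORS, "",
        "#DDB - Disk Data Base",
        'ddb.adapterType = "ide"', 'ddb.geometry.sectors = "63"',
        'ddb.geometry.heads = "255"', 'ddb.geometry.cylinders = "%d"' % cyl,
        'ddb.virtualHWVersion = "3"',
    ]
    return "\n".join(body) + "\n", part_sectors


def rtc_starttime(system_time, utc_offset_hours):
    """Convert Live View's 'DD.MM.YYYY HH:MM:SS' host-local System Time into
    the UTC epoch seconds VMware expects in rtc.starttime. The host offset
    (UTC+2 for this German-localized host in September) is an assumption."""
    local = datetime.strptime(system_time, "%d.%m.%Y %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(local.replace(tzinfo=tz).timestamp())


def vmx_config(display_name, vmdk_path, memsize_mb, rtc, guest_os):
    return "\n".join([
        "#Static Values", 'config.version = "8"', 'virtualHW.version = "3"',
        'floppy0.present = "FALSE"', 'displayName="%s"' % display_name, "",
        "#Drive Info", 'ide0:0.present = "TRUE"',
        'ide0:0.fileName = "%s"' % vmdk_path, 'ide0:0.deviceType = "disk"',
        'ide0:0.mode = "persistent"', 'ide1:0.present = "TRUE"',
        'ide1:0.fileName = "auto detect"', 'ide1:0.deviceType = "cdrom-raw"', "",
        "#User Specified", 'memsize="%d"' % memsize_mb,
        'rtc.starttime="%d"' % rtc, 'guestOS="%s"' % guest_os,
        'snapshot.disabled = "TRUE"',
    ]) + "\n"


if __name__ == "__main__":
    text, n = vmdk_descriptor(CHUNKS, MBR_FILE)
    print(text)
    print(vmx_config("Dell_Latitude_CPi_hda1.001",
                     r"E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.vmdk",
                     256, rtc_starttime("10.09.2005 12:34:37", 2), "winXPPro"))
```

rtc_starttime("10.09.2005 12:34:37", 2) gives 1126348477, the value in the generated .vmx, which is 10:34:37 UTC. On the geometry: 592 × 255 × 63 = 9510480 = 63 + 9510417, so the MBR plus partition span exactly 592 cylinders; 591 is the zero-based index of the last one, which is what the partition entry's End Cylinder field needs and what the descriptor above carries as ddb.geometry.cylinders.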

Output: Detected VMWare Workstation Installation

Output: Detected Partition Image

Output: Generating vmx file...

Output: Generating vmdk file...

Executing: [C:\Programme\VMware\VMware Workstation\vmrun.exe, snapshot, E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001.vmx, Original1189398944078]
External Proc Output: 
Output: Snapshot Created

Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, /v:1, k:, E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001-000001.vmdk]
External Proc Output: 
Output: Snapshot Mounted

Executing: [reg, load, HKLM\NEWSOFTWARE, k:\WINDOWS\system32\config\software]
External Proc Output: The operation completed successfully.

Output: Software Hive Loaded

Executing: [reg, query, "HKLM\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion", /v, SystemRoot]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSOFTWARE\Microsoft\Windows NT\CurrentVersion
    SystemRoot  REG_SZ  C:\WINDOWS

Executing: [reg, unload, HKLM\NEWSOFTWARE]
External Proc Output: The operation completed successfully.

Output: Software Hive Unloaded

Driver Destination Location: k:\WINDOWS\system32\drivers
Output: Intel IDE Driver Already Exists On The System, Skipping Extraction

Output: Intel IDE Driver Ready

Executing: [reg, load, HKLM\NEWSYSTEM, k:\WINDOWS\system32\config\system]
External Proc Output: The operation completed successfully.

Executing: [reg, query, "HKLM\NEWSYSTEM\Select", /v, Current]
Output: System Hive Loaded

External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSYSTEM\Select
    Current     REG_DWORD       0x1

Output: Extracted Current Control Set Value: 1

Executing: [regedit, /s, C:\Programme\Live View\Resources\merge.reg.temp]
External Proc Output: 
Snapshot Location: E:\VMs\LiveView\Hacking_Case_hda1\Dell_Latitude_CPi_hda1.001-000001.vmdk
Executing: [reg, query, "HKLM\NEWSYSTEM\Select", /v, Current]
Output: Critical Device Database Updated

Output: Keeping mounted snapshot open and registry loaded for partition

Output: Bootable Partition 1: winXPPro prepared for launch

External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSYSTEM\Select
    Current     REG_DWORD       0x1

Executing: [reg, query, "HKLM\NEWSYSTEM\ControlSet001\Control\ContentIndex", /v, DllsToRegister]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSYSTEM\ControlSet001\Control\ContentIndex
    DllsToRegister      REG_MULTI_SZ    C:\WINDOWS\System32\query.dll\0C:\WINDOWS\System32\ciadmin.dll\0C:\WINDOWS\System32\ixsso.dll\0C:\WINDOWS\System32\nlhtml.dll\0C:\WINDOWS\System32\offfilt.dll\0C:\WINDOWS\System32\ciodm.dll\0C:\WINDOWS\System32\infosoft.dll\0C:\WINDOWS\System32\mimefilt.dll\0C:\WINDOWS\System32\LangWrbk.dll\0\0

Output: Got bootable partition drive letter mapping: C

Executing: [reg, query, "HKLM\NEWSYSTEM\MountedDevices\", /v, \DosDevices\C:]
External Proc Output: ! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\NEWSYSTEM\MountedDevices
    \??\Volume{aa630441-f1ff-11d8-8a13-806d6172696f}    REG_BINARY      5C003F003F005C0049004400450023004300640052006F006D0054004F00530048004900420041005F00430044002D0052004F004D005F0058004D002D00310039003000320042005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0031004100310035005F005F005F005F002300350026003300350063003600630061003100310026003000260030002E0030002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{aa630442-f1ff-11d8-8a13-806d6172696f}    REG_BINARY      5DEC5DEC007E000000000000
    \DosDevices\C:      REG_BINARY      5DEC5DEC007E000000000000
    \DosDevices

Disk Serial Number: 5DEC5DEC
Output: Disk Serial Number Extracted Successfully 

Executing: [reg, unload, HKLM\NEWSYSTEM]
External Proc Output: The operation completed successfully.

Output: System Hive Unloaded Successfully 

Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, k:, /d]
External Proc Output: 
Output: Snapshot Unmounted Successfully 

Drive Serial Number: [93, 236, 93, 236]
MBR File: Dell_Latitude_CPi_hda1.001.mbr opened r/w
Output: Custom MBR For Partition Generated Successfully
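Added example (not Live View's code): decoding the MountedDevices values queried above and writing the extracted serial into the MBR, which is what the "Custom MBR For Partition Generated" step does. A 12-byte REG_BINARY value under MountedDevices is the 4-byte NT disk signature followed by the partition's byte offset; for \DosDevices\C: that is 5D EC 5D EC (the [93, 236, 93, 236] the log prints) and 0x7E00 = 63 × 512, matching Relative Sector 63. The generic MBR dumped earlier has f4 c1 f4 c1 at offset 0x1B8, so without the patch the guest's \DosDevices\C: entry would not match the disk it boots from. The constructed inputs are the values from the log (the CD-ROM \??\Volume entry shortened to its first 24 UTF-16 characters) and a zero-filled stand-in MBR carrying only the generic signature and the 0x55AA marker.

```python
import struct

SIG_OFFSET = 0x1B8   # the NT disk signature occupies MBR bytes 440..443

# Constructed input: \DosDevices\C: exactly as reg.exe printed it in the log,
# the first 24 UTF-16 units of the \??\Volume{...} CD-ROM entry, and a
# 512-byte stand-in for the generic MBR carrying the signature bytes seen
# in the dump above (f4 c1 f4 c1 at 0x1B8) plus the 0x55AA marker.
DOSDEVICES_C = "5DEC5DEC007E000000000000"
CDROM_VOLUME_PREFIX = ("5C003F003F005C00" "4900440045002300" "4300640052006F00"
                       "6D0054004F005300" "4800490042004100" "5F00430044002D00")
GENERIC_MBR = bytearray(512)
GENERIC_MBR[SIG_OFFSET:SIG_OFFSET + 4] = bytes.fromhex("f4c1f4c1")
GENERIC_MBR[510:512] = b"\x55\xaa"
GENERIC_MBR = bytes(GENERIC_MBR)


def decode_mounted_device(hex_value):
    """Decode one MountedDevices value. A 12-byte value refers to an MBR
    partition: 4-byte disk signature then 8-byte partition start offset in
    bytes, both little endian. Anything else is a UTF-16LE device path."""
    raw = bytes.fromhex(hex_value)
    if len(raw) == 12:
        signature_le, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "signature": raw[:4],
                "signature_u32": signature_le, "offset": offset}
    return {"kind": "path", "path": raw.decode("utf-16-le")}


def patch_disk_signature(mbr, signature):
    """Return a copy of the MBR with the 4 signature bytes written at 0x1B8
    in the same order reg.exe displayed them; Windows compares raw bytes."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid 512-byte MBR")
    if len(signature) != 4:
        raise ValueError("disk signature must be 4 bytes")
    out = bytearray(mbr)
    out[SIG_OFFSET:SIG_OFFSET + 4] = signature
    return bytes(out)


def letter_survives_boot(mbr, mounted_value_hex, partition_lba, sector=512):
    """True when both the disk signature and the partition byte offset in the
    MBR agree with the MountedDevices entry, so the guest keeps the letter
    instead of mounting its system volume under a new one."""
    v = decode_mounted_device(mounted_value_hex)
    if v["kind"] != "mbr":
        return False
    return (mbr[SIG_OFFSET:SIG_OFFSET + 4] == v["signature"]
            and v["offset"] == partition_lba * sector)


if __name__ == "__main__":
    c = decode_mounted_device(DOSDEVICES_C)
    print("C: -> signature %s, partition offset %d bytes (LBA %d)"
          % (c["signature"].hex().upper(), c["offset"], c["offset"] // 512))
    print("CD-ROM volume ->", decode_mounted_device(CDROM_VOLUME_PREFIX)["path"])
    print("generic MBR matches C: ?", letter_survives_boot(GENERIC_MBR, DOSDEVICES_C, 63))
    patched = patch_disk_signature(GENERIC_MBR, c["signature"])
    print("patched MBR matches C: ?", letter_survives_boot(patched, DOSDEVICES_C, 63))
```

The check is worth running whenever a partition image is wrapped in a synthetic MBR: if the offset in \DosDevices\C: is not exactly the LBA of the bootable entry times the sector size, patching the signature alone is not enough and the guest will still lose its system drive letter.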

Output: The VMWare configuration files have been generated in your chosen output directory

User Closed Program Window
Stopped running processes
Executing: [C:\Programme\VMware\VMware DiskMount Utility\vmware-mount.exe, k:, /f]
External Proc Output: The volume was not mounted by VMware-mount.  It may be a network driver or
it may have been mounted using another utility. It cannot be dismounted.

Executing: [reg, unload, HKLM\NEWSYSTEM]
External Proc Output: 
Error: Error:  The parameter is incorrect.

Executing: [reg, unload, HKLM\NEWSOFTWARE]
External Proc Output: 
Error: Error:  The parameter is incorrect.

Cleaned Up

Live_View/Output/hacking_case_dd_hda1.log (last edited 2009-06-08 10:19:16 by localhost)