Announcement

Collapse
No announcement yet.

Recent Activity on mounted image

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Recent Activity on mounted image

    The Recent Activity works perfectly on real drive (C:\ with Operating System)... but works partially on its imaged and then mounted (with osfmount) drive image.

  • #2
    What details are you missing when using the image?

    Comment


    • #3
      The missing details are: all but cookies

      No event, no browsing history, no connected usb devices, no MRU list etc...

      Only cookies are showed

      Comment


      • #4
        Well that's not normal.

        Can you try again in debug mode and send us the log file.

        Comment


        • #5
          Hi, i've sent you the log file yesterday... bye!
          Last edited by e.eis; Oct-07-2011, 10:30 AM.

          Comment


          • #6
            If the disk image is from an different version of Windows (eg in this case it was a disk image of a Server2003 system being mounted and scanned from a Windows7 system) and it is mounted as read-only then the registry files may fail to load during the recent activity scan. Several temporary files need to be created due to the registry differences and the read-only setting was preventing this from happening.

            For the next release of OSForensics we're going to look at automatically copying the files to the OSForensics temporary directory if such a situation occurs. In the meantime you would need to either copy the registry files
            onto a temporary USB drive (as suggested here http://www.osforensics.com/faqs-and-...try-files.html) or you could create a copy of your disk image and when mounting it uncheck the read-only option.

            Unfortunately we found the cause of this problem just after we built the final V1.0 release. So this fix will have to go into the first patch of V1.0 (i.e. a week or two from now). In the meantime, please use one of the workarounds above.

            Comment


            • #7
              Thanks

              Thank you so much!

              Comment


              • #8
                A patch was released today to correct this.
                http://www.osforensics.com/download.html

                Comment


                • #9
                  OSF version 1.0.1003, os WinXP 64bit Italian the problem is still there with any version of windows in the mounted image (i mean Recent activity fetch just the cookies and nothing else) ...

                  Comment


                  • #10
                    I've verified the original problem is fixed, however this sounds more like a localisation issue where we're not looking in the correct location for the registry files on an Italian installation.

                    Could you please run the recent activity function after starting OSForensics in debug mode and send us a copy of the log file.

                    Comment

                    Working...
                    X