Announcement

Collapse
No announcement yet.

Problem with System Password Module

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problem with System Password Module

    Hi.

    I am using OSForensics to get a list of Window's login passwords.

    I've mounted a .E01 drive image in O:\.
    In Passwords Module, "Windows login passwords", if i select ScanDrive O:\ and then click on "Retrieve Hashes", i receive this message:

    "Unable to load the registry SYSTEM hive: error 19"... WHY?
    I tryed the log with the DEBUG mode, but nothing about this message.


  • #2
    What version of OSF are you using?
    For the registry files on drive 0:\, which operating system did they come from?
    Which O/S is running on the host machine?
    Was the drive mounted as read only?

    There was a bug (or feature limitation) in OSF V1.0.1000 and earlier. The mounted drive needed to be readable and writable in order to mount the registry files, but this seemed to happen only if the mounted drive had an older registry (e.g. from XP) and the host was a newer O/S (e.g. Win7).

    This bug was fixed in v1.0.1001 - 13th of October 2011. So in the new release the drive could be mounted as read only.

    But a work around was to make the image writable, instead of read only.

    So maybe this is your problem?

    Comment


    • #3
      Hi
      1) I'm using latest version.
      2) The operating system in O:\ is Windows XP Pro
      3) The host machine have installed Windows Server 2008 64bit Datacenter, but this problem occurs even with Windows 7 Ultimate 64 bit.
      4) The drive is mounted read-only (obligatory for forensic examination)

      Please note that the system mounted in O:\ is with autentication on DOMAIN.
      I noticed that the directory O:\Document and settings\username is with access denied by my host Operating System.
      But with another program freeware ("FTK Imager" for E01 interpretation) i can see the content without access denied...

      I noticed now that it not has indexed the user folder
      O:\Documents and settings\username
      Last edited by e.eis; Oct-23-2011, 02:22 PM.

      Comment


      • #4
        Just as an experiment can you duplicate the drive image, then mount the duplicate as R/W and see if that fixes the problem. This should also allow file permissions to be set.

        We'll setup a similar scenario here and do some testing.

        Medium term solution (which we have already started work on) is to do direct disk access, and direct registry access, bypassing the file system and operating system.

        Comment


        • #5
          A new build of OSForensics is now available from http://www.osforensics.com/download.html that should fix this problem getting the passwords.

          We are working on a longer term solution to the file permissions issue.

          Comment


          • #6
            I'm using version 1.0.1003, my os is Winxp 64bit Italian and the problem is still present when the mounted image is from various XP sp3 Italian

            Comment


            • #7
              This sounds more like a localisation issue to do with the Italian version of windows, please see this thread.

              Comment


              • #8
                This issue with the registry should now be fixed in build V1.0 build 1004. We have more or less rewritten the code to read the registry entries from scratch.

                I say "should" because just as I write this, we have noticed a issue with the new registry code. It crashed on one of our test machines, so let me know how it goes. We might need a quick 1005 build if the problem is more widespread than 1 machine.

                Update: Turns out this crash problem was limited to Vista and wasn't related to the registry viewer. It was related to the shadow copy function. But it has been fixed in V1.0 build 1005 now.

                Comment

                Working...
                X