X-Ways Capture hands-on test

I got hold of the latest version of X-Ways Capture and ran a couple of tests. The results are below for anyone interested.



Test 1:

A normal Windows environment with no PGP Desktop installed; acquisition was run with Capture's default ini configuration.

Test 2:

The same Windows environment, with PGP Desktop 9.9 installed and EFS encryption enabled; acquisition was run with Capture's default ini configuration.



Steps and screenshots:



Original files and directories shipped with X-Ways Capture:



The Windows directory contains the following four files. Capture.ini is the configuration file; it can be edited and customized as needed.



1. Start X-Ways Capture
Enter the output path; in this example the F:\caputer directory was chosen. From here on Capture works through the whole process automatically according to the configuration file. In this test capture.exe was run from the desktop on drive C. In real use the program must not be copied onto the suspect's hard disk, so it should be run from removable storage media instead.










Downloaded and installed PGP Desktop 9.9.



Created a 500 MB virtual disk, stored on drive E; the virtual disk was assigned drive letter G:

On the newly created logical disk G, created a txt file and copied in a pdf file.
During acquisition the tool detected that PGP was present, then began logically acquiring the files on drive G and creating a physical image of it.




After acquisition finished, looking in the Capture2 directory on drive G showed that X-Ways Capture had logically copied the files from the disk and had also created a disk image.





Because Capture was run from drive C, the EFS-encrypted files on drive C were not found.







Capture run log (copied in full so the whole process can be followed):



X-Ways Capture 1.2 Copyright X-Ways Software Technology AG 2005-2008



Capture was started on 23/03/2009 at 10:44:13 from C:\Documents and Settings\Administrator\桌面\xwcapture\Windows.

Host OS is Windows 5.1.2600 (NT).

Using configuration file capture.ini.



This version is licensed to Sprite Guo.

Result: Capture runs on the computer named B.



Hint: Starting program module: AppendIni  (the settings from the ini configuration file follow)

[user]
name=Sprite Guo
date=16
key=

[steps]
AppendIni
#GetUserDate
#GetUserTime
#Ask "Please enter a comment"
#Ask Please enter a comment
#Ask Please enter three characters: ???
DumpPhysicalMemory
DumpProcessMemory
DumpProcessList
DumpDriverList
ATACheck
HPACheck
ListMountedVolumes
EncryptionCheckProcessList
+CheckDriverListForEncryption
+EncryptionCheckProcessMemory
+EncryptionCheckDiskSectors
#EncryptionCheckAllFiles is redundant if LogicalBackup is not excluded
#EncryptionCheckAllFiles -network
+CheckForBitLockerVolumes
LogicalImaging
PhysicalImaging
LogicalBackup -network

[settings]
language=English
#language=German
PromptForOutputPath
#UserShouldAcknowledge
DateFormat=dd/mm/yyyy
#DateFormat=dd.mm.yyyy
LogInfoMsgs
LogHints
LogWarnings
LogErrors
LogResults
PrintInfoMsgs
PrintHints
PrintWarnings
PrintErrors
PrintResults
ImageSegmentSize=2000
#PhysicalImageFormat=raw
#PhysicalImageFormat=e01-compressed
PhysicalImageFormat=e01-uncompressed
PhysicalImageCalcHash=md5
#PhysicalImageCalcHash=sha-1
#PhysicalImageCalcHash=sha-256
#PhysicalImageCalcHash=none

[ExcludeDevicesFromPhysicalImaging]
#Examples:
#Maxtor 6Y080L0
#WDC WD2000JB-00GVA0

[ExcludeFromLogicalBackup]
#Examples:
E:\
F:\

[SearchProcessMemoryForEncryption]
#Examples:
#Internal name of PGPserv.exe (PGP Desktop 9):
PGPsdkService
#Internal name of Bcresident.exe (BestCrypt v7)
BCResident
#Steganos Security Suite 2006
PortableSafe@Steganos

[SearchProcessListForEncryption]  (the encryption products currently detected)
#Examples:
#PGP Desktop 9:
PGPserv.exe
PGPtray.exe
#BestCrypt v7:
Bcresident.exe
#DriveCrypt:
DriveCrypt.exe
#Steganos Security Suite 2006
sss2006.exe
#TrueCrypt, usually just the driver, sometimes just the process
TrueCrypt.exe
#SafeGuard Easy
sgectl.exe

[SearchDriverListForEncryption]
truecrypt

Above is the ini configuration; the acquisition log follows.



Hint: Starting program module: DumpPhysicalMemory  (acquire physical memory)

Hint: Main memory is 253 MB (266326016 bytes)

Warning: Could not read 1.49 MB of physical memory (0x1332000-0x14b0fff).

Result: Main memory imaging completed with one unreadable range.



Hint: Starting program module: DumpProcessMemory  (acquire process memory)

Info: Dumping memory of process System (812 KB)

Info: Dumping memory of process smss.exe (968 KB)

Info: Dumping memory of process csrss.exe (52.1 MB)

Info: Dumping memory of process winlogon.exe (44.0 MB)

Info: Dumping memory of process services.exe (12.1 MB)

Info: Dumping memory of process lsass.exe (32.4 MB)

Info: Dumping memory of process svchost.exe (35.1 MB)

Info: Dumping memory of process svchost.exe (33.9 MB)

Info: Dumping memory of process svchost.exe (42.1 MB)

Info: Dumping memory of process KVSrvXP.exe (100 MB)

Info: Dumping memory of process svchost.exe (23.8 MB)

Info: Dumping memory of process svchost.exe (36.0 MB)

Info: Dumping memory of process Explorer.EXE (141 MB)

Info: Dumping memory of process spoolsv.exe (34.4 MB)

Info: Dumping memory of process hkcmd.exe (23.3 MB)

Info: Dumping memory of process KVMonXP.kxp (78.0 MB)

Info: Dumping memory of process hqtray.exe (41.0 MB)

Info: Dumping memory of process peer.exe (32.0 MB)

Info: Dumping memory of process ctfmon.exe (23.6 MB)

Info: Dumping memory of process Thunder5.exe (117 MB)

Info: Dumping memory of process PGPtray.exe (61.5 MB)

Info: Dumping memory of process SnagIt32.exe (187 MB)

Info: Dumping memory of process ImationFlashDetect.exe (24.5 MB)

Info: Dumping memory of process PGPserv.exe (29.4 MB)

Info: Dumping memory of process SeaPort.exe (37.1 MB)

Info: Dumping memory of process vmount2.exe (32.5 MB)

Info: Dumping memory of process TSCHelp.exe (21.7 MB)

Info: Dumping memory of process vmnat.exe (8.78 MB)

Info: Dumping memory of process vmnetdhcp.exe (8.52 MB)

Info: Dumping memory of process vmware-authd.exe (51.2 MB)

Info: Dumping memory of process alg.exe (29.9 MB)

Info: Dumping memory of process svchost.exe (29.3 MB)

Info: Dumping memory of process PGPfsd.exe (35.0 MB)

Info: Dumping memory of process conime.exe (23.9 MB)



Hint: Starting program module: DumpProcessList  (acquire process list)

Info: Process list:

Info: System

Info: smss.exe

Info: csrss.exe

Info: winlogon.exe

Info: services.exe

Info: lsass.exe

Info: svchost.exe

Info: svchost.exe

Info: svchost.exe

Info: KVSrvXP.exe

Info: svchost.exe

Info: svchost.exe

Info: Explorer.EXE

Info: spoolsv.exe

Info: hkcmd.exe

Info: KVMonXP.kxp

Info: hqtray.exe

Info: peer.exe

Info: ctfmon.exe

Info: Thunder5.exe

Info: PGPtray.exe

Info: SnagIt32.exe

Info: ImationFlashDetect.exe

Info: PGPserv.exe

Info: SeaPort.exe

Info: vmount2.exe

Info: TSCHelp.exe

Info: vmnat.exe

Info: vmnetdhcp.exe

Info: vmware-authd.exe

Info: alg.exe

Info: svchost.exe

Info: PGPfsd.exe

Info: conime.exe

Info: firefox.exe



Hint: Starting program module: DumpDriverList  (acquire driver list)

Result: Abiosdsk: Device driver, stopped

Result: abp480n5: Device driver, stopped

Result: ACPI (Microsoft ACPI Driver): Device driver, stopped

Result: ACPIEC: Device driver, stopped

Result: adpu160m: Device driver, stopped

Result: aeaudio: Device driver, stopped

Result: aec (Microsoft Kernel Acoustic Echo Canceller): Device driver, stopped

Result: AFD: Device driver, stopped

Result: Aha154x: Device driver, stopped

Result: aic78u2: Device driver, stopped

Result: aic78xx: Device driver, stopped

Result: akshasp (Aladdin HASP Key): Device driver, stopped

Result: aksusb (Aladdin USB Key): Device driver, stopped

Result: Alerter: Service sharing a process with other services, stopped

Result: ALG (Application Layer Gateway Service): Service running in its own process, stopped

Result: AliIde: Device driver, stopped

Result: amsint: Device driver, stopped

Result: AppMgmt (Application Management): Service sharing a process with other services, stopped

Result: asc: Device driver, stopped

Result: asc3350p: Device driver, stopped

Result: asc3550: Device driver, stopped

Result: aspnet_state (ASP.NET State Service): Service running in its own process, stopped

Result: AsyncMac (RAS Asynchronous Media Driver): Device driver, stopped

Result: atapi (標準 IDE/ESDI 硬盤控制器): Device driver, stopped

Result: Atdisk: Device driver, stopped

Result: Atmarpc (ATM ARP Client Protocol): Device driver, stopped

Result: AudioSrv (Windows Audio): Service sharing a process with other services, stopped

Result: audstub (音頻存根驅動程序): Device driver, stopped

Result: BdGuard: File system driver, stopped

Result: Beep: Device driver, stopped

Result: BITS (Background Intelligent Transfer Service): Service sharing a process with other services, stopped

Result: Browser (Computer Browser): Service sharing a process with other services, stopped

Result: BsDeamon: Device driver, stopped

Result: cbidf2k: Device driver, stopped

Result: cd20xrnt: Device driver, stopped

Result: Cdaudio: Device driver, stopped

Result: Cdfs: File system driver, stopped

Result: Cdrom (CD-ROM Driver): Device driver, stopped

Result: cercsr6: Device driver, stopped

Result: Changer: Device driver, stopped

Result: CiSvc (Indexing Service): , stopped

Result: ClipSrv (ClipBook): Service running in its own process, stopped

Result: clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86): Service running in its own process, stopped

Result: CmdIde: Device driver, stopped

Result: COMSysApp (COM+ System Application): Service running in its own process, stopped

Result: Cpqarray: Device driver, stopped

Result: CryptSvc (Cryptographic Services): Service sharing a process with other services, stopped

Result: dac960nt: Device driver, stopped

Result: DcomLaunch (DCOM 服務器進程啟動器): Service sharing a process with other services, stopped

Result: Dhcp (DHCP Client): Service sharing a process with other services, stopped

Result: Disk (磁盤驅動器): Device driver, stopped

Result: dmadmin (Logical Disk Manager Administrative Service): Service sharing a process with other services, stopped

Result: dmboot: Device driver, stopped

Result: dmio (Logical Disk Manager Driver): Device driver, stopped

Result: dmload: Device driver, stopped

Result: dmserver (Logical Disk Manager): Service sharing a process with other services, stopped

Result: DMusic (Microsoft Kernel DLS Syntheiszer): Device driver, stopped

Result: Dnscache (DNS Client): Service sharing a process with other services, stopped

Result: Dot3svc (Wired AutoConfig): Service sharing a process with other services, stopped

Result: dpti2o: Device driver, stopped

Result: drmkaud (Microsoft Kernel DRM Audio Descrambler): Device driver, stopped

Result: E1000 (Intel(R) PRO/1000 Adapter Driver): Device driver, stopped

Result: EapHost (Extensible Authentication Protocol Service): Service sharing a process with other services, stopped

Result: ERSvc (Error Reporting Service): Service sharing a process with other services, stopped

Result: Eventlog (Event Log): Service sharing a process with other services, stopped

Result: EventSystem (COM+ Event System): Service sharing a process with other services, stopped

Result: Fastfat: File system driver, stopped

Result: FastUserSwitchingCompatibility (Fast User Switching Compatibility): Service sharing a process with other services, stopped

Result: Fdc (Floppy Disk Controller Driver): Device driver, stopped

Result: Fips: Device driver, stopped

Result: Flpydisk (軟盤驅動程序): Device driver, stopped

Result: FltMgr: File system driver, stopped

Result: FsVga: Device driver, stopped

Result: Ftdisk (Volume Manager Driver): Device driver, stopped

Result: GetDataMip: Device driver, stopped

Result: Gpc (Generic Packet Classifier): Device driver, stopped

Result: Hardlock: Device driver, stopped

Result: Haspnt: Device driver, stopped

Result: hcmon (VMware hcmon): Device driver, stopped

Result: HdFw_slot: Device driver, stopped

Result: HDPT (HDPT Miniport): Device driver, stopped

Result: helpsvc (Help and Support): Service sharing a process with other services, stopped

Result: HidServ (Human Interface Device Access): Service sharing a process with other services, stopped

Result: HidUsb (Microsoft HID Class Driver): Device driver, stopped

Result: hkmsvc (Health Key and Certificate Management Service): Service sharing a process with other services, stopped

Result: hpn: Device driver, stopped

Result: HTTP: Device driver, stopped

Result: HTTPFilter (HTTP SSL): Service sharing a process with other services, stopped

Result: i2omgmt: Device driver, stopped

Result: i2omp: Device driver, stopped

Result: i8042prt (i8042 鍵盤及 PS/2 鼠標端口驅動程序): Device driver, stopped

Result: ialm: Device driver, stopped

Result: Imapi (CD 燒製篩選驅動器): Device driver, stopped

Result: ImapiService (IMAPI CD-Burning COM Service): Service running in its own process, stopped

Result: ini910u: Device driver, stopped

Result: IntelIde: Device driver, stopped

Result: intelppm (Intel Processor Driver): Device driver, stopped

Result: ioperm (ioperm support for Cygwin driver): Device driver, stopped

Result: Ip6Fw (IPv6 Windows Firewall Driver): Device driver, stopped

Result: IpFilterDriver (IP Traffic Filter Driver): Device driver, stopped

Result: IpInIp (IP in IP Tunnel Driver): Device driver, stopped

Result: IpNat (IP Network Address Translator): Device driver, stopped

Result: IPSec (IPSEC driver): Device driver, stopped

Result: IRENUM (IR Enumerator Service): Device driver, stopped

Result: isapnp (PnP ISA/EISA Bus Driver): Device driver, stopped

Result: JmArpHook: Device driver, stopped

Result: JmFwDDos: Device driver, stopped

Result: Kbdclass (Keyboard Class Driver): Device driver, stopped

Result: kmixer (Microsoft Kernel Wave Audio Mixer): Device driver, stopped

Result: KRegEx: Device driver, stopped

Result: KSecDD: Device driver, stopped

Result: KSysCall (Jiangmin Antivirus Software - SysCall Services): Device driver, stopped

Result: KSysMon (Jiangmin Antivirus Software - System Monitor): Device driver, stopped

Result: KSysTrace (Jiangmin Antivirus Software - File Tracer): Device driver, stopped

Result: KVFileGuard (KVFileGuard From Jiangmin): File system driver, stopped

Result: KVREDIR: Device driver, stopped

Result: lanmanserver (Server): Service sharing a process with other services, stopped

Result: lanmanworkstation (Workstation): Service sharing a process with other services, stopped

Result: lbrtfdc: Device driver, stopped

Result: LmHosts (TCP/IP NetBIOS Helper): Service sharing a process with other services, stopped

Result: Messenger: Service sharing a process with other services, stopped

Result: mnmdd: Device driver, stopped

Result: mnmsrvc (NetMeeting Remote Desktop Sharing): , stopped

Result: Modem: Device driver, stopped

Result: Mouclass (Mouse Class Driver): Device driver, stopped

Result: mouhid (Mouse HID Driver): Device driver, stopped

Result: MountMgr (Mount Point 管理程序): Device driver, stopped

Result: mraid35x: Device driver, stopped

Result: MRxDAV (WebDav Client Redirector): File system driver, stopped

Result: MRxSmb: File system driver, stopped

Result: MSDTC (Distributed Transaction Coordinator): Service running in its own process, stopped

Result: Msfs: File system driver, stopped

Result: MSIServer (Windows Installer): Service sharing a process with other services, stopped

Result: MSKSSRV (Microsoft Streaming Service Proxy): Device driver, stopped

Result: MSPCLOCK (Microsoft Streaming Clock Proxy): Device driver, stopped

Result: MSPQM (Microsoft Streaming Quality Manager Proxy): Device driver, stopped

Result: mssmbios (Microsoft System Management BIOS Driver): Device driver, stopped

Result: Mup: File system driver, stopped

Result: napagent (Network Access Protection Agent): Service sharing a process with other services, stopped

Result: NDIS (NDIS System Driver): Device driver, stopped

Result: NdisTapi (Remote Access NDIS TAPI Driver): Device driver, stopped

Result: Ndisuio (NDIS 用戶模式 I/O 協議): Device driver, stopped

Result: NdisWan (Remote Access NDIS WAN Driver): Device driver, stopped

Result: NDProxy (NDIS Proxy): Device driver, stopped

Result: NetBIOS (NetBIOS Interface): File system driver, stopped

Result: NetBT (NetBios over Tcpip): Device driver, stopped

Result: NetDDE (Network DDE): Service sharing a process with other services, stopped

Result: NetDDEdsdm (Network DDE DSDM): Service sharing a process with other services, stopped

Result: Netlogon (Net Logon): Service sharing a process with other services, stopped

Result: Netman (Network Connections): , stopped

Result: Nla (Network Location Awareness (NLA)): Service sharing a process with other services, stopped

Result: Npfs: File system driver, stopped

Result: Ntfs: File system driver, stopped

Result: NtLmSsp (NT LM Security Support Provider): Service sharing a process with other services, stopped

Result: NtmsSvc (Removable Storage): Service sharing a process with other services, stopped

Result: Null: Device driver, stopped

Result: NwlnkFlt (IPX Traffic Filter Driver): Device driver, stopped

Result: NwlnkFwd (IPX Traffic Forwarder Driver): Device driver, stopped

Result: OMCI: Device driver, stopped

Result: Parport (Parallel port driver): Device driver, stopped

Result: PartMgr (分區管理程序): Device driver, stopped

Result: ParVdm: Device driver, stopped

Result: PCI (PCI Bus Driver): Device driver, stopped

Result: PCIDump: Device driver, stopped

Result: PCIIde: Device driver, stopped

Result: Pcmcia: Device driver, stopped

Result: PDCOMP: Device driver, stopped

Result: PDFRAME: Device driver, stopped

Result: PDRELI: Device driver, stopped

Result: PDRFRAME: Device driver, stopped

Result: perc2: Device driver, stopped

Result: perc2hib: Device driver, stopped

Result: PGPdisk: Device driver, stopped

Result: pgpfs (PGP File Sharing): File system driver, stopped

Result: PGPsdkDriver: Device driver, stopped

Result: PGPserv: , stopped

Result: PGPwded (PGPwded Storage Filter Service): Device driver, stopped

Result: PlugPlay (Plug and Play): Service sharing a process with other services, stopped

Result: PolicyAgent (IPSEC Services): Service sharing a process with other services, stopped

Result: PptpMiniport (WAN Miniport (PPTP)): Device driver, stopped

Result: ProtectedStorage (Protected Storage): , stopped

Result: PSched (QoS Packet Scheduler): Device driver, stopped

Result: Ptilink (Direct Parallel Link Driver): Device driver, stopped

Result: ql1080: Device driver, stopped

Result: Ql10wnt: Device driver, stopped

Result: ql12160: Device driver, stopped

Result: ql1240: Device driver, stopped

Result: ql1280: Device driver, stopped

Result: RasAcd (Remote Access Auto Connection Driver): Device driver, stopped

Result: RasAuto (Remote Access Auto Connection Manager): Service sharing a process with other services, stopped

Result: Rasl2tp (WAN Miniport (L2TP)): Device driver, stopped

Result: RasMan (Remote Access Connection Manager): Service sharing a process with other services, stopped

Result: RasPppoe (遠程訪問 PPPOE 驅動程序): Device driver, stopped

Result: Raspti (Direct Parallel): Device driver, stopped

Result: Rdbss: File system driver, stopped

Result: RDPCDD: Device driver, stopped

Result: rdpdr (Terminal Server Device Redirector Driver): Device driver, stopped

Result: RDPWD: Device driver, stopped

Result: RDSessMgr (Remote Desktop Help Session Manager): Service running in its own process, stopped

Result: redbook (Digital CD Audio Playback Filter Driver): Device driver, stopped

Result: RemoteAccess (Routing and Remote Access): Service sharing a process with other services, stopped

Result: RemoteRegistry (Remote Registry): Service sharing a process with other services, stopped

Result: RpcLocator (Remote Procedure Call (RPC) Locator): Service running in its own process, stopped

Result: RpcSs (Remote Procedure Call (RPC)): Service sharing a process with other services, stopped

Result: RSVP (QoS RSVP): Service running in its own process, stopped

Result: SamSs (Security Accounts Manager): Service sharing a process with other services, stopped

Result: SCardSvr (Smart Card): Service sharing a process with other services, stopped

Result: Schedule (Task Scheduler): Service sharing a process with other services, stopped

Result: SeaPort: Service running in its own process, stopped

Result: Secdrv: Device driver, stopped

Result: seclogon (Secondary Logon): , stopped

Result: SENS (System Event Notification): Service sharing a process with other services, stopped

Result: serenum (Serenum Filter Driver): Device driver, stopped

Result: Serial (Serial port driver): Device driver, stopped

Result: Sfloppy: Device driver, stopped

Result: SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)): Service sharing a process with other services, stopped

Result: ShellHWDetection (Shell Hardware Detection): Service sharing a process with other services, stopped

Result: Simbad: Device driver, stopped

Result: SmartMountImDisk (Smart Mount ImDisk Driver): Device driver, stopped

Result: SmartMountImDSvc (Smart Mount ImDisk Helper Service): Service running in its own process, stopped

Result: smwdm: Device driver, stopped

Result: Sparrow: Device driver, stopped

Result: splitter (Microsoft Kernel Audio Splitter): Device driver, stopped

Result: Spooler (Print Spooler): , stopped

Result: sr (System Restore Filter Driver): File system driver, stopped

Result: srservice (System Restore Service): Service sharing a process with other services, stopped

Result: Srv: File system driver, stopped

Result: SSDPSRV (SSDP Discovery Service): Service sharing a process with other services, stopped

Result: stisvc (Windows Image Acquisition (WIA)): Service sharing a process with other services, stopped

Result: swenum (Software Bus Driver): Device driver, stopped

Result: swmidi (Microsoft Kernel GS Wavetable Synthesizer): Device driver, stopped

Result: SwPrv (MS Software Shadow Copy Provider): Service running in its own process, stopped

Result: symc810: Device driver, stopped

Result: symc8xx: Device driver, stopped

Result: sym_hi: Device driver, stopped

Result: sym_u3: Device driver, stopped

Result: sysaudio (Microsoft Kernel System Audio Device): Device driver, stopped

Result: SysGuard (Jiangmin AntiVirus Software - System Guard): Device driver, stopped

Result: SysmonLog (Performance Logs and Alerts): Service running in its own process, stopped

Result: TapiSrv (Telephony): Service sharing a process with other services, stopped

Result: Tcpip (TCP/IP Protocol Driver): Device driver, stopped

Result: TDPIPE: Device driver, stopped

Result: TDTCP: Device driver, stopped

Result: TermDD (Terminal Device Driver): Device driver, stopped

Result: TermService (Terminal Services): Service sharing a process with other services, stopped

Result: Themes: Service sharing a process with other services, stopped

Result: TlntSvr (Telnet): Service running in its own process, stopped

Result: TosIde: Device driver, stopped

Result: TrkWks (Distributed Link Tracking Client): Service sharing a process with other services, stopped

Result: Udfs: File system driver, stopped

Result: ufad-ws60 (VMware Agent Service): Service running in its own process, stopped

Result: ultra: Device driver, stopped

Result: Update (Microcode Update Driver): Device driver, stopped

Result: upnphost (Universal Plug and Play Device Host): Service sharing a process with other services, stopped

Result: UPS (Uninterruptible Power Supply): Service running in its own process, stopped

Result: usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver): Device driver, stopped

Result: usbhub (USB2 Enabled Hub): Device driver, stopped

Result: usbkey (USB Dongle): Device driver, stopped

Result: USBSTOR (USB 大容量存儲設備): Device driver, stopped

Result: usbuhci (Microsoft USB Universal Host Controller Miniport Driver): Device driver, stopped

Result: VgaSave (VGA 顯示控制器。): Device driver, stopped

Result: ViaIde: Device driver, stopped

Result: VMAuthdService (VMware Authorization Service): Service running in its own process, stopped

Result: vmci (VMware vmci): Device driver, stopped

Result: vmkbd (VMware kbd): Device driver, stopped

Result: VMnetAdapter (VMware Virtual Ethernet Adapter Driver): Device driver, stopped

Result: VMnetBridge (VMware Bridge Protocol): Device driver, stopped

Result: VMnetDHCP (VMware DHCP Service): Service running in its own process, stopped

Result: VMnetuserif (VMware Network Application Interface): Device driver, stopped

Result: vmount2 (VMware Virtual Mount Manager Extended): Service running in its own process, stopped

Result: VMparport (VMware VMparport): Device driver, stopped

Result: VMware NAT Service: Service running in its own process, stopped

Result: vmx86 (VMware vmx86): Device driver, stopped

Result: VolSnap: Device driver, stopped

Result: VSS (Volume Shadow Copy): Service running in its own process, stopped

Result: vstor2 (Vstor2 Virtual Storage Driver): Device driver, stopped

Result: vstor2-ws60 (Vstor2 WS60 Virtual Storage Driver): Device driver, stopped

Result: W32Time (Windows Time): Service sharing a process with other services, stopped

Result: Wanarp (Remote Access IP ARP Driver): Device driver, stopped

Result: WDICA: Device driver, stopped

Result: wdmaud (Microsoft WINMM WDM Audio Compatibility Driver): Device driver, stopped

Result: WebClient: Service sharing a process with other services, stopped

Result: winmgmt (Windows Management Instrumentation): Service sharing a process with other services, stopped

Result: WmdmPmSN (Portable Media Serial Number Service): Service sharing a process with other services, stopped

Result: Wmi (Windows Management Instrumentation Driver Extensions): Service sharing a process with other services, stopped

Result: WmiApSrv (WMI Performance Adapter): Service running in its own process, stopped

Result: WS2IFSL (Windows 套接字 2 .0 Non-IFS 服務提供程序支持環境): Device driver, stopped

Result: wscsvc (Security Center): Service sharing a process with other services, stopped

Result: wuauserv (Automatic Updates): Service sharing a process with other services, stopped

Result: WZCSVC (Wireless Zero Configuration): Service sharing a process with other services, stopped

Result: xmlprov (Network Provisioning Service): Service sharing a process with other services, stopped

Result: {1DFCE140-4FDA-4F95-ADC8-A3ED252DCF93} (KVSrvXP-{1DFCE140-4FDA-4F95-ADC8-A3ED252DCF93}): , stopped

Result: {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver): Device driver, stopped

Result: {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver): Device driver, stopped

Result: Driver list created successfully.



Hint: Starting program module: ATACheck  (check ATA disk security settings)

Result: ATA security settings for Disk 0 (ST3802110A, 5LR6NYYZ)

Result: ATA security is disabled.

Result: Frozen: Yes



Hint: Starting program module: HPACheck  (check for a host protected area)

Result: No HPA was found on this computer.



Hint: Starting program module: ListMountedVolumes  (list all volumes)

Result: List of mounted volumes:

Result: C: resides on disk 0, start sector: 63, file system: NTFS.

Result: E: resides on disk 0, start sector: 20482938, file system: NTFS.

Result: F: resides on disk 0, start sector: 61448625, file system: NTFS.

Result: G: uses file system: FAT32

Result: List of known disks:

Result: Disk 0 is a ST3802110A, serial no.: (unknown), capacity: 74.5 GB, bus: ATA.



Hint: Starting program module: EncryptionCheckProcessList  (encryption process check)

Result: Found the following suspicious processes: PGPtray.exe, PGPserv.exe



Hint: Forcing CheckDriverListForEncryption  (encryption driver check)

Result: No drivers for encryption found.



Hint: Forcing EncryptionCheckProcessMemory  (search process memory for encryption keywords)

Result: Found search string "PGPsdkService" in process PGPserv.exe.  (PGP found)

Result: One suspicious string was found once in one process.



Hint: Forcing EncryptionCheckDiskSectors  (check for encrypted disks)

Result: No encrypted disks were found.



Hint: Forcing CheckForBitLockerVolumes  (check for BitLocker)


Result: Found no volume that is encrypted with BitLocker.
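The three encryption checks above are driven entirely by the lists in the ini file: EncryptionCheckProcessList matches running image names against [SearchProcessListForEncryption], CheckDriverListForEncryption matches driver names against [SearchDriverListForEncryption], and EncryptionCheckProcessMemory searches each process's memory for the strings in [SearchProcessMemoryForEncryption]. The following Python script is an added illustration of that logic, not X-Ways code: it parses an abbreviated copy of the ini printed above (the parsing rules, `#` comment, `+` forced step, trailing `-network` flag, are inferred from that ini) and runs the checks over a constructed process list, driver list and process-memory snapshot modelled on the log. The snapshot contents are assumptions, not data from the post.

```python
"""Parse a capture.ini-style config and run the list-driven encryption checks.

Added example, not X-Ways Capture code. Parsing rules are inferred from the
ini shown in the post; the process/driver/memory snapshot is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed, abbreviated copy of the ini printed in the post.
SAMPLE_INI = """\
[user]
name=Sprite Guo
date=16
key=

[steps]
AppendIni
#GetUserDate
DumpProcessList
EncryptionCheckProcessList
+CheckDriverListForEncryption
+EncryptionCheckProcessMemory
LogicalBackup -network

[settings]
language=English
LogHints
PhysicalImageCalcHash=md5

[SearchProcessMemoryForEncryption]
#Internal name of PGPserv.exe (PGP Desktop 9):
PGPsdkService
BCResident

[SearchProcessListForEncryption]
#PGP Desktop 9:
PGPserv.exe
PGPtray.exe
Bcresident.exe
TrueCrypt.exe

[SearchDriverListForEncryption]
truecrypt
"""


@dataclass
class Step:
    name: str
    forced: bool = False                      # '+' prefix; the log shows "Forcing <module>"
    flags: List[str] = field(default_factory=list)  # e.g. ["-network"]


def parse_ini(text: str) -> Dict[str, list]:
    """Return {section: items}. [steps] items are Step objects, key=value lines
    become (key, value) tuples, bare words stay strings, '#' lines are dropped."""
    sections: Dict[str, list] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
            continue
        if current is None:
            raise ValueError(f"item outside any section: {line!r}")
        if current == "steps":
            parts = line.lstrip("+").split()
            sections[current].append(Step(parts[0], line.startswith("+"), parts[1:]))
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
        else:
            sections[current].append(line)
    return sections


def check_process_list(cfg: Dict[str, list], running: List[str]) -> List[str]:
    """EncryptionCheckProcessList: case-insensitive image-name match, in process order."""
    wanted = {p.lower() for p in cfg.get("SearchProcessListForEncryption", [])}
    return [p for p in running if p.lower() in wanted]


def check_driver_list(cfg: Dict[str, list], drivers: List[str]) -> List[str]:
    """CheckDriverListForEncryption: substring match against the driver names."""
    wanted = [d.lower() for d in cfg.get("SearchDriverListForEncryption", [])]
    return [d for d in drivers if any(w in d.lower() for w in wanted)]


def check_process_memory(cfg: Dict[str, list], memory: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """EncryptionCheckProcessMemory: (needle, process, hit count) for every match."""
    hits = []
    for needle in cfg.get("SearchProcessMemoryForEncryption", []):
        pattern = needle.encode()
        for proc, blob in memory.items():
            count = blob.count(pattern)
            if count:
                hits.append((needle, proc, count))
    return hits


# Constructed snapshot modelled on the post's process and driver lists.
RUNNING = ["System", "smss.exe", "csrss.exe", "winlogon.exe", "PGPtray.exe",
           "SnagIt32.exe", "PGPserv.exe", "PGPfsd.exe", "firefox.exe"]
DRIVERS = ["PGPdisk", "pgpfs", "PGPsdkDriver", "PGPwded", "Tcpip", "Ntfs"]
MEMORY = {
    "PGPserv.exe": b"\x00\x00PGPsdkService\x00PGP SDK Service\x00",
    "PGPtray.exe": b"\x00PGPtray\x00Tray icon\x00",
    "firefox.exe": b"\x00mozilla\x00",
}


def run_checks(cfg: Dict[str, list] = None) -> Dict[str, list]:
    cfg = cfg or parse_ini(SAMPLE_INI)
    return {
        "processes": check_process_list(cfg, RUNNING),
        "drivers": check_driver_list(cfg, DRIVERS),
        "memory": check_process_memory(cfg, MEMORY),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Against this snapshot the process check reports PGPtray.exe and PGPserv.exe and the memory check finds PGPsdkService once in PGPserv.exe, exactly as in the log. The driver check returns nothing even though PGPdisk, pgpfs, PGPsdkDriver and PGPwded are all loaded, because the default [SearchDriverListForEncryption] contains only truecrypt; coverage of this step is only as good as the list an examiner maintains in capture.ini.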



Hint: Starting program module: LogicalImaging  (logical volume imaging)


Result: Cannot determine disk containing volume G:, imaging it...

Hint: Writing image segment 1 to F:\CAPTURE3\2009-03-23, 10-44-02-Logical Imaging\DriveG.e01.  (writing the image file)

Result: Final hash value of the image (format MD5): 448c7f1fb21c6ec6de0d312854b792dc  (MD5 hash computed)

Result: Writing hash of image to the Encase file.

Result: Image created successfully.

Result: No encrypted volumes found in this step.



Hint: Starting program module: PhysicalImaging  (physical imaging)

Hint: Disk 0 is excluded from imaging, because it contains the output drive.  (Because the evidence files were written to drive F on the same machine, a full image of the hard disk could not be made.)



Hint: Starting program module: LogicalBackup  (logical copy of EFS files)

Hint: Copying files logically will alter NTFS last FILE record modification timestamps.  (searches for and copies EFS files)

Hint: Starting logical copying of all accessible files.

Hint: Excluding Capture start drive C:.  (EFS files on drive C were neither searched for nor copied)

Hint: Copying files from D: ...

Hint: Excluding drive E: because it is listed in the exclusion list.

Hint: F: is excluded from copying, because it contains the output path.

Hint: Copying files from G: ...

Result: Found 0 EFS-encrypted files total. 2 files were copied successfully.

Hint: Program execution completed cleanly.

Hint: Program completed on 23/03/2009, 11:00:00.
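The PhysicalImaging and LogicalBackup hints spell out the exclusion rules that decided the outcome of this test: the drive Capture was started from is skipped, the drive holding the output path is skipped, drives listed under [ExcludeFromLogicalBackup] are skipped, and any physical disk that contains the output drive is not imaged. The script below is an added example (not X-Ways code) that applies those rules to the volume layout from the ListMountedVolumes output and compares the run as performed (start on C:, output on F:) with the setup the post recommends, running from removable media. The volume table is constructed from the log; D: did not appear in ListMountedVolumes, so its disk is marked unknown, and the removable drive X: on disk 1 is an assumption.

```python
"""Replay X-Ways Capture's drive/disk exclusion decisions from the rules in the log.

Added example, not X-Ways code. Volume table is constructed from the post's
ListMountedVolumes output; drive X: is an assumed USB stick.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Volume:
    letter: str
    disk: Optional[int]   # physical disk number; None where Capture could not determine it
    filesystem: str


# Constructed from the log: C:, E:, F: on disk 0; G: is the PGP virtual disk
# whose backing disk Capture could not determine; D: only shows up in LogicalBackup.
VOLUMES = [
    Volume("C", 0, "NTFS"),
    Volume("D", None, "NTFS"),
    Volume("E", 0, "NTFS"),
    Volume("F", 0, "NTFS"),
    Volume("G", None, "FAT32"),
]


def drive_letter(path: str) -> str:
    """'F:\\CAPTURE3' -> 'F'."""
    return PureWindowsPath(path).drive.rstrip(":").upper()


def plan_logical_backup(volumes: List[Volume], start_path: str, output_path: str,
                        exclude_list: List[str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (letters copied, {letter: reason skipped}) in the order the log checks them."""
    start, out = drive_letter(start_path), drive_letter(output_path)
    excluded = {drive_letter(e) for e in exclude_list}
    copied, skipped = [], {}
    for v in volumes:
        if v.letter == start:
            skipped[v.letter] = "Capture start drive"
        elif v.letter == out:
            skipped[v.letter] = "contains the output path"
        elif v.letter in excluded:
            skipped[v.letter] = "listed in the exclusion list"
        else:
            copied.append(v.letter)
    return copied, skipped


def plan_physical_imaging(volumes: List[Volume], output_path: str) -> List[int]:
    """Physical disks that will be imaged: every known disk except those holding the output drive."""
    out = drive_letter(output_path)
    output_disks = {v.disk for v in volumes if v.letter == out and v.disk is not None}
    return [d for d in sorted({v.disk for v in volumes if v.disk is not None}) if d not in output_disks]


def compare_scenarios() -> Tuple[dict, dict]:
    """Run as in the post (start C:, output F:) versus start and output on a removable drive X:."""
    exclusion = ["E:\\", "F:\\"]          # [ExcludeFromLogicalBackup] from the post's ini
    as_run = {
        "logical": plan_logical_backup(VOLUMES, r"C:\xwcapture\Windows\capture.exe",
                                       r"F:\CAPTURE3", exclusion),
        "physical": plan_physical_imaging(VOLUMES, r"F:\CAPTURE3"),
    }
    with_usb = VOLUMES + [Volume("X", 1, "FAT32")]   # assumed USB stick on disk 1
    recommended = {
        "logical": plan_logical_backup(with_usb, r"X:\xwcapture\Windows\capture.exe",
                                       r"X:\CAPTURE", exclusion),
        "physical": plan_physical_imaging(with_usb, r"X:\CAPTURE"),
    }
    return as_run, recommended


if __name__ == "__main__":
    for label, plan in zip(("as run", "from removable media"), compare_scenarios()):
        print(f"{label}: copy {plan['logical'][0]}, skip {plan['logical'][1]}, "
              f"image disks {plan['physical']}")
```

As run, only D: and G: are copied and no physical disk is imaged, which is the log's outcome and why the EFS files on C: went unnoticed. With the program and the output path on a removable drive, C: is copied and disk 0 is imaged; E: and F: are still skipped because they remain in the ini exclusion list, so that list needs trimming as well before a real acquisition.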




Article reposted from Computer Forensics Technology (計算機取證技術).
