Thread: Recent Activity on mounted image

  1. #1
    Join Date
    Sep 2011
    Location
    Italy
    Posts
    16

    Recent Activity on mounted image

    The Recent Activity works perfectly on a real drive (C:\ with the operating system)... but works only partially on its imaged and then mounted (with OSFMount) drive image.

  2. #2
    Join Date
    Jan 2003
    Location
    Sydney Australia
    Posts
    4,183

    What details are you missing when using the image?

  3. #3
    Join Date
    Sep 2011
    Location
    Italy
    Posts
    16

    The missing details are: all but cookies

    No events, no browsing history, no connected USB devices, no MRU list etc...

    Only cookies are shown

  4. #4
    Join Date
    Jan 2003
    Location
    Sydney Australia
    Posts
    4,183

    Well that's not normal.

    Can you try again in debug mode and send us the log file?

  5. #5
    Join Date
    Sep 2011
    Location
    Italy
    Posts
    16

    Hi, I sent you the log file yesterday... bye!
    Last edited by e.eis; 10-07-2011 at 10:30 AM.

  6. #6
    Join Date
    Mar 2005
    Posts
    917

    If the disk image is from a different version of Windows (e.g. in this case it was a disk image of a Server 2003 system being mounted and scanned from a Windows 7 system) and it is mounted as read-only then the registry files may fail to load during the recent activity scan. Several temporary files need to be created due to the registry differences and the read-only setting was preventing this from happening.

    For the next release of OSForensics we're going to look at automatically copying the files to the OSForensics temporary directory if such a situation occurs. In the meantime you would need to either copy the registry files onto a temporary USB drive (as suggested here http://www.osforensics.com/faqs-and-...try-files.html) or you could create a copy of your disk image and when mounting it uncheck the read-only option.

    Unfortunately we found the cause of this problem just after we built the final V1.0 release. So this fix will have to go into the first patch of V1.0 (i.e. a week or two from now). In the meantime, please use one of the workarounds above.
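
    Added example, not part of the original thread and not OSForensics code: one way to apply the "copy the registry files" workaround from post #6 is to pull the hives off the read-only mounted image into a writable working directory and record a SHA-256 for each copy. It assumes the standard Windows hive locations (`Windows\System32\config` and a per-user `NTUSER.DAT`); the function names are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path

# Standard hive locations relative to the volume root (assumed, not from the thread).
SYSTEM_HIVES = ["SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT"]
PROFILE_ROOTS = ["Documents and Settings", "Users"]  # XP/2003, Vista and later

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def entries(parent):
    """Directory listing that tolerates None, plain files and inaccessible junctions."""
    try:
        return list(parent.iterdir()) if parent else []
    except OSError:
        return []

def child(parent, name):
    """Case-insensitive lookup, so WINDOWS/system32 and Windows/System32 both match."""
    return next((e for e in entries(parent) if e.name.lower() == name.lower()), None)

def find_hives(image_root):
    root = Path(image_root)
    config = child(child(child(root, "Windows"), "System32"), "config")
    found = [child(config, name) for name in SYSTEM_HIVES]
    for profiles in (child(root, name) for name in PROFILE_ROOTS):
        found += [child(profile, "NTUSER.DAT") for profile in entries(profiles)]
    return [p for p in found if p is not None and p.is_file()]

def copy_hives(image_root, work_dir):
    """Copy hives to a writable directory and return {relative path: sha256}."""
    root, manifest = Path(image_root), {}
    for src in find_hives(root):
        rel = src.relative_to(root)
        dst = Path(work_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)  # content only: read-only attributes are not carried over
        digest = sha256(src)
        if sha256(dst) != digest:
            raise OSError(f"copy of {rel} does not match the source")
        manifest[rel.as_posix()] = digest
    return manifest
```

    Call `copy_hives` with the mounted image's drive root and an empty case folder on a writable disk, then point the scan at the copies; the returned manifest ties each copy back to the evidence file it came from.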

  7. #7
    Join Date
    Sep 2011
    Location
    Italy
    Posts
    16

    Thanks

    Thank you so much!

  8. #8
    Join Date
    Jan 2003
    Location
    Sydney Australia
    Posts
    4,183

    A patch was released today to correct this.
    http://www.osforensics.com/download.html

  9. #9
    Join Date
    Nov 2011
    Posts
    14

    OSF version 1.0.1003, OS WinXP 64-bit Italian: the problem is still there with any version of Windows in the mounted image (I mean Recent Activity fetches just the cookies and nothing else) ...

  10. #10
    Join Date
    Mar 2005
    Posts
    917

    I've verified the original problem is fixed, however this sounds more like a localisation issue where we're not looking in the correct location for the registry files on an Italian installation.

    Could you please run the recent activity function after starting OSForensics in debug mode and send us a copy of the log file?
