Hardware.com.br

RecEnv_RamDisk log found on a hard drive that was copied via Kali Linux

#1 By leoplac 16/07/2020 - 16:11
Hello, everyone. I made a forensic copy of a hard drive via Kali Linux and, when I opened it, it contained almost nothing: only, inside the Windows folder, another folder called Log and, inside that, a folder called RecEnv_RamDisk that contained 4 files (diagerr.xml, diagwn.xml, setupact.xml, setuperr.xml).

When I opened the file setupact.xml, it contained the following information:
2020-05-27 17:02:40, Info Starting enumeration of PnP devices.
2020-05-27 17:02:41, Info Finished enumeration of PnP devices.
2020-05-27 17:02:41, Error Failed to check OS architecture. 0x00000490[gle=0x00000002]
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReIsWimBootEnabled
2020-05-27 17:02:41, Info [recenv.exe] Parameters: pszWinDir: E:\Windows
2020-05-27 17:02:41, Error [recenv.exe] winreArePathsEqualFailed to get attributes for E:\Windows: 0x2
2020-05-27 17:02:41, Warning [recenv.exe] Failed to check whether X:\windows is the current Windows directory
2020-05-27 17:02:41, Info [recenv.exe] RegLoadKey $OFFLINE$SYSTEM failed. Error: 0x3.
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReIsWimBootEnabled returns 0 with last error: 0x0
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReGetConfig
2020-05-27 17:02:41, Info [recenv.exe] Parameters: configWinDir: NULL
2020-05-27 17:02:41, Info [recenv.exe] WinRE config file path: E:\Windows\system32\Recovery\ReAgent.xml
2020-05-27 17:02:41, Warning [recenv.exe] read xml file (E:\Windows\system32\Recovery\ReAgent.xml) failed: 0x3
2020-0-27 17:02:41, Warning [recenv.exe] ReAgentXMLParser: parseConfigFile failed to read config xml file (0x3) in file base\diagnosis\srt\reagent2\reinfo\parser_2.0.cpp line 784
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentXMLParser: parseConfigFile (xml file: E:\Windows\system32\Recovery\ReAgent.xml) returning 0x3
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentConfig: parseConfigFile returned with 0x3
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentConfig::Init failed to init reagent xml parser (0x3) in file base\diagnosis\srt\reagent2\reinfo\parser_2.0.cpp line 1921
2020-05-27 17:02:41, Warning [recenv.exe] WinReGetConfigInternal failed to init agent config (0x3) in file base\diagnosis\srt\reagent2\reinfo\shared.cpp line 162
2020-05-27 17:02:41, Warning [recenv.exe] winre get config failed with error code 0x3
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReGetConfig return value: 0, last error: 0x3
2020-05-27 17:02:41, Error WinReGetConfigEx failed. Error: 0x00000003[gle=0x00000003]
2020-05-27 17:02:41, Error CRecoveryToolAction->Init() failed. Error: 0x00000003[gle=0x00000003]
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReGetConfig
2020-05-27 17:02:41, Info [recenv.exe] Parameters: configWinDir: NULL
2020-05-27 17:02:41, Info [recenv.exe] WinRE config file path: E:\Windows\system32\Recovery\ReAgent.xml
2020-05-27 17:02:41, Warning [recenv.exe] read xml file (E:\Windows\system32\Recovery\ReAgent.xml) failed: 0x3
2020-0-27 17:02:41, Warning [recenv.exe] ReAgentXMLParser: parseConfigFile failed to read config xml file (0x3) in file base\diagnosis\srt\reagent2\reinfo\parser_2.0.cpp line 784
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentXMLParser: parseConfigFile (xml file: E:\Windows\system32\Recovery\ReAgent.xml) returning 0x3
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentConfig: parseConfigFile returned with 0x3
2020-05-27 17:02:41, Warning [recenv.exe] ReAgentConfig::Init failed to init reagent xml parser (0x3) in file base\diagnosis\srt\reagent2\reinfo\parser_2.0.cpp line 1921
2020-05-27 17:02:41, Warning [recenv.exe] WinReGetConfigInternal failed to init agent config (0x3) in file base\diagnosis\srt\reagent2\reinfo\shared.cpp line 162
2020-05-27 17:02:41, Warning [recenv.exe] winre get config failed with error code 0x3
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReGetConfig return value: 0, last error: 0x3
2020-05-27 17:02:41, Error WinReGetConfigEx failed. Error: 0x00000003[gle=0x00000003]
2020-05-27 17:02:41, Error CRecoveryToolAction->Init() failed. Error: 0x00000003[gle=0x00000003]
2020-05-27 17:02:41, Info Invalid launch type for OEM-Front-End, 0x4
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReGetConfig
2020-05-27 17:02:41, Info [recenv.exe] Parameters: configWinDir: NULL
2020-05-27 17:02:41, Info [recenv.exe] Using recovery file at \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] WinRE config file path: \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] Update enhanced config info is enabled.
2020-05-27 17:02:41, Info [recenv.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo (In WinPE) Using winre guid from the config file
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed at: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
2020-05-27 17:02:41, Info [recenv.exe] System is WimBoot: FALSE
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReGetConfig return value: 1, last error: 0x0
2020-05-27 17:02:41, Info Auto launch narrator not specified
2020-05-27 17:02:41, Info Custom boot app not specified
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReGetConfi
2020-05-27 17:02:41, Info [recenv.exe] Parameters: configWinDir: NULL
2020-05-27 17:02:41, Info [recenv.exe] Using recovery file at \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] WinRE config file path: \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] Update enhanced config info is enabled.
2020-05-27 17:02:41, Info [recenv.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo (In WinPE) Using winre guid from the config file
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed at: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
2020-05-27 17:02:41, Info [recenv.exe] System is WimBoot: FALSE
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReGetConfig return value: 1, last error: 0x0
2020-05-27 17:02:41, Info OS volume was not locked or couldn't be processed. Defer unlocking remaining volumes. 0x00000000
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReCreateLogInstanceEx
2020-05-27 17:02:41, Info [recenv.exe] Using recovery file at \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] Update enhanced config info is enabled.
2020-05-27 17:02:41, Info [recenv.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo (In WinPE) Using winre guid from the config file
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReCreateLogInstanceEx returns error code 0x0
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReGetConfig
2020-05-27 17:02:41, Info [recenv.exe] Parameters: configWinDir: NULL
2020-05-27 17:02:41, Info [recenv.exe] Using recovery file at \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] WinRE config file path: \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] Update enhanced config info is enabled.
2020-05-27 17:02:41, Info [recenv.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo (In WinPE) Using winre guid from the config file
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed at: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
2020-05-27 17:02:41, Info [recenv.exe] System is WimBoot: FALSE
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReGetConfig return value: 1, last error: 0x0
2020-05-27 17:02:41, Info Offline scanning application not configured
2020-05-27 17:02:41, Error Invalid path specified
2020-05-27 17:02:41, Info Copying logs from [X:\windows\Logs\RecEnv] to [E:\Windows\Logs\RecEnv_Ramdisk]
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReRestoreLogFiles
2020-05-27 17:02:41, Info [recenv.exe] Using recovery file at \\?\GLOBALROOT\Device\HarddiskVolume1\RECOVERY\WINDOWSRE\ReAgent.xml
2020-05-27 17:02:41, Info [recenv.exe] Update enhanced config info is enabled.
2020-05-27 17:02:41, Info [recenv.exe] ReAgentConfig::ReadBcdAndUpdateEnhancedConfigInfo (In WinPE) Using winre guid from the config file
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed
2020-05-27 17:02:41, Info [recenv.exe] Enter WinReSetTriggerFile
2020-05-27 17:02:41, Info [recenv.exe] Parameters: DirName: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\Logs, fDelete: 0
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReSetTriggerFile return error code: 0x0
2020-05-27 17:02:41, Info [recenv.exe] Exit WinReRestoreLogFiles returns 1 with last error: 0x0
2020-05-27 17:02:51, Info Copying logs from [X:\windows\Logs\RecEnv] to [E:\Windows\Logs\RecEnv_Ramdisk]


Could you tell me whether this hard drive was wiped, or whether this was done deliberately so that the data could not be accessed?
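A triage script for the log format quoted in the post above, added here as an example and not part of the original thread. The function names `parse` and `triage` are hypothetical; the error-code names are the standard Win32 meanings of the codes seen in the log, and the sample is a subset of the quoted lines, including one with the damaged date `2020-0-27`.

```python
import re
from collections import Counter

# Standard Win32 error names for the codes seen in the quoted log.
WIN32 = {0x2: "ERROR_FILE_NOT_FOUND", 0x3: "ERROR_PATH_NOT_FOUND",
         0x490: "ERROR_NOT_FOUND"}
# Tolerates 1-digit month/day so damaged stamps like "2020-0-27" still parse.
LINE = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2}) (\d{2}:\d{2}:\d{2}), "
                  r"(Info|Warning|Error)\s+(?:\[([^\]]+)\] )?(.*)$")
COPY = re.compile(r"Copying logs from \[(.+?)\] to \[(.+?)\]")
CODE = re.compile(r"0x[0-9A-Fa-f]+")

# Subset of the lines quoted in the post, copied verbatim.
SAMPLE = r"""
2020-05-27 17:02:41, Error Failed to check OS architecture. 0x00000490[gle=0x00000002]
2020-05-27 17:02:41, Error [recenv.exe] winreArePathsEqualFailed to get attributes for E:\Windows: 0x2
2020-05-27 17:02:41, Warning [recenv.exe] read xml file (E:\Windows\system32\Recovery\ReAgent.xml) failed: 0x3
2020-0-27 17:02:41, Warning [recenv.exe] ReAgentXMLParser: parseConfigFile failed to read config xml file (0x3) in file base\diagnosis\srt\reagent2\reinfo\parser_2.0.cpp line 784
2020-05-27 17:02:41, Info [recenv.exe] WinRE is installed at: \\?\GLOBALROOT\device\harddisk0\partition1\Recovery\WindowsRE
2020-05-27 17:02:41, Info Copying logs from [X:\windows\Logs\RecEnv] to [E:\Windows\Logs\RecEnv_Ramdisk]
2020-05-27 17:02:51, Info Copying logs from [X:\windows\Logs\RecEnv] to [E:\Windows\Logs\RecEnv_Ramdisk]
"""

def parse(text):
    """Yield (date, time, level, component, message) for each parseable line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groups()

def triage(text):
    """Summarise levels, non-zero error codes, log-copy paths and odd dates."""
    levels, codes, copies, bad_dates = Counter(), Counter(), [], 0
    for date, _time, level, _comp, msg in parse(text):
        levels[level] += 1
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", date):
            bad_dates += 1
        if level != "Info":
            for c in CODE.findall(msg):
                n = int(c, 16)
                if n:
                    codes[WIN32.get(n, hex(n))] += 1
        m = COPY.search(msg)
        if m and m.groups() not in copies:
            copies.append(m.groups())
    return {"levels": dict(levels), "codes": dict(codes),
            "copies": copies, "bad_dates": bad_dates}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
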
#4 By TRONNER
16/07/2020 - 16:46
Unlikely, since the process usually fills the sectors with meaningless characters and other elements; I believe only paid or more professional tools can go deeper into the analysis.