jschicht / rawcopy Goto Github PK

I'm seeing the following error when running RawCopy in Windows 7:
Error in function CreateFile: Access is denied.

I'm running the command prompt as an administrator.

When I make a link to a different directory, rawcopy does not copy the whole file.

Example:

mklink /d "c:\asset" "C:"

rawcopy /FileNamePath:c:\asset\hiberfil.sys /OutputPath:c:\temp

The actual size of hiberfil.sys is 6,662,176 KB

The size of the copied hiberfil.sys is 467,456 KB

RawCopy64.exe is detected as malware (Microsoft Windows Defender and VirusTotal) for some days.

Building it with the actual version of AutoIt3 and SciTE4Autoit3 (AutoIt3Wrapper) fixed the problem for me.

I am afraid, however, that this solution will be of a short or limited duration only!?

Firstly, thanks for this great program.
I'm currently using it to copy Outlook pst files that are locked whist they are in use.

The files are copied correctly and when I look at the file size in Windows they are the same.

However when I check the files in Cygwin using md5sum and openssl sha1 the results don't match.
Digging further using cmp I get the following message: differ: byte 1758375937, line 5547995.

So it seems the difference is small, but it's there.

Is this an issue?

Thanks

To clarify, these projects are all closed source? The code is not available? Or is the code hosted elsewhere?

I have an error during Registery Hive Command:

RawCopy64.exe /FileNamePath:C:\WINDOWS\system32\config\SYSTEM /OutputPath:D:\output

After start;
Error occur:
"Line 17247 (File "C:\RawCopy64.exe"):
Array Variable has incorrect number of subscript or subscript dimension range exceeded"

Hey Jschicht,

Awesome program overall, but I seem to be running into an issue while using Windows Management Instrumentation Command-line (WMIC).

I have RAWCOPY copied to a local adminshare on a target machine and remotely envoke the command using WMIC. The command appears to execute properly, however, the output file is 231,424KB, when the source NT_USER.dat file is only ~3MB. What's interesting is if I copy another file "NT_USER" file, the output size is the same. IE: if I copy NT_USER.INI which is only ~1KB, the output still is 231,424KB.

Any idea what might be causing the issue?

For reference the command I use is:

wmic /node:[REMOTE_IP] process call create "cmd.exe /c \[REMOTEIP][ADMINSHARE]\rawcopy.exe /filenamepath:c:[SOURCEFILEPATH]\NT_USER.DAT /outputpath:\[REMOTEIP][ADMINSHARE]"

Any help is appreciated!

Thank you.

When trying to run rawcopy64.exe on Windows 64 bit i get error :

This version Rawcopy64.exe is incompatible with version Windows

How to resolve this issue?

Thanks in advance

First of all thanks for making this great tool.

This would have been a truly amazing tool for the DFIR community if the tool supported wildcards.
For example, it would have been awesome to copy all SAM* files with just one command:
"c:\windows\system32\config\SAM*"

Does rawcopy work in Windows 10?

James

RawCopy not able to execute in Windows2000. It show "RawCopy.exe is not a valid Win32 application."

Hello,

I just tried RawCopy while looking for an alternative to Hobocopy that would work on my new Windows10 computer.

It looks like RawCopy requires opening a cmd window as Admin :

c:\Temp\Backup>RawCopy.exe /FileNamePath:c:\Documents\blah\blah.txt
RawCopy v1.0.0.19

Error in function CreateFile: Access is denied.
 for: \\.\c:
CreateFile: Access is denied.

Cheers,

To my understanding if you have read access to the file, you don't need admin privs to copy it using rawcopy even if Windows protects that file, however, each time I run rawcopy it asks for admin privs by default.

Does this support alternate data streams and skipping sparse clusters as seen in USN journals?

Thanks.

In this code, file name lookups don't use the per-volume uppercase table ($UpCase), a language-specific comparison operator (=) is used instead:

This can result in behaviour described in this post: https://dfir.ru/2021/07/15/playing-with-case-insensitive-file-names/

As you describe this software is licensed under a CC license. However CC licenses should not be used for software.
I would recommend to choose another software license for this purpose.

More information about licenses on Github: https://help.github.com/articles/open-source-licensing/

Copying ntuser.dat on windows 10 64 bit fails if file path is used, but works if index number is specified. It looks that _GetIndexNumber function returns error, but getting index number in this way works:

Get Index Number.txt

Just curious if rawcopy can copy a directory with/without recurse and not just one file. Possible feature request?

Hi to all,

When I try to call to RawCopy or RawCopy64, ever appear the UAC message limitation with indication of author not is recognized. Any solution?

Thanks in advanced,
Oscar.

Hi,
I'm trying to copy a locked file (.ost) from a remote mapped folder P: (where outlook is running) to another mapped remote folder M: (NAS). Using this command:

RawCopy64.exe /FileNamePath:P:\mypath\myfile.ost /OutputPath:M:\NASpat /OutputName:myfile.ost

Error in function CreateFile: Access is denied. for \.\P:

what i'm doing wrong?
thanks

In the current version of RawCopy (1.0.0.10), the destination path and file name are ignored. Instead, the file is copied to the RawCopy directory with the original file name. I have tried both relative and absolute file names to no avail.

Attempted command:
rawcopy-master\rawcopy.exe C:\Users\user\ntuser.dat test.dat
rawcopy-master\rawcopy.exe C:\Users\user\ntuser.dat C:\test.dat

Both results in the file being copied to rawcopy-master\ntuser.dat

Thanks!
David

Would be really useful if you could use this tool to copy out files from e01/vhd/vmdk files
Ie rawcopy -I image.vmdk
Always find it annoying when testing to load up the snapshot in xways each time to pull out the registry files I need.

If NOT StringMid($record,1,8) = '46494C45' Then

В этой строке - две грубейших ошибки. Во-первых, автор забыл "0x" перед "46494С45" (это проверка наличия строки FILE в начале записи MFT). Сама по себе работа с бинарными данными в виде шестнадцатеричного строкового представления (сравнение, обрезание и так далее) сразу бросается в глаза как порочная практика в этой программе, и стоило ожидать, что она приведёт к ошибке. И казалось бы, автор должен был это заметить, ведь теперь условие в этой строке должно было бы выполняться каждый раз (и каждый раз выходила бы ошибка), но нет: в этой же строке автор допустил вторую ошибку - неправильное представление о приоритете операторов. Оператор NOT имеет больший приоритет, чем оператор сравнения, а автор забыл (или не знал) об этом. В результате теперь всё наоборот: условие в этой строке НИКОГДА не выполняется, и данная проверка не выполняется.

Is support UNC file path, eg. \\?\Volume{GUID}

Trying to copy a file inside the 'WindowsApps' folder to outside another folder. Rawcopy request administrator rights via UAC which I accept but then rawcopy window closes itself without any message. The file is not copied.

tying to copy veracrypt container file "failure" located at the root of S: drive while it is in currently mounted so I can automate backups while in use because the file itself is quite large at 50gb and growing.

C:\Users\rk\Downloads\RawCopy_v1.0.0.7>rawcopy64 s:\failure q:\backup
RawCopy v1.0.0.6

Error: NtOpenFile returned: 0xC0000043
Opening target file failed, now re-trying with INDX method from parent folder
Error: Cannot get IndexNumber of parent folder

C:\Users\rk\Downloads\RawCopy_v1.0.0.7>rawcopy64 /FileNamePath:S:\failure /OutputPath:Q:\backup
RawCopy v1.0.0.6

Error: File probably locked

C:\Users\rk\Downloads\RawCopy_v1.0.0.7>

If you run the following command, even though the source file does not exist RawCopy just warns you and then starts copying a file anyway to the destination. Looking at what's created, it appears to be the MFT file (not confirmed). Looks like this started happening on version 1.0.0.13 (1.0.0.12 works as expected).

rawCopy64.exe /FileNamePath:"c:\abcdefg" /OutputPath:"c:\tmp\"

Warning: File not found with regular file search: c:\abcdefg
Writing: abcdefg