I have found hobocopy, which works great, but only if you list source folder, dest folder and then file type. My script searches the C:\ drive, finds PST files and lists the full file path. Hobocopy doesn't seem to handle this.
I'm the author of hobocopy. It is written to expect source folder, destination folder, and a file selector. So you're not going to be able to use a full path. That said, you can use the flags that can be found by running "help for" at the command prompt to break apart the path you find into directory and file components. Something like %nf in your case, I believe.
There is a registry entry that controls which files the Volume Shadow Service (which hobocopy and shadowspawn use) ignores. Examples include .ost files. See -us/library/windows/desktop/aa819132(v=vs.85).aspx.
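The path splitting suggested in the reply above can also be done in a script before hobocopy is called. This is an added example, not code from the original posts or from the hobocopy project: it splits each full path into folder and file name, groups files per folder, and mirrors the source tree under the destination. The destination root D:\PSTBackup and the sample paths are constructed, and passing several file names in one call is an assumption about your hobocopy build (use one file per call otherwise).

```python
import ntpath                      # Windows path rules, usable on any OS
from subprocess import list2cmdline

# Constructed sample: full paths as a C:\ search for *.pst might list them.
FOUND = [
    r"C:\Users\Al Smith\Documents\Outlook Files\mail.pst",
    r"C:\Users\Al Smith\Documents\Outlook Files\archive.pst",
    r"C:\users\al smith\documents\outlook files\MAIL.PST",  # same file, other case
    r"C:/Users/bob/archive.pst",
    r"C:\old.pst",
]

def plan_hobocopy(found_paths, dest_root, exe="hobocopy"):
    """Return one argv list per source folder: [exe, src_dir, dest_dir, file...]."""
    groups = {}                    # lowercased folder -> (folder as found, names)
    for full in found_paths:
        folder, name = ntpath.split(ntpath.normpath(full))
        if not name:               # a bare folder, nothing to select
            continue
        _, names = groups.setdefault(folder.lower(), (folder, []))
        if name.lower() not in (n.lower() for n in names):
            names.append(name)     # NTFS names are case-insensitive: skip repeats
    plan = []
    for folder, names in groups.values():
        drive, tail = ntpath.splitdrive(folder)
        # Mirror the source tree under dest_root so that equally named files
        # from different folders do not overwrite each other.
        parts = [p for p in (drive.rstrip(":"), tail.strip("\\")) if p]
        # Assumption: several file selectors may follow the destination folder.
        plan.append([exe, folder, ntpath.join(dest_root, *parts), *names])
    return plan

def as_command_lines(plan):
    """Quote each argv the way a Windows command line expects."""
    return [list2cmdline(argv) for argv in plan]

if __name__ == "__main__":
    # D:\PSTBackup is a hypothetical destination root.
    for line in as_command_lines(plan_hobocopy(FOUND, r"D:\PSTBackup")):
        print(line)
```

Only the drive root keeps its trailing backslash as a source folder; other folders come out of the split without one, so a quoted folder never ends in `\"`.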
INSTALLING HOBOCOPY
Most users can simply unzip the file containing hobocopy.exe into the directory of your choice. However, HoboCopy uses the Visual C++ 8.0 runtime, which may not be present on some machines. If HoboCopy does not work for you, run the vcredist executable available from the same location you downloaded HoboCopy.
I've used this several times now on Windows XP and Windows 2003 Server running WinCC v7.0.2.
I create a directory on the PC called Hobocopy in which I extract the right Hobocopy release.
This directory contains only 3 files: HoboCopy.exe, HoboCopy.pdb and a command file created with a text editor, for example "Backup.cmd".
And comment with the results? Assuming it's error 5, you're going to have to either change permissions on the file or run hobocopy as a user that has access permission. Presumably that's SYSTEM. One way to run things as system (there are several) is to use the psexec program and specify the -s option. Something like this:
The basic structure of the command looks like this: hobocopy "C:\source\directory" "C:\destination\directory"
However, there are a lot of useful extra options available, for example incremental copying, which copies only the files that are new to the destination folder. A full list of options can be found here (scroll down to the USAGE section):
Thanks for the reply, Harlan. Since speaking with you last I've found a number of tools that assist me to copy the required items.
Firstly, hobocopy:
"It uses the Volume Shadow Service (VSS) to "snapshot" the disk before copying. It then copies from the snapshot rather than the "live" disk."
Secondly, the reg tool within Windows to dump registry hives
- for example reg save HKLM\SAM SAM
Do you see any issues with the above for gathering copies of the hives?
I noticed that FTKImager Lite has command line options for /CreateDirListing; however, I haven't had any success with this. Do you know if the command works only on already taken images, or does it work against live systems too? If so, do you have an example of the command line you'd use for a physical drive?
Thanks in advance, and I hope you find some of it useful too.
This command will likely take a very long time to complete, so you might want to take a nap or something. At the end you should have a nearly perfect copy of the directory... if there are any permission errors you'll be alerted to files that didn't copy. Realistically any files in your user directory shouldn't have this problem.

Using HoboCopy to Incrementally Backup a Drive

Hobocopy also supports backing up files incrementally, so it will only copy the files that have changed since the last backup. This works similarly to utilities like rsync, except hobocopy stores the last backup date in a file that you need to specify on the command line.
Depending on the penetration test, this can be done repeatedly, on many servers, until you find a domain administrator's hash. It is also possible to utilize the shadow copy feature from Microsoft Systems to get the "SYSKEY" and "SAM" files. One of the possible tools that could be used for this is hobocopy.