Virtual Machine Extractor

A place to ask the community for help with using Autopsy.

Moderator: carrier

Virtual Machine Extractor

Postby heyitzmo » Mon Oct 24, 2016 9:19 pm

Hello! I am running Autopsy 4.1.1 on top of TSK 4.3.0 on a Windows 7 workstation, as local superuser. When I run a scan on my own C: drive (I'm just learning the system so I'm my first guinea pig), I get the following error: Virtual Machine Extractor: Illegal char <:> at index 50: C:\Test 1\ModuleOutput\Virtual Machine Extractor\C:_1_2016_10_24_10_50_05

I have DVI files (Oracle's VirtualBox), and no .vhk files. Autopsy chugs along nicely for a few minutes, then hangs for a bit, then terminates in the above error. I *could* skip the VM analysis module (something the error message suggests); however, that will work only to satisfy my curiosity as to what else this puppy can do. I'd like to figure out how to get the VM checks to work.

I recall having selected the 64 bit version of Autopsy, but I have a 32 bit version of TSK. My workstation is 64 bit.

Am I doing anything wrong? Are there any suggestions/workarounds for this issue?

Thank you!

Mo
heyitzmo
 
Posts: 1
Joined: Mon Oct 24, 2016 8:57 pm

Re: Virtual Machine Extractor

Postby Hoyt » Fri Oct 28, 2016 12:32 am

It looks like it's working except for not properly naming the extraction. It's not stripping the colon (":") and throwing a naming error. Where are you seeing the error message? Can you post the relevant portion of the traces log? Grab several lines before and after any critical errors you find there or just copy and paste the whole thing, whichever's easier.

As for the x32/x64 concern, don't worry. Autopsy ships with its own TSK and doesn't call your other install.
Hoyt
 
Posts: 61
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR


Return to Autopsy Troubleshooting

Who is online

Users browsing this forum: No registered users and 4 guests

cron