Jan-18-2019, 03:01 PM
I am trying to create a disk image analyzer. One of the things I want to do is be able to print the product image name; however, I seem to have come across a roadblock. I keep getting the following error below.
I can't seem to figure out the issue.
```
Exception has occurred: exceptions.IOError
FS_Info_Con: (tsk3.c:207) Unable to open the image as a filesystem: Cannot determine file system type
  File "/home/apdf/Myfiles/PytskRegistryEx1].py", line 44, in <module>
```
```python
from __future__ import print_function

# 1. Add pytsk3
import pytsk3
# 2. Add Python Registry
from Registry import Registry
# 3. Add pyewf
import pyewf


# Define the helper class based on pytsk3 Img_Info class
class e01_file_helper(pytsk3.Img_Info):
    # Define a constructor to setup the object
    # It expects a pyewf.handle object
    def __init__(self, ewf_handle):
        self._ewf_handle = ewf_handle
        super(e01_file_helper, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)

    # This method overrides Img_Info close to close the handle object
    def close(self):
        self._ewf_handle.close()

    # This method overrides the Img_Info read method to read data
    # from the handle object rather than image file directly
    def read(self, offset, size):
        self._ewf_handle.seek(offset)
        return self._ewf_handle.read(size)

    # This method overrides the Img_Info get_size method to
    # get the size of the image from the handle object
    def get_size(self):
        return self._ewf_handle.get_media_size()


# 4. Create a glob object to read ExampleImageForPyewf.E01 which is an image of DiskImage.RAW
#e01_glob = raw_input("please enter the registry you want to process: ")
e01_glob = pyewf.glob('/home/apdf/j/WindowsOS.E01')
# 5. Create a handle object which will be used to link the E01 file(s) to the program
e01_handle = pyewf.handle()
# 6. Open (link) the E01 file with the handle
e01_handle.open(e01_glob)
# 7. Create the helper object to read the E01 file
e01helper = e01_file_helper(e01_handle)
# 8. Open file system. Note this example is hardwired
# to open the file system at sector 63. Won't work on
# other evidence files
file_system = pytsk3.FS_Info(e01helper, 63 * 512)
# 9. Open the SOFTWARE registry file directly
# This should be okay for other Windows as Registry files are
# in the same location for Windows XP, Vista, 7, 8 and 10
software_file = file_system.open('/WINDOWS/system32/config/software')
# 10. Read the contents of the SOFTWARE file into memory from evidence file
# a bit dangerous as SOFTWARE file can be quite large. Works for the example
# you will get. Better approach is to read and write blocks of data from
# Registry file like the way hash values were calculated in previous example
software_file_contents = software_file.read_random(0, software_file.info.meta.size)
# 11. Open a file in the local PC called SOFTWARE to store bytes read above
# write as binary (same name, same case, as the one opened in step 15)
f = open('SOFTWARE', 'wb')
# 12. Write the SOFTWARE file to local file
f.write(software_file_contents)
# 13. Close the file before opening with Python Registry
f.close()
# 15. Now open the file written previously with Python Registry
software_reg = Registry.Registry('SOFTWARE')
# 16. Get the CurrentVersion key
key = software_reg.open('Microsoft\\Windows NT\\CurrentVersion')
# 17. Get the value for ProductName
v = key['ProductName']
# 18. Display the value stored
print("Product name is %s" % (v.value()))
# Add source code to get more values and display for exercise

# 19. Open the NTUSER.DAT file for JJungle
# Note that if you program this you'll have to work out the user directories
# as they will differ from installation to installation
# 20. Read the NTUSER.DAT file into memory from evidence file
# 21. Open a local file to store NTUSER.DAT data
# 22. Write the NTUSER.DAT data to the local file
# 23. Close the local file before accessing it with Registry object
# 24. Open the NTUSER.DAT file as a Registry object
# 25. Open the TypedURLs key
# 26. Access the values in this key
# 27. Display the URL value
# Add more code here to get the RecentDocs key and process the values
# in it to display a list of files accessed by the user for exercise

# 14. Close the E01 file
e01helper.close()
# /home/apdf/j/WindowsOS.E01
```
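The script hands `pytsk3.FS_Info` a fixed byte offset of `63 * 512`, and "Cannot determine file system type" is exactly what TSK reports when no filesystem header sits at that offset (XP-era installers start the first partition at sector 63, later Windows installers at sector 2048). The safer habit is to read the partition start from the image rather than hardwiring it. The following is an added example, not code from the original post: it parses a classic MBR partition table from a constructed 512-byte sector and returns the byte offsets a filesystem opener should be given. The helper names and the sample layout (one NTFS partition at LBA 2048) are my own assumptions.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr_partitions(mbr):
    """Return (type_byte, start_lba, sector_count) for each populated primary
    MBR entry. Raises ValueError when the 0x55AA boot signature is absent,
    which usually means the bytes are not sector 0 of a disk image."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature at bytes 510-511")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        _status, ptype, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:  # type 0x00 marks an unused slot
            parts.append((ptype, start_lba, count))
    return parts


def filesystem_byte_offsets(mbr):
    """Byte offsets to pass as the second argument of pytsk3.FS_Info(img, offset)."""
    return [start * SECTOR_SIZE for _ptype, start, _count in parse_mbr_partitions(mbr)]


def build_sample_mbr(start_lba=2048, count=204800, ptype=0x07):
    """Constructed sample sector (assumption): a bootable NTFS (0x07) partition
    starting at LBA 2048, the layout a Vista/7-era installer produces."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", ptype,
                        b"\x00\x00\x00", start_lba, count)
    return b"\x00" * 446 + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    # With a real image, feed it the first 512 bytes: e01helper.read(0, 512)
    sample = build_sample_mbr()
    for offset in filesystem_byte_offsets(sample):
        print("filesystem candidate at byte offset %d (sector %d)"
              % (offset, offset // SECTOR_SIZE))
```

With the original script, `e01helper.read(0, 512)` supplies the sector to parse and the first returned offset replaces `63 * 512`; pytsk3 can do the same walk itself via `pytsk3.Volume_Info(e01helper)`, whose parts carry a `start` field in sectors.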