im trying to load a image file so that my program could outout he results of the last logon timeand date but i seem to be getting a error
The error that i seem to be getting is
The error that i seem to be getting is
Exception has occurred: exceptions.TypeError pyewf_handle_open: argument: files must be a sequence object. File "/home/apdf/Myfiles/PythonRegistrySAM.py", line 45, in <module>
# 1. Add pytsk3 import pytsk3 # 2. Add Python Registry from Registry import Registry # 3. Add pyewf import pyewf # 4. Add struct import struct # 5. Add datetime to convert Windows timestamps import datetime # 44. Add regular expressions module # Define the helper class based on pytsk3 Img_Info class class e01_file_helper(pytsk3.Img_Info): # Define a constructor to setup the object # It expects a pyewf.handle object def __init__(self, ewf_handle): self._ewf_handle = ewf_handle super(e01_file_helper, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL) # This method overrides Img_info close to close the handle object def close(self): self._ewf_handle.close() # This method overrides the Img_Info read method to read data # from the handle object rather than image file directly def read(self, offset, size): self._ewf_handle.seek(offset) return self._ewf_handle.read(size) # This method overrides the Img_Info get_size method to # get the size of the image from the handle object def get_size(self): return self._ewf_handle.get_media_size() # 6. Create a glob object to read ExampleImageForPyewf.E01 which is an image of DiskImage.RAW e01_glob = pyewf.glob e01_glob = raw_input("enter the name of the evidence file: ") e01_glob = pytsk3.Img_Info(e01_glob) # 7. Create a handle object which will be used link the E01 file(s) to the program e01_handle = pyewf.handle() # 8. Open (link) the E01 file with the handle e01_handle.open(e01_glob) # 9. Create the helper object to readE01 file e01_helper = e01_file_helper(e01_handle) # 10. Open file system. Note this example is hardwired # to open the file system at sector 63. Won't work on # other evidence files file_system = pytsk3.FS_Info(e01helper, 63 * 512) # 11. Open the SAM registry file directly # This should be okay for other Windows as Registry files are # in the same location for Windows XP, Vista, 7, 8 and 10 sam_file = file_system.open('WINDOWS/system32/config/SAM') # 12. Read the contents of the SAM file into memory from evidence file # This is not as dangerous as reading the SOFTWARE file because the SAM # file isn't as big as the SOFTWARE file. Unless the maximum number of accounts # has been created as theoretically a Windows PC can have up to 1000000000 # local accounts sam_file_contents = sam_file.read_random(0, sam_file.info.meta.size) # 13. Open a file in the local PC called SOFTWARE to store bytes read above # write as binary f = open('SAM', 'wb') # 14. Write the SAM file to local file f.write(sam_file_contents) # 15. Close the file before opening with Python Registry f.close() # 17. Now open the file written previously with Python Registry sam_reg = Registry.Registry('SAM') # 18. Get the Administrator's user key key = sam_reg.open('SAM\\Domains\\Account\\Users\\000001F4') # Process F key # 19. Get the F key data f_value = key['F'] # 20. Extract 8 bytes from offset 8. Note this is bytes 9 to 16 (inclusive) # in AccessData Registry Quick Find Chart last_logon_time_bytes = f_value.value()[8:16] # 21. Convert the bytes to a little endian large number last_logon_time_stamp = struct.unpack(',Q', last_logon_time_bytes) # 22. This constant is necessary to take into account # the difference between Windows timestamps and UNIX # timestamps. UNIX timestamps start at 1/1/1970 at midnight # However, Windows timestamps start at 1/1/1601 at midnight # The number below is the date midnight 1/1/1970 in Windows format # By substracting this value from a Windows timestamp value we get # the time from 1/1/1970 which we can convert into a datetime in Python # because Python datetime uses UNIX time. # Only need to do this once in the program START_OF_UNIX_TIME = 116444736000000000 # 23. Calculate the time in unix time last_logon_time_in_unix = last_logon_time_stamp[0] - START_OF_UNIX_TIME # 24. Need to divide the time to get seconds as UNIX time is in seconds # and Windows time is in 100 nanosecond increments last_logon_time_in_unix = last_logon_time_in_unix / 10000000 # 25. Now create datetime object from the converted time last_logon_time = datetime.datetime.utcfromtimestamp(last_logon_time_in_unix) # 26. Display the timestamp in a human readable form print "Last logon was %s " % (last_logon_time.strftime('%Y/%m/%d %H:%M:%S')) # Add code to decode the last time the password was changed and last time failed login # 27. Decode the number of logins # 28. Convert to a number # 29. Display number of logins # Process V value # 30. Get V file # 31. Get bytes where account type is stored # 32. Convert back to a number # 33. If the account type number is 0xBC then account is an admin account # 34. If the account type number is 0xD4 then account is an user account # 35. If the account type number is 0xB0 then account is guest account # 36. Get bytes where the offset to username is stored # 37. Convert back to a number # 38. Adjust offset # 39. Get bytes where length of username is stored # 40. Convert back to a number # 41. Get username from v value # 42. Convert back to ASCII # 43. Display username # 36. Get bytes where the offset to username is stored offset_to_username_bytes = v_value.value()[36:40] # 37. Convert back to a number offset_to_username = struct.unpack('<L', offset_to_username_bytes) # 38. Adjust offset offset_to_username = offset_to_username[0] + 0xCC # 39. Get bytes where length of username is stored length_of_username_bytes = v_value.value()[40:44] # 40. Convert back to a number length_of_username = struct.unpack('<L', length_of_username_bytes) # 41. Get username from v value username = v_value.value()[offset_to_username:offset_to_username+length_of_username[0]] # 42. Convert back to ASCII username = username.decode('utf-16') # 43. Display username print "The description is %s" % (username) # Add code to decode description # Process users # 45. Open the Users key # 46. Create a regular expression to match 8 character hexadecimal numbers # 47. Process the subkeys in the Users key # 48. Run the Regular expression to check the subkey's name # Convert the bytes to a little endian large number # Calculate the time in unix time # Need to check the time was a positive number because # it is possible a user account has been created but # user hasn't logged in yet. Means the value stored will be 0 # Subtract the START_OF_UNIX_TIME will result in a negative # number and crash the program # Need to divide the time to get seconds as UNIX time is in seconds # and Windows time is in 100 nanosecond increments # Now create datetime object from the converted time # Display the timestamp in a human readable form # else # Display user hasn't logged in # 16. Close the E01 file e01helper.close()