Python Forum
Can't seem to load my image file
#1
I'm trying to load an image file so that my program could output the results of the last logon time and date, but I seem to be getting an error.

The error that I seem to be getting is

Exception has occurred: exceptions.TypeError
pyewf_handle_open: argument: files must be a sequence object.
  File "/home/apdf/Myfiles/PythonRegistrySAM.py", line 45, in <module>
# 1. Add pytsk3
import pytsk3
# 2. Add Python Registry
from Registry import Registry
# 3. Add pyewf
import pyewf
# 4. Add struct
import struct
# 5. Add datetime to convert Windows timestamps
import datetime
# 44. Add regular expressions module


# Define the helper class based on pytsk3 Img_Info class
class e01_file_helper(pytsk3.Img_Info):
    # Define a constructor to setup the object
    # It expects a pyewf.handle object
    def __init__(self, ewf_handle):
        self._ewf_handle = ewf_handle
        super(e01_file_helper, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)

    # This method overrides Img_info close to close the handle object
    def close(self):
        self._ewf_handle.close()

    # This method overrides the Img_Info read method to read data
    # from the handle object rather than image file directly
    def read(self, offset, size):
        self._ewf_handle.seek(offset)
        return self._ewf_handle.read(size)

    # This method overrides the Img_Info get_size method to
    # get the size of the image from the handle object
    def get_size(self):
        return self._ewf_handle.get_media_size()

# 6. Create a glob object to read ExampleImageForPyewf.E01 which is an image of DiskImage.RAW

e01_glob = pyewf.glob
e01_glob = raw_input("enter the name of the evidence file: ")
e01_glob = pytsk3.Img_Info(e01_glob)
# 7. Create a handle object which will be used to link the E01 file(s) to the program
e01_handle = pyewf.handle()
# 8. Open (link) the E01 file with the handle
e01_handle.open(e01_glob)
# 9. Create the helper object to read the E01 file
e01_helper = e01_file_helper(e01_handle)
# 10. Open file system.  Note this example is hardwired
# to open the file system at sector 63.  Won't work on
# other evidence files
file_system = pytsk3.FS_Info(e01_helper, 63 * 512)
# 11. Open the SAM registry file directly
# This should be okay for other Windows as Registry files are
# in the same location for Windows XP, Vista, 7, 8 and 10
sam_file = file_system.open('WINDOWS/system32/config/SAM')
# 12. Read the contents of the SAM file into memory from evidence file
# This is not as dangerous as reading the SOFTWARE file because the SAM
# file isn't as big as the SOFTWARE file.  Unless the maximum number of accounts
# has been created as theoretically a Windows PC can have up to 1000000000
# local accounts
sam_file_contents = sam_file.read_random(0, sam_file.info.meta.size)
# 13. Open a file in the local PC called SAM to store bytes read above
# write as binary
f = open('SAM', 'wb')
# 14. Write the SAM file to local file
f.write(sam_file_contents)
# 15. Close the file before opening with Python Registry
f.close()
# 17. Now open the file written previously with Python Registry
sam_reg = Registry.Registry('SAM')
# 18. Get the Administrator's user key
key = sam_reg.open('SAM\\Domains\\Account\\Users\\000001F4')
# Process F key
# 19. Get the F key data
f_value = key['F']
# 20. Extract 8 bytes from offset 8.  Note this is bytes 9 to 16 (inclusive)
# in AccessData Registry Quick Find Chart
last_logon_time_bytes = f_value.value()[8:16]
# 21. Convert the bytes to a little endian large number
last_logon_time_stamp = struct.unpack('<Q', last_logon_time_bytes)
# 22. This constant is necessary to take into account
# the difference between Windows timestamps and UNIX
# timestamps.  UNIX timestamps start at 1/1/1970 at midnight
# However, Windows timestamps start at 1/1/1601 at midnight
# The number below is the date midnight 1/1/1970 in Windows format
# By subtracting this value from a Windows timestamp value we get
# the time from 1/1/1970 which we can convert into a datetime in Python
# because Python datetime uses UNIX time.
# Only need to do this once in the program
START_OF_UNIX_TIME  = 116444736000000000
# 23. Calculate the time in unix time
last_logon_time_in_unix = last_logon_time_stamp[0] - START_OF_UNIX_TIME
# 24. Need to divide the time to get seconds as UNIX time is in seconds
# and Windows time is in 100 nanosecond increments
last_logon_time_in_unix = last_logon_time_in_unix / 10000000
# 25. Now create datetime object from the converted time
last_logon_time = datetime.datetime.utcfromtimestamp(last_logon_time_in_unix)
# 26. Display the timestamp in a human readable form
print "Last logon was %s " % (last_logon_time.strftime('%Y/%m/%d %H:%M:%S'))


# Add code to decode the last time the password was changed and last time failed login


# 27. Decode the number of logins



# 28. Convert to a number



# 29. Display number of logins



# Process V value
# 30. Get V file



# 31. Get bytes where account type is stored



# 32. Convert back to a number



# 33. If the account type number is 0xBC then account is an admin account



# 34. If the account type number is 0xD4 then account is an user account



# 35. If the account type number is 0xB0 then account is guest account



# 36. Get bytes where the offset to username is stored



# 37. Convert back to a number



# 38. Adjust offset



# 39. Get bytes where length of username is stored



# 40. Convert back to a number



# 41. Get username from v value



# 42. Convert back to ASCII



# 43. Display username


# 36. Get bytes where the offset to username is stored
# The V value of the same user key (step 30) is needed first
v_value = key['V']
offset_to_username_bytes = v_value.value()[36:40]

# 37. Convert back to a number
offset_to_username = struct.unpack('<L', offset_to_username_bytes)

# 38. Adjust offset
offset_to_username = offset_to_username[0] + 0xCC

# 39. Get bytes where length of username is stored
length_of_username_bytes = v_value.value()[40:44]

# 40. Convert back to a number
length_of_username = struct.unpack('<L', length_of_username_bytes)

# 41. Get username from v value
username = v_value.value()[offset_to_username:offset_to_username+length_of_username[0]]

# 42. Convert back to ASCII
username = username.decode('utf-16')

# 43. Display username
print "The description is %s" % (username)


# Add code to decode description

# Process users
# 45. Open the Users key


# 46. Create a regular expression to match 8 character hexadecimal numbers



# 47. Process the subkeys in the Users key


    # 48. Run the Regular expression to check the subkey's name





        # Convert the bytes to a little endian large number



        # Calculate the time in unix time



        # Need to check the time was a positive number because
        # it is possible a user account has been created but
        # user hasn't logged in yet.  Means the value stored will be 0
        # Subtract the START_OF_UNIX_TIME will result in a negative
        # number and crash the program


            # Need to divide the time to get seconds as UNIX time is in seconds
            # and Windows time is in 100 nanosecond increments


            # Now create datetime object from the converted time


            # Display the timestamp in a human readable form
        # else


            # Display user hasn't logged in




# 16. Close the E01 file
e01_helper.close()
Reply
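
Added example, not part of the original post and written for Python 3: `pyewf.handle.open()` expects a sequence of segment file names, which `pyewf.glob()` returns, rather than a `pytsk3.Img_Info` object. The helpers also decode the last-logon timestamp from the F value and treat a stored 0 as "never logged on"; the function names and sample bytes are constructed for illustration.

```python
import datetime
import struct

# Offset between the Windows (1601) and UNIX (1970) epochs in 100 ns ticks
# (the START_OF_UNIX_TIME constant from the post).
START_OF_UNIX_TIME = 116444736000000000


def open_e01(first_segment):
    """Open an EWF image; handle.open() needs a sequence of segment names."""
    import pyewf  # lazy import so the decoding helpers work without libewf
    handle = pyewf.handle()
    # glob() expands the first segment into the full list, e.g. ['x.E01', 'x.E02']
    handle.open(pyewf.glob(first_segment))
    return handle


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME to a UTC datetime; 0 means 'never set'."""
    if filetime == 0:
        return None
    microseconds = (filetime - START_OF_UNIX_TIME) // 10
    return datetime.datetime(1970, 1, 1) + datetime.timedelta(microseconds=microseconds)


def last_logon_from_f(f_data):
    """Decode the last-logon FILETIME stored at bytes 8..15 of a SAM F value."""
    if len(f_data) < 16:
        raise ValueError("F value too short: %d bytes" % len(f_data))
    (filetime,) = struct.unpack("<Q", f_data[8:16])
    return filetime_to_datetime(filetime)


# Constructed sample F values (not from a real hive): 8 filler bytes followed
# by a little-endian FILETIME.
SAMPLE_LOGGED_ON = b"\x00" * 8 + struct.pack("<Q", 132223104000000000)
SAMPLE_NEVER = b"\x00" * 16

if __name__ == "__main__":
    for label, data in (("logged on", SAMPLE_LOGGED_ON), ("never", SAMPLE_NEVER)):
        print(label, last_logon_from_f(data))
```

`open_e01()` needs the libewf Python bindings and a real evidence file; the decoding helpers run on their own.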

