我正在尝试输出要加载到系统中的文件的上次登录时间。
但是出现以下错误:
发生异常: exceptions.IOError
Img_Info_Con: (tsk3.c:96) 无法打开图像: 图像文件状态错误 (raw_open: 文件 "/home/apdf/car/WindowsOS.E01" - 没有此类文件或目录)
文件 "/home/apdf/cats/PythonRegistrySAM.py", 第 41 行, 在 <module> 中
这是我的代码:
# 1. Add pytsk3
import pytsk3
# 2. Add Python Registry
from Registry import Registry
# 3. Add pyewf
import pyewf
# 4. Add struct
import struct
# 5. Add datetime to convert Windows timestamps
import datetime
# 44. Add regular expressions module
# Helper class built on pytsk3.Img_Info so that TSK can read an E01 image
# through a pyewf handle instead of opening a raw file itself.
class e01_file_helper(pytsk3.Img_Info):
    """pytsk3 image object backed by an already opened ``pyewf.handle``.

    The base class is told the image is of type ``TSK_IMG_TYPE_EXTERNAL``,
    so every read/size request is routed through the overridden methods
    below, which forward to the EWF handle.
    """

    def __init__(self, ewf_handle):
        # The handle is stored *before* the base constructor runs; with an
        # external image type the base class may query get_size()/read()
        # immediately -- TODO(review): confirm against the pytsk3 version in use.
        self._ewf_handle = ewf_handle
        super(e01_file_helper, self).__init__(url="", type=pytsk3.TSK_IMG_TYPE_EXTERNAL)

    def close(self):
        """Release the EWF handle (overrides Img_Info.close)."""
        self._ewf_handle.close()

    def read(self, offset, size):
        """Return ``size`` bytes of media starting at ``offset``.

        Overrides Img_Info.read: the data comes from the EWF handle, not
        from an image file on disk.
        """
        handle = self._ewf_handle
        handle.seek(offset)
        return handle.read(size)

    def get_size(self):
        """Return the size of the acquired media as reported by the EWF handle."""
        return self._ewf_handle.get_media_size()
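# 6. Ask for the evidence file and expand it into the list of E01 segment
#    files (e.g. WindowsOS.E01, WindowsOS.E02, ...) with pyewf.glob.
#    NOTE: the original code assigned the *function* pyewf.glob without
#    calling it, then handed the typed path to pytsk3.Img_Info, which tries
#    to open the E01 as a raw image. That is where the "raw_open ... No such
#    file or directory" IOError came from; E01 files must go through pyewf.
#    (Also check the typed path itself -- the traceback shows ".../car/..."
#    while the script lives under ".../cats/".)
evidence_file = raw_input("enter the name of the evidence file: ")
e01_glob = pyewf.glob(evidence_file)
# 7. Create a handle object which will be used to link the E01 file(s) to the program
e01_handle = pyewf.handle()
# 8. Open (link) the E01 segment files with the handle
e01_handle.open(e01_glob)
# 9. Create the helper object that lets pytsk3 read the E01 file
e01_helper = e01_file_helper(e01_handle)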
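# 10. Open the file system. Note this example is hardwired to the file
#     system starting at sector 63; it won't work on evidence files whose
#     first partition starts elsewhere (pytsk3.Volume_Info could be used to
#     locate the partition instead of hard-coding it).
SECTOR_SIZE = 512
FIRST_PARTITION_SECTOR = 63
# NOTE: the original referenced `e01helper`, which is never defined
# (NameError); the helper created in step 9 is `e01_helper`.
file_system = pytsk3.FS_Info(e01_helper, FIRST_PARTITION_SECTOR * SECTOR_SIZE)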
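# 11. Open the SAM registry hive directly from the evidence file system.
#     The hive lives in the same location on Windows XP, Vista, 7, 8 and 10.
sam_file = file_system.open('WINDOWS/system32/config/SAM')
# 12. Read the whole SAM hive into memory. This is acceptable because the
#     SAM is small compared with the SOFTWARE hive (it only grows with the
#     number of local accounts).
sam_file_contents = sam_file.read_random(0, sam_file.info.meta.size)
# 13./14./15. Write the bytes to a local file called SAM (binary mode) so
#     python-registry can parse it. The `with` block closes the file before
#     step 17 opens it, even if the write fails. The copy is extracted
#     evidence (it holds the local account database), so keep it on the
#     case's access-controlled working volume and hash it like any artefact.
with open('SAM', 'wb') as local_sam:
    local_sam.write(sam_file_contents)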
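# 17. Now open the local copy written above with python-registry
sam_reg = Registry.Registry('SAM')
# 18. Get the built-in Administrator's user key (RID 500 = 0x1F4)
key = sam_reg.open('SAM\\Domains\\Account\\Users\\000001F4')
# Process F value
# 19. Get the F value data
f_value = key['F']
# 20. Extract 8 bytes from offset 8. Note this is bytes 9 to 16 (inclusive)
#     in AccessData Registry Quick Find Chart
last_logon_time_bytes = f_value.value()[8:16]
# 21. Convert the bytes to a little-endian unsigned 64-bit number.
#     NOTE: the original used ',Q', which is not a valid struct format and
#     raises struct.error; '<Q' is little-endian unsigned long long.
last_logon_time_stamp = struct.unpack('<Q', last_logon_time_bytes)
# 22. This constant takes into account the difference between Windows
#     timestamps and UNIX timestamps. UNIX timestamps start at 1/1/1970
#     midnight; Windows timestamps start at 1/1/1601 midnight, in 100 ns
#     units. The number below is midnight 1/1/1970 in Windows format, so
#     subtracting it from a Windows timestamp gives time since the UNIX
#     epoch, which Python's datetime can convert. Only needed once.
START_OF_UNIX_TIME = 116444736000000000
last_logon_time = None
if last_logon_time_stamp[0] < START_OF_UNIX_TIME:
    # An account that has never logged on stores 0 here; subtracting the
    # epoch offset would give a negative value, so report it explicitly
    # instead of crashing in utcfromtimestamp.
    print("Last logon was never (no successful logon recorded)")
else:
    # 23. Calculate the time in UNIX time (still in 100 ns units)
    last_logon_time_in_unix = last_logon_time_stamp[0] - START_OF_UNIX_TIME
    # 24. Divide to get whole seconds: UNIX time is in seconds and Windows
    #     time is in 100 nanosecond increments. Floor division keeps the
    #     Python 2 integer-division result and behaves the same on Python 3.
    last_logon_time_in_unix = last_logon_time_in_unix // 10000000
    # 25. Now create a datetime object from the converted time (UTC)
    last_logon_time = datetime.datetime.utcfromtimestamp(last_logon_time_in_unix)
    # 26. Display the timestamp in a human readable form
    print("Last logon was %s " % (last_logon_time.strftime('%Y/%m/%d %H:%M:%S')))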
# Add code to decode the last time the password was changed and last time failed login
# 27. Decode the number of logins
# 28. Convert to a number
# 29. Display number of logins
# Process V value
# 30. Get V file
# 31. Get bytes where account type is stored
# 32. Convert back to a number
# 33. If the account type number is 0xBC then account is an admin account
# 34. If the account type number is 0xD4 then account is an user account
# 35. If the account type number is 0xB0 then account is guest account
# 36. Get bytes where the offset to username is stored
# 37. Convert back to a number
# 38. Adjust offset
# 39. Get bytes where length of username is stored
# 40. Convert back to a number
# 41. Get username from v value
# 42. Convert back to ASCII
# 43. Display username
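# 30. Get the V value. NOTE: the original used `v_value` without ever
#     reading it from the key (NameError).
v_value = key['V']
v_data = v_value.value()
# 36. Get the 4 bytes at 0x24 holding the offset of the string field.
#     NOTE(review): in the V value the entry at 0x24/0x28 is the account
#     comment/description (the username entry is at 0x0C/0x10), which is
#     what the print label below says; the step comments that called this
#     "username" were misleading.
offset_to_description_bytes = v_data[36:40]
# 37. Convert back to a number (little-endian unsigned 32-bit)
offset_to_description = struct.unpack('<L', offset_to_description_bytes)[0]
# 38. Adjust offset: string data starts 0xCC bytes into the V value
offset_to_description += 0xCC
# 39. Get the 4 bytes at 0x28 holding the length of the string in bytes
length_of_description_bytes = v_data[40:44]
# 40. Convert back to a number
length_of_description = struct.unpack('<L', length_of_description_bytes)[0]
# 41. Get the string from the V value, refusing a slice that would run past
#     the end of the value (a silent short slice would be wrong data).
end_of_description = offset_to_description + length_of_description
if end_of_description > len(v_data):
    raise ValueError("V value is truncated: field ends at %d but value is %d bytes"
                     % (end_of_description, len(v_data)))
description = v_data[offset_to_description:end_of_description]
# 42. Decode: SAM strings are UTF-16 little-endian without a BOM, so name the
#     byte order explicitly rather than relying on 'utf-16' auto-detection.
description = description.decode('utf-16-le')
# 43. Display the description
print("The description is %s" % (description))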
# Add code to decode description
# Process users
# 45. Open the Users key
# 46. Create a regular expression to match 8 character hexadecimal numbers
# 47. Process the subkeys in the Users key
# 48. Run the Regular expression to check the subkey's name
# Convert the bytes to a little endian large number
# Calculate the time in unix time
# Need to check the time was a positive number because
# it is possible a user account has been created but
# user hasn't logged in yet. Means the value stored will be 0
# Subtract the START_OF_UNIX_TIME will result in a negative
# number and crash the program
# Need to divide the time to get seconds as UNIX time is in seconds
# and Windows time is in 100 nanosecond increments
# Now create datetime object from the converted time
# Display the timestamp in a human readable form
# else
# Display user hasn't logged in
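# 16. Close the E01 file via the helper (this closes the pyewf handle).
#     NOTE: the original called `e01helper.close()`; that name is never
#     defined, the helper created in step 9 is `e01_helper`.
e01_helper.close()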
不输出登录时间和日期。我该如何解决这个问题?