  1. pytsk is a Python binding for The Sleuth Kit, a complete filesystem analysis toolkit. https://github.com/py4n6/pytsk
  2.  
  3. import pytsk3
  4. import os
  5.  
# Evidence image and the TSK handles on it: Img_Info wraps the raw image,
# Volume_Info parses its partition table.
imagefile = "/evidence/laptop.img"
imagehandle = pytsk3.Img_Info(imagefile)
partitionTable = pytsk3.Volume_Info(imagehandle)

# Materialise the partition entries once so one can be picked by index later.
list_of_partitions = list(partitionTable)
display_info = []

# One summary line per entry: address, description, length and start
# (the table this prints for the example image is shown below).
for partition in list_of_partitions:
    desc_text = partition.desc.decode("utf-8")
    print(partition.addr, desc_text, partition.len, partition.start)
  17.  
  18. 0 Primary Table (#0) 1 0
  19. 1 Unallocated 2048 0
  20. 2 NTFS / exFAT (0x07) 204800 2048
  21. 3 NTFS / exFAT (0x07) 125620224 206848
  22. 4 Unallocated 2048 125827072
  23.  
  24. The fourth entry (addr 3) is the largest and is probably the one we want.
  25.  
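# Index 3 is the 125620224-sector NTFS entry in the table printed above.
# The index is specific to this image: re-check the table before reusing
# the script on another disk.
c_drive = list_of_partitions[3]
# FS_Info needs a byte offset into the whole image. Partition starts are
# given in volume-system blocks, so use the block size TSK reports instead
# of hard-coding 512-byte sectors (4K-sector disks would otherwise be
# opened at the wrong offset).
sector_size = partitionTable.info.block_size
filesystemObject = pytsk3.FS_Info(imagehandle, offset=c_drive.start * sector_size)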
  29.  
# Directory listing is needed more than once, so it lives in a function.
def listFilesAndFolders(strpath):
    """Print the full path of every entry in directory *strpath* of filesystemObject.

    Args:
        strpath: directory path inside the opened volume, e.g. ``'/Windows'``.
    """
    entries = filesystemObject.open_dir(path=strpath)
    for entry in entries:
        # TSK hands back names as bytes; decode before joining with the parent.
        entry_name = entry.info.name.name.decode('utf-8')
        print(os.path.join(strpath, entry_name))
  36.  
# Directory to enumerate. Other starting points used earlier: "/" (the root,
# where $MFT is visible), "/Windows/", and the per-user
# "/Users/peter/appdata/roaming/microsoft/windows/recent" folder; swap the
# value below to list them.
target_dir = '/Windows/System32/config'
listFilesAndFolders(target_dir)
  42.  
  43.  
  44.  
  45. /Windows/System32/config/.
  46. /Windows/System32/config/..
  47. /Windows/System32/config/COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
  48. /Windows/System32/config/SECURITY.LOG2
  49. /Windows/System32/config/BCD-Template
  50. /Windows/System32/config/BCD-Template.LOG
  51. /Windows/System32/config/COMPONENTS
  52. /Windows/System32/config/COMPONENTS.LOG
  53. /Windows/System32/config/COMPONENTS.LOG1
  54. /Windows/System32/config/COMPONENTS.LOG2
  55. /Windows/System32/config/COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TM.blf
  56. /Windows/System32/config/COMPONENTS{6cced2ed-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
  57. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.1.regtrans-ms
  58. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.blf
  59. /Windows/System32/config/COMPONENTS{a0ee2d85-a280-11e9-973f-784f436107a8}.TM.blf
  60. /Windows/System32/config/COMPONENTS{a0ee2d85-a280-11e9-973f-784f436107a8}.TMContainer00000000000000000001.regtrans-ms
  61. /Windows/System32/config/COMPONENTS{a0ee2d85-a280-11e9-973f-784f436107a8}.TMContainer00000000000000000002.regtrans-ms
  62. /Windows/System32/config/TxR
  63. /Windows/System32/config/DEFAULT
  64. /Windows/System32/config/DEFAULT.LOG
  65. /Windows/System32/config/DEFAULT.LOG1
  66. /Windows/System32/config/DEFAULT.LOG2
  67. /Windows/System32/config/Journal
  68. /Windows/System32/config/RegBack
  69. /Windows/System32/config/SAM
  70. /Windows/System32/config/SAM.LOG
  71. /Windows/System32/config/SAM.LOG1
  72. /Windows/System32/config/SAM.LOG2
  73. /Windows/System32/config/SECURITY
  74. /Windows/System32/config/SECURITY.LOG
  75. /Windows/System32/config/SECURITY.LOG1
  76. /Windows/System32/config/SECURITY.LOG1
  77. /Windows/System32/config/SOFTWARE
  78. /Windows/System32/config/SOFTWARE.LOG
  79. /Windows/System32/config/SOFTWARE.LOG1
  80. /Windows/System32/config/SOFTWARE.LOG2
  81. /Windows/System32/config/SYSTEM
  82. /Windows/System32/config/SYSTEM.LOG
  83. /Windows/System32/config/SYSTEM.LOG1
  84. /Windows/System32/config/SYSTEM.LOG2
  85. /Windows/System32/config/systemprofile
  86. /Windows/System32/config/TxR
  87. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.1.regtrans-ms
  88. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.2.regtrans-ms
  89. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.0.regtrans-ms
  90. /Windows/System32/config/COMPONENTS{a0ee2d84-a280-11e9-973f-784f436107a8}.TxR.2.regtrans-ms
  91.  
  92. from datetime import datetime
  93.  
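def carvefile(path):
    """Copy the file at *path* out of filesystemObject into the working directory.

    Prints the inode, on-disk name and creation time, then writes the content
    to a local file named after the last path component (``SAM`` for
    ``/Windows/System32/config/SAM``).

    Args:
        path: absolute path inside the opened volume.

    Raises:
        ValueError: if *path* yields no usable output file name, or the entry
            carries no metadata to read from.
    """
    from datetime import timezone  # local import keeps this snippet self-contained

    print("\nCarving %s " % path)
    fileobject = filesystemObject.open(path)
    filename = path.split('/')[-1]
    # A trailing slash would give open(''), and '.'/'..' are not file names.
    if filename in ('', '.', '..'):
        raise ValueError("cannot derive an output file name from %r" % path)
    meta = fileobject.info.meta
    if meta is None:
        # NOTE(review): TSK may return a name entry without metadata; nothing to carve then — confirm against pytsk docs
        raise ValueError("no metadata available for %s" % path)
    print("File Inode:", meta.addr)
    print("File Name:", fileobject.info.name.name)
    # crtime is a Unix epoch value; render it in UTC so the timestamp does not
    # shift with the analysis machine's local time zone.
    created = datetime.fromtimestamp(meta.crtime, tz=timezone.utc)
    print("File Creation Time:", created.strftime('%Y-%m-%d %H:%M:%S'))
    with open(filename, 'wb') as outputfile:
        # Read in bounded chunks rather than one read_random() of the whole
        # file, so large artifacts need not fit in memory at once.
        chunk_size = 1 << 20
        size = meta.size
        offset = 0
        while offset < size:
            chunk = fileobject.read_random(offset, min(chunk_size, size - offset))
            if not chunk:
                break  # short read: stop rather than loop forever
            outputfile.write(chunk)
            offset += len(chunk)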
  104.  
# Extract the SAM hive; carvefile() writes it as ./SAM in the working directory.
hive_path = "/Windows/System32/config/SAM"
carvefile(hive_path)
  106.  
  107.  
  108. Carving /Windows/System32/config/SAM
  109. File Inode: 41272
  110. File Name: b'SAM'
  111. File Creation Time: 2009-07-14 02:03:40
  112.  
  113. import hashlib
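# Hash the carved copy in bounded chunks so large files are not read into
# memory whole. MD5 is kept so the digest matches the one recorded below;
# SHA-256 is printed alongside because MD5 is not collision-resistant and
# is not sufficient on its own for evidence integrity.
md5_object = hashlib.md5()
sha256_object = hashlib.sha256()
with open("SAM", 'rb') as inputfile:
    for chunk in iter(lambda: inputfile.read(1 << 20), b""):
        md5_object.update(chunk)
        sha256_object.update(chunk)
hash_object = md5_object
print(hash_object.hexdigest())
print("sha256:", sha256_object.hexdigest())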
  117.  
  118. 38629284a412203ed22dc82a5c55c885