dlcowen / dfirwizard

Example programs used in the automating DFIR series
http://www.hecfblog.com/2015/05/automating-dfir-how-to-series-on_24.html

TypeError: argument 1 must be string, not pyewf.handle #1

Open dmbina opened 7 years ago

dmbina commented 7 years ago

@dlcowen When I run the dfirwizard-v5.py code to extract files from my E01 image, I got this error message:

dfirwizard_typeerror

What should I do? I mean, this code makes perfect sense unless pytsk3.Img_Info is a string and the function ewf_Img_Info cannot take a pyewf.handle parameter?

dlcowen commented 7 years ago

Looks like you have a typo, it's ewf handle not ef

dmbina commented 7 years ago

I did change the type from ef to ewf_handle but I still have the same error... dfirwizard_typeerror2

dmbina commented 7 years ago

You were right, it was a typo issue. I solved it when I changed _init_ to __init__. The double underscores in __init__ got formatted as a single one. But I ran into another issue: tsk3_error

dlcowen commented 7 years ago

Is it a full disk image or just a partition?

dmbina commented 7 years ago

It is a full disk image. I created an image of a USB drive (1G) containing two files using ProDiscover. Do I have to install SleuthKit so that pytsk3 can work properly?

dlcowen commented 7 years ago

No, can you tell me what the partition table shows through the OS?

dmbina commented 7 years ago

It shows this: partition

dlcowen commented 7 years ago

Can you download and run mmls? It could be the whole disk was formatted and there is no partition table

dmbina commented 7 years ago

I know how to run mmls on Linux but I don't on Windows. And I am actually on Windows 8. But I got this by using diskpart:

partition_table

dmbina commented 7 years ago

I managed to get the Volume_Info code working: pytsk3_volume_info. It replicates the mmls functionality. But I still got stuck when I tried to access the file system: pytsk3_fs_info
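
The question the thread turns on (does the full disk image carry a partition table, or does a file system start directly at sector 0?) can be answered from the first 512 bytes of the image. The following is an added example, not code from dfirwizard or from either participant; `classify_sector0`, `make_mbr` and `make_fat32_vbr` are hypothetical names, the sample sectors are constructed, and a 512-byte sector size is assumed.

```python
import struct

SECTOR = 512  # assumed sector size in bytes

def classify_sector0(sector):
    """Return (kind, offsets): kind is 'mbr', 'gpt', 'vbr' or 'none';
    offsets are the byte offsets at which a file system should start."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return "none", []
    # A volume boot record (no partition table) names its file system.
    if (sector[3:11] in (b"NTFS    ", b"EXFAT   ")
            or sector[54:59] in (b"FAT12", b"FAT16")
            or sector[82:87] == b"FAT32"):
        return "vbr", [0]
    offsets = []
    for i in range(4):  # four 16-byte entries starting at byte 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            return "none", []  # boot code or junk, not a partition entry
        if ptype == 0xEE:
            return "gpt", []   # protective MBR: the real table is GPT
        if ptype != 0 and count != 0:
            offsets.append(start_lba * SECTOR)
    return ("mbr", offsets) if offsets else ("none", [])

def make_mbr(start_lba, count, ptype=0x0B):
    """Constructed sample: MBR with one active partition entry."""
    s = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", s, 446, 0x80, ptype, start_lba, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def make_fat32_vbr():
    """Constructed sample: FAT32 boot sector sitting at sector 0."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[82:90] = b"\xeb\x58\x90", b"MSDOS5.0", b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, sec in (("partitioned", make_mbr(2048, 2000000)),
                      ("bare file system", make_fat32_vbr())):
        kind, offs = classify_sector0(sec)
        # Each offset is what pytsk3.FS_Info(img, offset=...) would be given.
        print(name, kind, offs)
```

A result of `vbr` means the file system should be opened at offset 0 instead of walking a volume table; `mbr` means each returned byte offset is a candidate file system start.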