Invalid signature: b'regf'

[sorchaa]

Hello, Im extracting registry files with the litsk3 python librairies with their associated .LOG files. When I test with yarp, the SAM SECURITY and SOFTWARE can be recovered. But when I try with the reg file SYSTEM, I've got the message "yarp.RegistryFile.HiveBinException: "Invalid signature: b'regf'".

If I verify the header of this file, I've this header as the others files. Have you got an idea why it doesn't work for this file ? (ps: The others extracted files can be open without problem)(My test machine is on windows 10).

Best regards,

[msuhanov]

Hello.

1. Can you send me a sample file?
2. Are you trying to export files from a live (running) machine? (So files can be partially modified while being read.)

I'm not aware of any existing issues like this, the error message you quoted means that an expected hive bin (its signature is "hbin") is absent and something else (starting with "regf") is present instead (somewhere in the middle of the file).

[sorchaa]

I will prepare you a sample. I cant send this SYSTEM file because its my own machine. And yes, I export this file from a live machine.

Thx for your answer.

[msuhanov]

If you can't send me this file, can you post several hexadecimal dumps of its bytes from locations listed below? (Screenshots are okay too.)

1. The first 512 bytes of the file.
2. Each location with the "regf" string present (except the beginning of the file)? (Add extra bytes before and after each hit to provide context. Also, make byte offsets within the file visible in the dumps/screenshots.)

[sorchaa]

I prepared you sample files. There is SOFTWARE file and its LOG which works. And a SYSTEM with LOG which not works. They come from a w2016 server. You can find them here: https://drive.google.com/file/d/1YA8Iz5SOmVN9ipTvbdZGrXARwVMeKwH5/view?usp=sharing

[msuhanov]

I have requested access to these files.

[sorchaa]

yes I saw that, you can try now

[msuhanov]

It seems that all six files are damaged.

• SOFTWARE: the first two sectors are repeated at 0x100000, 0x200000, 0x300000, 0x400000, and so on until 0x4000000.
• SOFTWARE.LOG1: the first two sectors are repeated at 0x100000, 0x200000, 0x300000, 0x400000, and so on until 0x1900000.
• SOFTWARE.LOG2: the first two sectors are repeated at 0x100000 and 0x200000.
• SYSTEM: the first two sectors are repeated at 0x100000, 0x200000, 0x300000, 0x400000, and so on until 0xC00000.
• SYSTEM.LOG1: the first two sectors are repeated at 0x100000, 0x200000, 0x300000, and 0x400000.
• SYSTEM.LOG2: the first two sectors are repeated at 0x100000 and 0x200000.

(The interval is 1048576 bytes.)

Thus, I think the tool you are using reads data incorrectly. Can you share a Python script used to read the files?

[sorchaa]

ok, so the error should comes from when I extract theses files ? But if I test this SOFTWARE with yarp, it saids me the file can be recovered, i have the "regf" error with only SYSTEM. I will verify my function which uses libtsk3 which extract those files (but it works with others).

[msuhanov]

There are issues with both hives:

$ yarp-print --no-recovery SOFTWARE > /dev/null
Primary file seems to be truncated, only available keys and values will be printed

$ yarp-print SOFTWARE > /dev/null
Traceback (most recent call last):
  File "/usr/local/bin/yarp-print", line 384, in <module>
    hive.walk_everywhere()
  File "/usr/local/lib/python3.4/dist-packages/yarp/Registry.py", line 401, in walk_everywhere
    process_key(self.root_key())
  File "/usr/local/lib/python3.4/dist-packages/yarp/Registry.py", line 392, in process_key
    for subkey in key.subkeys():
  File "/usr/local/lib/python3.4/dist-packages/yarp/Registry.py", line 640, in subkeys
    list_buf = self.get_cell(list_offset)
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 1174, in get_cell
    raise CellOffsetException('There is no valid cell starting at this offset (relative): {}'.format(cell_relative_offset))
yarp.RegistryFile.CellOffsetException: 'There is no valid cell starting at this offset (relative): 67151872'

$ yarp-print --no-recovery SYSTEM > /dev/null
Primary file seems to be truncated, only available keys and values will be printed

$ yarp-print SYSTEM > /dev/null
Traceback (most recent call last):
  File "/usr/local/bin/yarp-print", line 376, in <module>
    recovery_result = hive.recover_auto(log, log1, log2)
  File "/usr/local/lib/python3.4/dist-packages/yarp/Registry.py", line 326, in recover_auto
    logs_applied = self.recover_new(log1, log2)
  File "/usr/local/lib/python3.4/dist-packages/yarp/Registry.py", line 266, in recover_new
    return self.registry_file.apply_new_log_files(file_object_log_or_log1, file_object_log2, self.log_entry_callback)
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 1395, in apply_new_log_files
    self.apply_new_log_file(first, callback)
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 1356, in apply_new_log_file
    self.build_cell_maps()
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 1140, in build_cell_maps
    for hbin in self.hive_bins():
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 1121, in hive_bins
    curr_hivebin = HiveBin(self.file_object, curr_pos, self.tolerate_minor_errors, self.baseblock.use_old_cell_format)
  File "/usr/local/lib/python3.4/dist-packages/yarp/RegistryFile.py", line 555, in __init__
    raise HiveBinException('Invalid signature: {}'.format(signature))
yarp.RegistryFile.HiveBinException: "Invalid signature: b'regf'"

It's likely that the tool you are using reads 1048576 bytes from a given file and then writes them over and over again to an output file.

[sorchaa]

Good news, I rewrite my extraction function and all works fine. I apologize for this error and I thank you a lot for your help. I will now try to compile all that with pyinstaller and see if it works on all machines.

Best regard,

[msuhanov]

Okay, closing this issue.