File Path for pytsk3

[chex2chex]

Please, I need help with file path. I have some code in python where I use pytsk3 to access a file and obtain its attributes. Unfortunately, the path I use works on one computer but not on another. It says ‘‘path not found.’’ Can any one help? The code is as follows:

bytes_per_sector = 512 #Local variable
disk = “\\.\PhysicalDrive0” #Open disk
diskhandle = tsk.Img_Info(disk) #Get handle on disk
diskVolumes = tsk.Volume_Info(diskhandle) #Open partition table
for volume in diskVolumes:
if b’NTFS’ in volume.desc or b’Basic data partition’ in volume.desc: #Partition
fs_handle = tsk.FS_Info(diskhandle, (volume.start * bytes_per_sector)) #Open FS
file_handle = fs_handle.open(’/Users/chex2/Desktop/Trash6/binary.jpg’)

The full error message is FS_Info_open: (tsk3.cpp:260) Unable to open file: Invalid API argument (tsk_fs_file_open: path not found: /Users/Chex2/Desktop/Trash6/binary.jpg).

[joachimmetz]

@chex2chex there is insufficient information here to help you. My assumption from reading this would be that the path does not exist on the second computer.

[joachimmetz]

@chex2chex also using pytsk on a live system might not be the best solution

• internal caching in libsk can lead to inconsistent results
• serious weaknesses in libtsk [1] can lead to exploitation to escalate privileges

[chex2chex]

Thank you for your response. I am trying to obtain cluster runs occupied by a file so I can derive sector addresses. Is there a different way to achieve this? Please advise.

[joachimmetz]

@chex2chex you'll have to be more specific and provide more context. Why do you need sector addresses? What sector addresses are you trying to obtain (physical or logical, relative to start of volume)?

[chex2chex]

Its for a research I am conducting. Either one is fine, the script I wrote initially gets me logical sector addresses, relative to start of volume, I was looking to convert that to physical addresses eventually. It's not working correctly on every computer, so I will appreciate any help I can get. Thank you.

[joachimmetz]

It's not working correctly on every computer, so I will appreciate any help I can get.

As I said before there is insufficient information here to help you. My assumption from reading this would be that the path does not exist on the second computer.

[chex2chex]

You are correct, I found that the 'Users' folder is not accessible from the root directory using my script. But using file explorer I see that it exists in windows. I can also see it using a hex viewer, but when I printed out the contents of the root directory using another script, I only see some system files like $MFT etc. I didn't see the Windows folder or the Users folder so I can't get to the file. I'm not sure I'm making any sense, but its the best way I can explain it. Thank you for your time though.

[joachimmetz]

and are you sure it is a folder not a junction or other type of file entry?

[chex2chex]

It's the Users folder that typically comes with a Windows installation, holds information about user accounts. I am able to access it on one computer and I got to the file on the desktop with my script, but I have looked at 3 other computers and I keep getting the error I shared earlier.

[joachimmetz]

Please read up on NTFS, the "Users folder" can be a Junction, e.g. if it is stored on a different volume

[chex2chex]

Okay, thank you for sharing that information. I'll read up on it.

[chex2chex]

Hi there, I have read several posts on NTFS junction and I have tried several suggestions to determine if the 'Users' folder is a junction on this system but I couldn't determine it for sure. I believe it is likely to be a junction, probably implemented differently from the suggestions I have tried. Assuming it is a junction, do you by any chance have a suggestion on how to access it?

[joachimmetz]

@chex2chex my recommendation, stop using potential outdated and incomplete blog posts as authoritative source, use more authoritative sources like MSDN, system internals

here are my notes about NTFS junctions: https://github.com/libyal/libfsntfs/blob/main/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc#junction_reparse_data

I couldn't determine it for sure

To maybe teach you something, based on what you know how a Junction is stored, what information could you use to determine this?

Assuming it is a junction, do you by any chance have a suggestion on how to access it?

Knowing that junction refers to a different volume, how could you access it?

[chex2chex]

Yes, I tried MSDN and sysinternals. I downloaded a tool written by Mark Russinovich, but I still couldn't make a determination if the folder is a junction.

I believe looking into a different partition should show if the folder is there. So I wrote the following code:

`import pytsk3

phyDrive = "\\.\PhysicalDrive0" block_size = 512 # by default block size is 512 img = pytsk3.Img_Info(phyDrive) # open the physical drive volume = pytsk3.Volume_Info(img) # get volume information for part in volume: if b'NTFS' in part.desc or b'Basic data partition' in part.desc: try: fs_info = pytsk3.FS_Info(img , offset=part.start * block_size) file_handle = fs_info.open("/Users/chex2/Desktop/Trash6/binary.jpg")#Open file to read file_name = file_handle.info.name.name file_name = file_name.decode() #Convert file name from bytes to string file_size = file_handle.info.meta.size print(file_name) print(file_size) except IOError as err: print(err)`

I got the following output: FS_Info_Con: (tsk3.cpp:214) Unable to open the image as a filesystem at offset: 0x18500000 with error: Cannot determine file system type FS_Info_open: (tsk3.cpp:260) Unable to open file: Invalid API argument (tsk_fs_file_open: path not found: /Users/chex2/Desktop/Trash6/binary.jpg)

There are 2 partitions called 'Basic data partition', one of them I could access, but the other I could not access. I suspect that the partition I could not access is where the 'Users' folder is. Unfortunately I haven't done this for very long, I only got introduced to pytsk a few weeks ago, so my knowledge is kind of limited. I appreciate you helping me out with this.

[joachimmetz]

I still couldn't make a determination if the folder is a junction.

what is the Windows native command tool for this?

block_size = 512 # by default block size is 512

are you sure this is the sector (block) size in your case?

Unfortunately I haven't done this for very long, I only got introduced to pytsk a few weeks ago, so my knowledge is kind of limited.

The problem is you're trying to use a specialist tool without the necessary knowledge and understanding. My recommendation get the understanding first; do not try keep hammering in a screw.

I suspect that the partition I could not access is where the 'Users' folder is.

Realize that you are asking me without any details of your system/set up, and I don't have a crystal ball that can give you the answers. What do other tools tell you about the partition and file system layout?

[chex2chex]

I used dir/a and the 'Users' folder does not show up as a junction, I also used other methods in the fsutil library and its not a reparse point either. Yes, block size is 512 in my case. The reason I am using pytsk3 is because I need to get cluster runs for the file eventually. I could use the os library but I won't know how to get cluster runs.

You are right, I don't have the necessary knowledge and understanding but its not due to lack of trying. I have been searching around for over a week, and I'm willing to learn, I just need some guidance, please guide me. I am not asking for anything really specific to my setup, what I am asking is in general, how do we deal with a problem like this?

[joachimmetz]

I also used other methods in the fsutil library and its not a reparse point either.

Good

what I am asking is in general, how do we deal with a problem like this?

(1) understanding what data you are looking at, (2) understanding what pytsk can and cannot do / understanding the error message (3) determining possible reasons why the code is failing and adjusting it so see what solves the issue

However you are not solving the issue in general, you are solving this issue specific to your system on which it is failing.

What do other tools tell you about the partition and file system layout?

[chex2chex]

I have been looking through the internet, I don't see a lot of documentation for pytsk, so I know I may not be interpreting what I see correctly. Most of what I have done with pytsk is by looking at examples. I know the code is failing because the 'Users' folder is not accessible in the main NTFS partition, I had printed out the entire content and didn't find there.

I used a few tools to look at the partition and file system but I could not get any ideas on how to adjust the code. I have some scrrenshots here: I found 2 basic data partition, but I am only able to access 1

I used TSK commands to look at the file system information

I used TSK commands to look at the disk

Are there other tools I could use to help me interpret the data better?

[joachimmetz]

pytsk is basically than a thin wrapper around libtsk

Are there other tools I could use to help me interpret the data better?

Sleuthkit tools are likely most representative for helping debug libtsk/pytsk related issues

can you give me some context about the fls output screenshot I do see 2x Users directories in the output, 1 recovered and 1 allocated, can you run istat on the allocated one

I have been looking through the internet, I don't see a lot of documentation for pytsk, so I know I may not be interpreting what I see correctly.

for debugging issues, documentation about the actual formats might be more useful.

[joachimmetz]

I found 2 basic data partition, but I am only able to access 1

what does a hexdump of the first 512 bytes of the volume look like? the one that is causing the error

[chex2chex]

This is what istat looks like:

[chex2chex]

This is the start of the partition

This is where the file system is supposed to start

[joachimmetz]

This is where the file system is supposed to start

so that looks BitLocker encrypted, libtsk (and therefore pytsk) does not support BitLocker

[joachimmetz]

This is what istat looks like:

can you do the same for all the segment (directories, file entries) in "/Users/chex2/Desktop/Trash6/binary.jpg", up to where the path stops

[chex2chex]

so that looks BitLocker encrypted, libtsk (and therefore pytsk) does not support BitLocker

It looks like using pytsk is going to be more trouble than its worth. I have a solution that works on one PC already, but I just can't get it to work on other systems. It may not be wise to try to solve the problem for each system. Maybe I should look for a solution that is portable across systems.

[joachimmetz]

Maybe I should look for a solution that is portable across systems.

good luck