usbdeviceforensics

No output is being written out.

Open coolcalmcollected22 opened this issue 8 years ago • 9 comments

I am not sure what is at issue for me, but when I run the tool it appears as though it is running and the console shows numerous "loading file..." entries and it ends with no error messages, but when it completes nothing is written to the csv output file. Just a csv file with only a header row is created.

Any thoughts?

coolcalmcollected22 avatar Nov 30 '17 19:11 coolcalmcollected22

Try the "--debug" parameter, see if that provides any extra detail?

Are you using a pre-compiled version or the python code directly?

woanware avatar Nov 30 '17 20:11 woanware

I don't see anything obvious (to me anyway). I redirected the console output: usb-debug.txt

And what the console printed during the redirect: usb-debug-console.txt

coolcalmcollected22 avatar Nov 30 '17 21:11 coolcalmcollected22

Are you running this against live registry files? Rather than ones copied out/extracted from a forensic image?

woanware avatar Nov 30 '17 22:11 woanware

No, the hives are from a mounted image. I have also run it against a folder full of files, and I was getting the same behavior in both cases. I have used the tool before so I was not sure if there was something I was inadvertently missing. I am on Windows 10 Pro (1703) if that matters.

coolcalmcollected22 avatar Nov 30 '17 22:11 coolcalmcollected22

OK. Can you just copy out the actual hives e.g. SYSTEM, SOFTWARE, NTUSER etc into another directory, then re-run against that directory, using the debug parameter?

If it still comes back with the following error:

"Invalid HBIN ID"

Then it suggests that the registry file header is different for that build and the underlying registry parser doesn't understand it, in which case I will need to look to see if WillB's registry parser needs updating.

woanware avatar Nov 30 '17 22:11 woanware
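A standalone way to check whether copied hives carry the expected `regf` base block and `hbin` headers, independent of the tool's parser. This is an added example, not part of the thread or of usbdeviceforensics; the function names and the constructed sample hive are hypothetical, and the field offsets follow the commonly documented regf layout.

```python
import struct

BASE_BLOCK = 4096  # size of the "regf" base block that precedes the hive bins

def build_sample_hive(bins=2, seq=(1, 1)):
    """Constructed minimal hive image for demonstration: header plus empty bins."""
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    struct.pack_into("<II", base, 4, *seq)          # primary/secondary sequence numbers
    struct.pack_into("<I", base, 40, bins * 4096)    # total size of the hive bins data
    body = b""
    for i in range(bins):
        hbin = bytearray(4096)
        hbin[0:4] = b"hbin"
        struct.pack_into("<II", hbin, 4, i * 4096, 4096)  # bin offset, bin size
        body += bytes(hbin)
    return bytes(base) + body

def check_hive(data):
    """Return a list of structural problems in a raw hive image (empty list = sane)."""
    problems = []
    if len(data) < BASE_BLOCK or data[0:4] != b"regf":
        return ["base block signature is not 'regf'; not a registry hive"]
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (%d/%d): dirty hive, logs not applied" % (seq1, seq2))
    (bins_size,) = struct.unpack_from("<I", data, 40)
    pos = 0
    while pos < bins_size:                            # walk every hive bin in order
        start = BASE_BLOCK + pos
        if start + 12 > len(data):
            problems.append("hive truncated at bin offset 0x%x" % pos)
            break
        sig = data[start:start + 4]
        offset, size = struct.unpack_from("<II", data, start + 4)
        if sig != b"hbin":
            problems.append("bad hbin signature %r at bin offset 0x%x" % (sig, pos))
            break
        if offset != pos or size == 0 or size % 4096:
            problems.append("inconsistent hbin header at bin offset 0x%x" % pos)
            break
        pos += size
    return problems

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                         # e.g. the copied SYSTEM, SOFTWARE, NTUSER files
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read()) or "OK")
```

A hive that fails the signature walk points at the parser or the copy, while a sequence-number mismatch alone points at a hive that was captured without its transaction logs being replayed.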

Not a problem. Here is what I get with the reg files and setupapi in a folder by themselves: usb-redirect.txt

Didn't see the invalid text. However, nothing was written to the output file. Here is my command for reference... usbdeviceforensics.py -o C:\xOutput\USB.csv -f csv -d -r C:\xOutput\Test1

coolcalmcollected22 avatar Nov 30 '17 22:11 coolcalmcollected22

Hello. When I started the program I got the following error:

    e:\Temp\usbdeviceforensics-master\usbdeviceforensics-master>python usbdeviceforensics.py > 1.txt
      File "usbdeviceforensics.py", line 473
        """
    SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 28-29: truncated \UXXXXXXXX escape

What could the reason be?

EugeneSam avatar Apr 24 '18 08:04 EugeneSam

@EugeneSam You are redirecting the output to a file? You need to run the script against some registry hives?

woanware avatar Dec 03 '18 19:12 woanware

@pcstopper18 Did you ever get it to work? It might be best to run the script rather than the compiled exe?

woanware avatar Dec 03 '18 19:12 woanware