Extracted files seem to be corrupted #230

@Silv3rHorn

Hi,

I have written (mostly copied) a Python script (br.txt) using dfvfs to automate the extraction of the SOFTWARE registry hive from a forensic image (including volume shadow copies). However, the hive extracted differs in hash (MD5) from the ones extracted using X-Ways and AD FTK Imager.

e.g. cfreds_2015_data_leakage_pc.E01
br.py (using dfvfs)    54449C66393659C1EB5BD98D74AD5E5D
X-Ways                 DE50BC9B74A65373B540796D9FFD9D1F
AD FTK                 DE50BC9B74A65373B540796D9FFD9D1F

binary comparison

I have tried using different forensic images, the latest 2 versions of dfvfs, and Python 2 & 3, but I still encounter this issue.

Steps to reproduce the issue:

  1. Rename br.txt to br.py
  2. Download cfreds pc image (4x e01 files) from https://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html
  3. Create output directory
  4. python br.py <downloaded cfreds image> <output directory>

Would appreciate your assistance in resolving the issue, pls.

Regards.
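
A first triage step for a hash mismatch like the one reported above, as an added example that is not part of the original issue or of the dfvfs project: compare the two extracted copies block by block to tell a truncated or padded copy apart from bytes that differ in place. The function name, the 4096-byte block size and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK = 4096  # comparison granularity in bytes (an assumption; any size works)


def compare_extractions(a, b, block=BLOCK):
    """Compare two binary streams holding copies of the same evidence file.

    Returns MD5s, sizes, merged (start, end) offsets of differing blocks in
    the common length, and a verdict: 'identical', 'prefix' (the shorter copy
    is an exact prefix of the longer) or 'content' (bytes differ in place).
    """
    md5_a, md5_b = hashlib.md5(), hashlib.md5()
    size_a = size_b = offset = 0
    ranges = []
    while True:
        chunk_a, chunk_b = a.read(block), b.read(block)
        if not chunk_a and not chunk_b:
            break
        md5_a.update(chunk_a)
        md5_b.update(chunk_b)
        size_a += len(chunk_a)
        size_b += len(chunk_b)
        common = min(len(chunk_a), len(chunk_b))
        if chunk_a[:common] != chunk_b[:common]:
            if ranges and ranges[-1][1] == offset:
                ranges[-1] = (ranges[-1][0], offset + common)  # extend the run
            else:
                ranges.append((offset, offset + common))
        offset += block
    verdict = "content" if ranges else "prefix" if size_a != size_b else "identical"
    return {
        "md5": (md5_a.hexdigest().upper(), md5_b.hexdigest().upper()),
        "size": (size_a, size_b),
        "diff_ranges": ranges,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from the image named in the issue.
    reference = bytes(range(256)) * 64   # 16 KiB stand-in for one tool's copy
    altered = bytearray(reference)
    altered[5000] ^= 0xFF                # flip one byte inside the second block
    print(compare_extractions(io.BytesIO(reference), io.BytesIO(bytes(altered))))
    print(compare_extractions(io.BytesIO(reference[:10000]), io.BytesIO(reference)))
```

For real files, pass the two extracted hives opened with `open(path, "rb")`.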

Labels: question

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions