NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes both msource AND local source data? #898

Open
secure-cake opened this issue Jan 4, 2024 · 7 comments
Labels: bug (Something isn't working)


secure-cake commented Jan 4, 2024

KAPE Version 1.3.0.2

I am collecting artifacts via Velociraptor Offline Collector, staging and processing them via KAPE on an "analysis" workstation. When I populate the artifacts on the C: volume (e.g. c:\cases\test-case\triage_data), then run the NirSoft BrowsingHistoryView or BrowserDownloadsView modules, output includes both the data in the mdest directory (my staged triage data) and data from the live, "analysis" workstation where I executed KAPE.

IMPORTANT NOTE: If I stage my triage collection on an alternate volume on my "analysis" workstation, eg d:\cases\test-case, and run the same command as below, just changing the path to reflect the d: drive, results are expected, only including msource data.

Example Command:
.\kape.exe --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui

"Browser Profile Path" results include both the mdest (c:\cases\test-case\triage_data\offline....) and local "c:\users\user\appdata\local\microsoft\edge..." paths.

[two screenshots of the module CSV output, not reproduced here]

Console Log for BrowsingHistoryView example:

[2024-01-04 10:03:38.4622603 | INF] KAPE directory: C:\tools\KAPE
[2024-01-04 10:03:38.4790135 | INF] Command line:   --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\ --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui 
[2024-01-04 10:03:38.4956785 | INF] System info: Machine name: WINDEV2311EVAL, 64-bit: true, User: User OS: "Windows10" (10.0.22621)
[2024-01-04 10:03:40.9384267 | INF] Using Module operations
[2024-01-04 10:03:40.9841873 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 10:03:40.9864295 | INF] Discovered 1 processor to run
[2024-01-04 10:03:40.9864295 | INF] Executing modules with file masks...
[2024-01-04 10:03:41.0026688 | INF] Executing remaining modules...
[2024-01-04 10:03:41.0026688 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma C:\cases\test-case\kape_nirsoft_output\WebBrowsers\BrowsingHistory.csv
[2024-01-04 10:03:41.0346128 | WRN]     Output file updated to C:\cases\test-case\kape_nirsoft_output\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 10:03:42.9003604 | INF] Executed 1 processor in 1.9440 seconds
[2024-01-04 10:03:42.9160727 | INF] Total execution time: 1.9662 seconds
AndrewRathbun self-assigned this Jan 4, 2024

AndrewRathbun (Collaborator) commented:

Very weird, are you using the latest version of the NirSoft binaries? I just did a test on my own system and it did not have any live data processed in the CSV.

[2024-01-04 16:15:40.2657500 | INF] KAPE directory: E:\KAPE
[2024-01-04 16:15:40.2732603 | INF] Command line:   --msource E:\ToolOutput\browsingHistoryTest\tout\C --mdest E:\ToolOutput\browsingHistoryTest\mout --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui 
[2024-01-04 16:15:40.2747651 | INF] System info: Machine name: ANDREW-PERSONAL, 64-bit: true, User: Andrew Rathbun OS: "Windows10" (10.0.22635)
[2024-01-04 16:15:40.4055802 | DBG]   Validating configuration files
[2024-01-04 16:15:41.0894534 | DBG] 309 targets and 446 modules validated successfully
[2024-01-04 16:15:41.0904550 | INF] Using Module operations
[2024-01-04 16:15:41.0959451 | INF]   Module NirSoft_BrowsingHistoryView: Found 2 processors
[2024-01-04 16:15:41.0984553 | DBG]   NirSoft_BrowsingHistoryView (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1004567 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1035197 | INF]   Module NirSoft_WebBrowserDownloads: Found 1 processor
[2024-01-04 16:15:41.1035197 | DBG]   NirSoft_WebBrowserDownloads (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1045250 | INF]     Found processor Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1055248 | INF] Discovered 2 processors to run
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_BrowsingHistoryView, Processor: Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False  , Category: WebBrowsers , Export file: NirSoftBrowsingHistoryViewConsoleOutput.txt
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_WebBrowserDownloads, Processor: Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False  , Category: WebBrowsers 
[2024-01-04 16:15:41.1075232 | INF] Executing modules with file masks...
[2024-01-04 16:15:41.1085256 | INF] Executing remaining modules...
[2024-01-04 16:15:41.1095250 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder E:\ToolOutput\browsingHistoryTest\tout\C\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\BrowsingHistory.csv
[2024-01-04 16:15:41.1259448 | WRN]     Output file updated to E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 16:15:44.4232409 | WRN]   ** Cannot find executable BrowserDownloadsView.exe in directory E:\KAPE\Modules\NirSoft_WebBrowserDownloads or E:\KAPE\Modules\bin. Aborting execution and skipping any further modules using this executable
[2024-01-04 16:15:44.4262404 | INF] Executed 2 processors in 3.3334 seconds
[2024-01-04 16:15:44.4292400 | INF] Total execution time: 3.3391 seconds

Granted, I didn't test the BrowserDownloadsView portion, but I can if needed. Do we know if the screenshot you included is for BrowsingHistoryView or BrowserDownloadsView output?

secure-cake (Author) commented:

Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume, the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

EricZimmerman (Owner) commented Jan 4, 2024 via email

AndrewRathbun (Collaborator) commented:

> Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume, the NirSoft output is as expected (no local data included).
>
> I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

E is not my OS drive but that's good context to have. I can test that out next time I'm back at the keyboard. Definitely not a KAPE issue though but maybe there's something we can add in the Module to inform others about this.

secure-cake (Author) commented:

Thank you, Andrew and Eric! As always, appreciate the prompt responses.

AndrewRathbun (Collaborator) commented:

@secure-cake I just tried the following:

.\kape.exe --msource C:\temp\browsingHistoryTest\tout\C --mdest C:\temp\browsingHistoryTest\mout --mflush --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui

and in the Source File column(s) for BrowsingHistoryView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

For the BrowserDownloadsView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default

Nothing from my live system so I'm not sure what's going on in your scenario...

AndrewRathbun added the bug label Jan 5, 2024

secure-cake (Author) commented:

Howdy, @AndrewRathbun and thank you for testing! So...if I stage triage data on the OS volume and there is a user profile on the local system named "User" (note that I don't have to be logged in as "User," the profile just has to exist), I can recreate the above weirdness (inclusion of local data). If I rename the "Users\User" profile folder to "Users\bob" for example, output is as expected.

Bottom line, I would never do either (stage data on OS volume or have a user account named "User") in production, but did for testing with a Win 11 Dev VM. I confess I panicked a bit that perhaps I'd polluted actual case data on a previous case based on this odd behavior, but seems like a VERY specific set of unusual circumstances.

Sorry for the chasing of wild geese!
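The contamination described in this thread is easy to miss when the triage data and the live workstation share a drive letter and a profile name. An added post-processing check (not part of KAPE or the NirSoft tools) that reads the module's CSV output and flags every row whose source path does not sit under the staged msource tree; the column name "History File" and the sample rows are constructed for illustration.

```python
"""Flag NirSoft CSV rows whose source file is outside the staged msource tree.

Added example, not KAPE or NirSoft code. The "History File" column name is
assumed from the issue text; BrowserDownloadsView uses a similar column.
"""
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample: row 2 and row 4 come from the staged triage data,
# row 3 is the live analysis workstation's own Edge profile (the leak).
SAMPLE_CSV = """URL,Title,Visit Time,History File
https://example.com/a,Example A,08/02/2023 08:49:13,C:\\cases\\test-case\\triage_data\\offline-x\\uploads\\auto\\C%3A\\Users\\User\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\History
https://example.com/b,Example B,01/04/2024 10:03:40,C:\\Users\\User\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\History
https://example.com/c,Example C,08/02/2023 08:50:01,c:\\CASES\\test-case\\triage_data\\offline-x\\uploads\\auto\\C%3A\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History
"""


def is_under(path: str, root: str) -> bool:
    """Case-insensitive containment test for Windows paths (NTFS is
    case-insensitive, so C:\\Cases and c:\\cases are the same tree)."""
    p = PureWindowsPath(path.lower()).parts
    r = PureWindowsPath(root.lower()).parts
    return p[: len(r)] == r


def find_foreign_rows(csv_text: str, msource: str,
                      path_column: str = "History File"):
    """Return (row_number, path) for every row whose source path is not
    under msource. Row numbers count the header as line 1, matching what
    an analyst sees when opening the CSV in a spreadsheet."""
    reader = csv.DictReader(io.StringIO(csv_text))
    foreign = []
    for row_number, row in enumerate(reader, start=2):
        src = row.get(path_column, "") or ""
        if not is_under(src, msource):
            foreign.append((row_number, src))
    return foreign


if __name__ == "__main__":
    staged = r"C:\cases\test-case\triage_data"
    for number, path in find_foreign_rows(SAMPLE_CSV, staged):
        print(f"row {number}: source outside msource -> {path}")
```

Run the check against the real BrowsingHistory.csv / BrowserDownloadsView.csv from the mdest folder; any flagged row means the module read something that is not part of the case evidence.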

AndrewRathbun changed the title from "NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes bouth msource AND local source data?" to "NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes both msource AND local source data?" May 9, 2024