NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes both msource AND local source data? #898
Comments
Very weird, are you using the latest version of the NirSoft binaries? I just did a test on my own system and it did not have any live data processed in the CSV.
Granted, I didn't test the BrowserDownloadsView portion, but I can if needed. Do we know if the screenshot you included is for BrowsingHistoryView or BrowserDownloadsView output?
Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume, the NirSoft output is as expected (no local data included). I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.
nirsoft is probably following a symlink blindly
Eric Zimmerman
E is not my OS drive but that's good context to have. I can test that out next time I'm back at the keyboard. Definitely not a KAPE issue though but maybe there's something we can add in the Module to inform others about this.
Thank you, Andrew and Eric! As always, appreciate the prompt responses.
@secure-cake I just tried the following:
and in the Source File column(s) for BrowsingHistoryView output, I have the following:
For the BrowserDownloadsView output, I have the following:
Nothing from my live system so I'm not sure what's going on in your scenario...
Howdy, @AndrewRathbun and thank you for testing! So...if I stage triage data on the OS volume and there is a user profile on the local system named "User" (note that I don't have to be logged in as "User," the profile just has to exist), I can recreate the above weirdness (inclusion of local data). If I rename the "Users\User" profile folder to "Users\bob" for example, output is as expected. Bottom line, I would never do either (stage data on OS volume or have a user account named "User") in production, but did for testing with a Win 11 Dev VM. I confess I panicked a bit that perhaps I'd polluted actual case data on a previous case based on this odd behavior, but seems like a VERY specific set of unusual circumstances. Sorry for the chasing of wild geese!
KAPE Version 1.3.0.2
I am collecting artifacts via Velociraptor Offline Collector, staging and processing them via KAPE on an "analysis" workstation. When I populate the artifacts on the C: volume (e.g. c:\cases\test-case\triage_data), then run the NirSoft BrowsingHistoryView or BrowserDownloadsView modules, output includes both the data in the mdest directory (my staged triage data) and data from the live, "analysis" workstation where I executed KAPE.
IMPORTANT NOTE: If I stage my triage collection on an alternate volume on my "analysis" workstation, e.g. d:\cases\test-case, and run the same command as below, just changing the path to reflect the d: drive, results are expected, only including msource data.
Example Command:
.\kape.exe --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui
"Browser Profile Path" results include both the mdest (c:\cases\test-case\triage_data\offline....) and local "c:\users\user\appdata\local\microsoft\edge..." paths.
Console Log for BrowsingHistoryView example:
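The practical worry in this thread is contamination: rows from the analysis workstation's own browser profiles ending up in case output next to rows from the staged msource. A cheap post-processing check is to parse the module's CSV output and flag every row whose path column does not sit underneath the `--msource` root passed to KAPE. The script below is an added example for this issue, not code from KAPE, the KapeFiles module or NirSoft; it assumes the column names seen on this page ("Browser Profile Path" for BrowsingHistoryView, "History File" for BrowserDownloadsView), uses a constructed two-row CSV as sample input, and assumes the real CSV can be opened as UTF-8 (adjust the encoding if your NirSoft build writes UTF-16). Path comparison uses `ntpath` so it behaves like Windows (case-insensitive, backslash separators) even when run on Linux or macOS.

```python
import csv
import io
import ntpath
from typing import Iterable, List, Tuple

# Default path columns, taken from the column names mentioned in this issue.
PATH_COLUMNS = ("Browser Profile Path", "History File")

# The --msource root from the issue's example command.
MSOURCE = (r"C:\cases\test-case\triage_data"
           r"\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00"
           r"\uploads\auto\C%3A\Users")

# Constructed sample CSV (not real tool output): one row whose profile path is
# inside the staged msource tree, one that points at the live workstation's
# own "User" profile, which is the contamination described in the issue.
SAMPLE_CSV = r"""URL,Title,Visit Time,Browser Profile Path
https://example.invalid/a,Staged row,2023-08-01 10:00:00,C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default
https://example.invalid/b,Live row,2024-01-04 16:00:00,c:\users\user\appdata\local\microsoft\edge\user data\default
"""


def normalize(path: str) -> str:
    """Windows-style normalization: collapse separators, lowercase."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    """True if 'path' equals 'root' or lies beneath it (case-insensitive).

    The trailing separator in the prefix test stops 'c:\\casesX' from
    matching a root of 'c:\\cases'.
    """
    p = normalize(path)
    r = normalize(root).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def find_foreign_rows(csv_text: str, msource: str,
                      path_columns: Iterable[str] = PATH_COLUMNS) -> List[Tuple[str, str]]:
    """Return (column, value) pairs whose path is outside the msource root.

    Raises ValueError if none of the expected path columns exist, so a
    renamed column cannot silently turn into a clean result.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    present = [c for c in path_columns if c in (reader.fieldnames or [])]
    if not present:
        raise ValueError(f"none of {tuple(path_columns)} found in CSV header")
    foreign: List[Tuple[str, str]] = []
    for row in reader:
        for col in present:
            value = row.get(col)
            if value and not is_under(value, msource):
                foreign.append((col, value))
    return foreign


def check_file(csv_path: str, msource: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for a real output file (encoding is an assumption)."""
    with open(csv_path, encoding="utf-8-sig", newline="") as fh:
        return find_foreign_rows(fh.read(), msource)


if __name__ == "__main__":
    hits = find_foreign_rows(SAMPLE_CSV, MSOURCE)
    if hits:
        print(f"{len(hits)} row(s) reference paths outside the msource root:")
        for col, value in hits:
            print(f"  [{col}] {value}")
    else:
        print("all rows are under the msource root")
```

Run it against the real `--mdest` CSV with `check_file(r"C:\cases\test-case\kape_nirsoft_output\...csv", MSOURCE)`; any hit is a row that should be investigated before the output is treated as case data. Because the comparison is a plain prefix test, it also catches the case the thread describes where the staged tree sits on the OS volume and a local `C:\Users\User` profile is picked up alongside it.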