
Profile paths that contain %SystemDrive% require special handling for artifact filters #2327

Closed
joachimmetz opened this issue Feb 2, 2019 · 7 comments
Assignees
Labels
bug enhancement New or improved functionality

Comments

@joachimmetz
Member

joachimmetz commented Feb 2, 2019

Windows XP user profile paths contain %SystemDrive%; this requires an additional expansion when used in artifact filters.

@joachimmetz joachimmetz added the needs closer look Issue that requires further analysis by a maintainer label Feb 2, 2019
@ant1
Contributor

ant1 commented Feb 2, 2019

With ppa:gift/stable and plaso 20190131:

$ log2timeline.py --artifact_filters OperaHistory OperaHistory.plaso xp-tdungan-c-drive.E01 
2019-02-02 10:24:17,862 [INFO] (MainProcess) PID:3480 <data_location> Determined data location: /usr/share/plaso
2019-02-02 10:24:17,932 [INFO] (MainProcess) PID:3480 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OK]


Source path	: /home/xxx/xp-tdungan-c-drive.E01
Source type	: storage media image
Artifact filters	: OperaHistory
Processing time	: 00:00:00

Processing started.
2019-02-02 10:24:32,300 [INFO] (MainProcess) PID:3480 <engine> Preprocessing detected operating systems: Windows NT
2019-02-02 10:24:32,301 [INFO] (MainProcess) PID:3480 <extraction_tool> Parser filter expression set to: winxp,win7
2019-02-02 10:24:36,420 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\Tim/Library/Opera//global_history.dat"
2019-02-02 10:24:36,423 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\LocalService/Library/Opera//global_history.dat"
2019-02-02 10:24:36,423 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "\WINDOWS\system32\config\systemprofile/Library/Opera//global_history.dat"
2019-02-02 10:24:36,423 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\RSydow/Library/Opera//global_history.dat"
2019-02-02 10:24:36,423 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\tdungan/Library/Opera//global_history.dat"
2019-02-02 10:24:36,423 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\NetworkService/Library/Opera//global_history.dat"
2019-02-02 10:24:36,424 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\SRL-Helpdesk/Library/Opera//global_history.dat"
2019-02-02 10:24:36,424 [WARNING] (MainProcess) PID:3480 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\vibranium/Library/Opera//global_history.dat"
2019-02-02 10:24:36,425 [WARNING] (MainProcess) PID:3480 <log2timeline> Unable to build filter specification: Error processing filters, no valid specifications built.

@joachimmetz
Member Author

joachimmetz commented Feb 2, 2019

So the artifact definition OperaHistory does not use %SystemDrive% but %%users.appdata%%:

---
name: OperaHistory
doc: Opera browser history (global_history.dat).
sources:
- type: FILE
  attributes: {paths: ['%%users.homedir%%/Library/Opera//global_history.dat']}
  supported_os: [Darwin]
- type: FILE
  attributes: {paths: ['%%users.homedir%%/.opera/global_history.dat']}
  supported_os: [Linux]
- type: FILE
  attributes:
    paths:
      - '%%users.appdata%%\Opera\Opera\global_history.dat'
      - '%%users.appdata%%\Opera Software\Opera Stable\History'
    separator: '\'
  supported_os: [Windows]
supported_os: [Windows,Darwin,Linux]
labels: [Browser]
urls: ['http://www.forensicswiki.org/wiki/Opera']

Which is a variant of issue #2326.

@joachimmetz
Member Author

joachimmetz commented Feb 2, 2019

However, expansion replaces this with '%SystemDrive%':

2019-02-02 15:43:12,317 [WARNING] (MainProcess) PID:5858 <artifact_filters> The path filter must be defined as an absolute path: "%SystemDrive%\Documents and Settings\LocalService/Library/Opera//global_history.dat"

Looks like double expansion and/or normalization is needed for user profile paths.

@joachimmetz joachimmetz changed the title Expansion of %SystemDrive% works on a Windows 7 image but not on a Windows XP image Windows XP profile paths require additional expansion of %SystemDrive% for artifacts Feb 2, 2019
@joachimmetz joachimmetz removed the needs closer look Issue that requires further analysis by a maintainer label Feb 2, 2019
@joachimmetz joachimmetz self-assigned this Feb 2, 2019
@joachimmetz joachimmetz changed the title Windows XP profile paths require additional expansion of %SystemDrive% for artifacts Windows XP profile paths require additional expansion of %SystemDrive% for artifact filters Feb 2, 2019
@joachimmetz joachimmetz added the enhancement New or improved functionality label Feb 2, 2019
@joachimmetz
Member Author

joachimmetz commented Feb 2, 2019

After adding changes to strip %SystemDrive% (#2328):

2019-02-02 16:49:03,929 [WARNING] (MainProcess) PID:7701 <artifact_filters> The path filter must be defined as an absolute path: "\Documents and Settings\vibranium/Library/Opera//global_history.dat"
2019-02-02 16:49:03,929 [WARNING] (MainProcess) PID:7701 <log2timeline> Unable to build filter specification: Error processing filters, no valid specifications built.

The return has the wrong level of indentation: https://github.com/log2timeline/plaso/blob/master/plaso/engine/artifact_filters.py#L239 (yeah, Python).

After fixing that:

2019-02-02 17:26:20,262 [WARNING] (MainProcess) PID:10511 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Opera\Opera\global_history.dat"

Need expansion of %%users.appdata%% to function properly.

@joachimmetz joachimmetz changed the title Windows XP profile paths require additional expansion of %SystemDrive% for artifact filters Profile paths that contain %SystemDrive% require special handling for artifact filters Feb 2, 2019
@joachimmetz joachimmetz added blocked Work cannot progress until another issue is resolved bug labels Feb 2, 2019
@joachimmetz
Member Author

Tracking changes for %%users.appdata%% expansion in #2326.

@joachimmetz joachimmetz added close after review Issue as outstanding pull request(s) and can be closed once these have been reviewed and merged and removed blocked Work cannot progress until another issue is resolved labels Feb 2, 2019
@joachimmetz joachimmetz added this to the 2019 February Release milestone Feb 2, 2019
@joachimmetz joachimmetz removed the close after review Issue as outstanding pull request(s) and can be closed once these have been reviewed and merged label Feb 6, 2019
@ant1
Contributor

ant1 commented Feb 6, 2019

It seems that %%environ_systemdrive%% needs special handling too.

How to reproduce:

log2timeline.py --artifact_filters NTFSMFTFiles NTFSMFTFiles.plaso /media/FOR508/xp-tdungan-10.3.58.7/xp-tdungan-c-drive/xp-tdungan-c-drive.E01

@joachimmetz
Member Author

joachimmetz commented Feb 7, 2019

Ack, any variable that is used needs to be supported. I've created #2343 to track this.

Also, artifacts could use some enforcement to ensure this set of variables is known: ForensicArtifacts/artifacts#311
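The double expansion this thread arrives at, as an added Python example that is not plaso's own code: artifact path variables (%%users.appdata%%, %%users.homedir%%, %%environ_*%%) are expanded against constructed Windows XP style preprocessing data in which the registry profile paths themselves carry %SystemDrive%, then separators are normalised and the drive letter stripped so the result is the absolute volume path a filter needs. The user names, the Application Data suffix and the environment map are assumed sample values.

```python
import re

# Constructed sample data modelled on the Windows XP image in this issue
# (hypothetical values, not taken from the image itself).
ENVIRONMENT = {'systemdrive': 'C:', 'systemroot': 'C:\\WINDOWS'}
USERS = [
    {'username': 'tdungan', 'profile_path': '%SystemDrive%\\Documents and Settings\\tdungan'},
    {'username': 'LocalService', 'profile_path': '%SystemDrive%\\Documents and Settings\\LocalService'},
    {'username': 'SYSTEM', 'profile_path': '%SystemRoot%\\system32\\config\\systemprofile'},
]
APPDATA_SUFFIX = '\\Application Data'  # assumed XP layout of appdata inside the profile
ENV_PATTERN = re.compile(r'%(\w+)%')


def expand_environment(path, environment):
    """Replace %SystemDrive%-style variables, case-insensitively, from the environment map."""
    def repl(match):
        value = environment.get(match.group(1).lower())
        if value is None:
            raise ValueError('unknown environment variable: %s' % match.group(0))
        return value
    return ENV_PATTERN.sub(repl, path)


def expand_artifact_path(artifact_path, users, environment):
    """Expand one artifact path into one absolute filter path per matching user.

    The profile path substituted for a user variable may itself contain
    %SystemDrive%, so environment expansion runs after user substitution.
    """
    # %%environ_systemdrive%% becomes %systemdrive% for the environment pass below.
    path = re.sub(r'%%environ_(\w+)%%', lambda m: '%%%s%%' % m.group(1), artifact_path)
    if '%%users.' not in path:
        candidates = [path]
    else:
        candidates = []
        for user in users:
            homedir = user['profile_path']
            candidate = path.replace('%%users.homedir%%', homedir)
            candidates.append(candidate.replace('%%users.appdata%%', homedir + APPDATA_SUFFIX))
    results = []
    for candidate in candidates:
        candidate = expand_environment(candidate, environment)
        # The warnings on this page show mixed '\' and '/' and doubled separators.
        candidate = re.sub(r'[\\/]+', '\\\\', candidate)
        # Filters are absolute paths on the volume, so the drive letter is dropped.
        candidate = re.sub(r'^[A-Za-z]:', '', candidate)
        if not candidate.startswith('\\'):
            raise ValueError('path filter must be absolute: %s' % candidate)
        results.append(candidate)
    return results
```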
