DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

GetThis folder output #23

Closed FabiFaust closed 4 years ago

FabiFaust commented 4 years ago

I am trying to output a folder using GetThis for all the collected files, instead of a zip archive. The documentation page mentions that the included output options are not working for GetThis so I have not been able to get it to work.

I have tried using <output name="Artifacts" source="File" argument="/out=Artifacts"/> in the XML config file (using source="Folder" does not work either). It always fails with (console):

pid=7996  ArtifactModuleFolder: Terminates (exitcode=0x2)
ERROR (The System cannot find the File specified, hr=0x80070002): no file to cab for path C:\correct\path, ignored

When I try adding /out=Artifacts in arguments of the XML config file instead, it always fails with a similar error: (log file)

Copying matching samples to Artifacts
ERROR (The System cannot find the File specified, hr=0x80070003): CreateFile(Artifacts\AmCache\0013000000048E1A_Amcache.hve.LOG2_data) failed
ERROR (The System cannot find the File specified, hr=0x80070003): Failed to create sample file Artifacts\AmCache\0013000000048E1A_Amcache.hve.LOG2_data

The folder is always created in the right place for both versions and the csv and log file stored inside, but never one of the collected files.

jgautier-anssi commented 4 years ago

Hi Fabian, Thank you for your interest in dfir-orc and AmCache is for sure a good source of information! ;-)

Could you share your xml configuration files here so we can better understand what you are trying to achieve?

FabiFaust commented 4 years ago

By default GetThis creates a 7z archive containing all the collected files, the csv and the log files. All I am trying to do is to have it create a normal folder instead, that's all.

Using the config file I have uploaded, GetThis attempts to do this, only to exit mid-way once it is trying to add the collected files into the folder.

ORC uploadconfigs.zip

jgautier-anssi commented 4 years ago

Thank you for sharing the configuration files. I think you found a bug in dfir-orc. The current implementation does not support creating subdirectories under the output directory (i.e. Artifacts1\AmCache in your case). Creating directly the files under Artifacts1 is the advised workaround until we fix this bug. This implies removing the name="AmCache" attribute in your getthis config file. Also, the correct syntax to collect a directory's content is (in your dfir-orc config):

  (I am not 100% sure the filematch is mandatory though)

I am attaching here the files I used to successfully test the workaround.

Please let us know if this works for you. (at least until we fix the underlying bug :-) )

Jean ORC.uploadconfigs.zip

jgautier-anssi commented 4 years ago
<output name="Artifacts1" source="Directory" filematch="*" argument="/out={FileName}"/>

Sorry, that part got lost

jgautier-anssi commented 4 years ago

Saving for later: The faulty code is probably in "Main::CollectMatchingSamples(const std::wstring& outputdir, ITableOutput& output, SampleSet& MatchingSamples)" (in src\OrcCommand\GetThis_Run.cpp, line 782):

            fs::path sampleFile = output_dir / fs::path(sample_ref.SampleName);

We made sure that output_dir was created but, in this context, SampleName is AmCache\TheActualSampleName.whatever.
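
The failure mode described above, reproduced and fixed in a small added example (this is not dfir-orc code; write_sample_unfixed, write_sample_fixed and the scratch paths are assumed names for illustration): the output directory exists, but the sample name still carries the AmCache subdirectory, so opening the file fails until the parent chain is created first.

```cpp
#include <filesystem>
#include <fstream>
#include <string>

namespace fs = std::filesystem;

// Faulty step as described in the issue: output_dir exists, but SampleName
// carries a subdirectory, so CreateFile/ofstream fails on the missing parent.
bool write_sample_unfixed(const fs::path& output_dir, const fs::path& sample_name) {
    fs::create_directories(output_dir);                 // GetThis already does this
    fs::path sampleFile = output_dir / sample_name;     // e.g. Artifacts\AmCache\...
    std::ofstream out(sampleFile, std::ios::binary);    // parent "AmCache" is missing
    if (!out) return false;                             // -> the reported error
    out << "constructed sample content";
    return true;
}

// Fixed variant: create the sample's parent chain before opening the file.
bool write_sample_fixed(const fs::path& output_dir, const fs::path& sample_name) {
    fs::create_directories(output_dir);
    fs::path sampleFile = output_dir / sample_name;
    std::error_code ec;
    fs::create_directories(sampleFile.parent_path(), ec);  // no-op if already present
    if (ec) return false;
    std::ofstream out(sampleFile, std::ios::binary);
    if (!out) return false;
    out << "constructed sample content";
    return true;
}

// Constructed sample name taken from the issue's log line, built with operator/
// so the separator is right on any platform (backslash on Windows, slash elsewhere).
static const fs::path kSample = fs::path("AmCache") / "0013000000048E1A_Amcache.hve.LOG2_data";

// Each demo runs in a fresh scratch directory under the system temp path (assumed location).
static fs::path fresh_dir(const char* name) {
    fs::path dir = fs::temp_directory_path() / "orc_issue23_example" / name;
    fs::remove_all(dir);
    return dir;
}

bool demo_unfixed_fails() { return !write_sample_unfixed(fresh_dir("unfixed"), kSample); }
bool demo_fixed_succeeds() {
    fs::path dir = fresh_dir("fixed");
    return write_sample_fixed(dir, kSample) && fs::exists(dir / kSample);
}

int main() { return (demo_unfixed_fails() && demo_fixed_succeeds()) ? 0 : 1; }
```

Compile with a C++17 toolchain (std::filesystem); the unfixed path reproduces the "Failed to create sample file" condition, the fixed one writes Artifacts\AmCache\... successfully.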

FabiFaust commented 4 years ago

It works now, thanks!