DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

GetThis output error: Failed to update archive #37

Closed MAL-FOR509 closed 3 years ago

MAL-FOR509 commented 3 years ago

Hello,

I followed the tutorial steps, and in step "3 - Test the Configuration", when I run the following command: .\output\DFIR-Orc.exe GetThis /nolimits /sample=ntdll.dll /out=ntdll.7z "C:\"

I have the error output:

...
2021-02-16T22:49:42.274Z [T] Record 281474977160597 entry is null, skipped
2021-02-16T22:49:42.274Z [T] Record 281474977160612 entry is null, skipped
2021-02-16T22:49:42.274Z [T] Record 844424930581957 entry is null, skipped
2021-02-16T22:49:42.274Z [D] Done!
2021-02-16T22:49:42.275Z [D] MFT Walker statistics: Done
2021-02-16T22:49:42.275Z [D] Map Count: 450001
2021-02-16T22:49:42.295Z [T] Total -> Available: 0, Directories: 0, Not parsed: 0, Incomplete: 0
2021-02-16T22:49:42.404Z [D] Archive7z: SetCompressionLevel to 4
2021-02-16T22:49:42.405Z [E] Failed to update archive [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.427Z [E] Failed to compress 'GetThis.7z' [-2147024809]
2021-02-16T22:49:42.427Z [D] Archive7z: SetCompressionLevel to 4
2021-02-16T22:49:42.428Z [E] Failed to update compression level to 4 [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to compress stream [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to flush stream [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to close archive [-2147024809]
2021-02-16T22:49:42.436Z [C] Dump log backtrace due to some previously encoutered error(s). This could probably be ignored, you may NOT have encoutered any critical error. Error levels are being reevaluated and this backtrace could help in case of mistakes.
2021-02-16T22:49:42.493Z [I] ** Backtrace End ****

If I set a csv file as output, I have:

...
2021-02-17T00:25:48.892Z [T] EnumProcess 'VSSVC.exe'
2021-02-17T00:25:48.892Z [T] EnumProcess 'DFIR-Orc.exe'
2021-02-17T00:25:48.892Z [T] EnumProcess 'WmiPrvSE.exe'
2021-02-17T00:25:48.892Z [D] Opening 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' for ressource 'vssapi.dll' of type 'VALUES'
2021-02-17T00:25:48.892Z [D] Opening 'C:\Windows\explorer.exe' for ressource 'vssapi.dll' of type 'VALUES'
2021-02-17T00:25:48.893Z [D] ExtensionLibrary: Loaded 'vssapi.dll' successfully
2021-02-17T00:25:48.893Z [D] ExtensionLibrary: Loaded 'C:\WINDOWS\SYSTEM32\vssapi.dll' successfully
2021-02-17T00:25:48.893Z [D] TryLoad succeeded for reference 'vssapi.dll'
2021-02-17T00:25:48.893Z [D] Failed GetProcAddress on 'CreateVssBackupComponents' [0x8007007f: The specified procedure could not be found.]
2021-02-17T00:25:48.893Z [D] Library class Orc::VssAPIExtension is loaded and initialized
2021-02-17T00:25:48.900Z [W] Failed to initalise VSS service, most likely cause: you are running a 32 bits process on x64 system [0x80042302: unknown error]
2021-02-17T00:25:48.900Z [W] VSS functionatility is not available [0x80042302: unknown error]
2021-02-17T00:25:48.900Z [T] End of location enumeration
2021-02-17T00:25:48.900Z [E] None of the supported output for option /Out matched out=ntdll.csv
2021-02-17T00:25:48.956Z [C] Failed to parse command line arguments [0x80070057: The parameter is incorrect.]
2021-02-17T00:25:49.131Z [I] ** Backtrace End ****

And a directory:

...
2021-02-17T00:26:39.368Z [T] Record 281474977198242 entry is null, skipped
2021-02-17T00:26:39.368Z [T] Record 2251799814172836 entry is null, skipped
2021-02-17T00:26:39.368Z [D] Done!
2021-02-17T00:26:39.368Z [D] MFT Walker statistics: Done
2021-02-17T00:26:39.368Z [D] Map Count: 487583
2021-02-17T00:26:39.384Z [T] Total -> Available: 0, Directories: 0, Not parsed: 0, Incomplete: 0
2021-02-17T00:26:39.491Z [C] Dump log backtrace due to some previously encoutered error(s). This could probably be ignored, you may NOT have encoutered any critical error. Error levels are being reevaluated and this backtrace could help in case of mistakes.
2021-02-17T00:26:39.572Z [I] ** Backtrace End ****

A directory is created, but it remains empty.

I have no issue with previous command lines like .\output\DFIR-Orc.exe NTFSInfo /out=C_drive.csv "C:\" or .\DFIR-Orc_x64.exe NTFSUtil /USN "\\.\c:". I found a similar topic that recommended running it with /Compression=Fastest or lower, but the result is the same. I also ran it on another workstation; it doesn't change anything.

Any idea?
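The log excerpts above report the same failure twice, once as `0x80070057` and once as the signed decimal `-2147024809`, and the error-level lines are buried among hundreds of trace lines. The following Python is an added example, not part of this issue or of DFIR-Orc: it parses a few constructed lines in the quoted log format, normalises both spellings of the HRESULT to one unsigned value and splits it into severity, facility and Win32 code so that `[E]` and `[C]` lines can be triaged in bulk. The sample lines, the regular expressions and the small Win32 name table are my own; only the two Win32 codes that occur in the quoted logs are named.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DFIR-Orc log format quoted above (not a real capture).
SAMPLE_LOG = """\
2021-02-16T22:49:42.404Z [D] Archive7z: SetCompressionLevel to 4
2021-02-16T22:49:42.405Z [E] Failed to update archive [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.427Z [E] Failed to compress 'GetThis.7z' [-2147024809]
2021-02-17T00:25:48.893Z [D] Failed GetProcAddress on 'CreateVssBackupComponents' [0x8007007f: The specified procedure could not be found.]
2021-02-17T00:25:48.900Z [W] VSS functionatility is not available [0x80042302: unknown error]
2021-02-17T00:25:48.956Z [C] Failed to parse command line arguments [0x80070057: The parameter is incorrect.]
"""

# "<ISO timestamp> [<level letter>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\[(?P<level>[TDIWEC])\]\s+(?P<msg>.*)$")
# Trailing "[0x80070057: text]" or "[-2147024809]" carrying the HRESULT.
HRESULT_RE = re.compile(r"\[(?P<code>0x[0-9A-Fa-f]{1,8}|-?\d+)(?::[^\]]*)?\]\s*$")

FACILITY_WIN32 = 7
# Only the Win32 codes present in the quoted logs; extend as needed.
WIN32_NAMES = {87: "ERROR_INVALID_PARAMETER", 127: "ERROR_PROC_NOT_FOUND"}


@dataclass
class Entry:
    ts: str
    level: str
    msg: str
    hresult: Optional[int]  # normalised to an unsigned 32-bit value


def parse_hresult(token: str) -> int:
    """Accept '0x80070057' or the signed decimal '-2147024809'; both map to 0x80070057."""
    value = int(token, 16) if token.lower().startswith("0x") else int(token, 10)
    return value & 0xFFFFFFFF  # two's-complement wrap of the signed form


def describe_hresult(hr: int) -> str:
    """Split an HRESULT into severity bit, facility and code per the Windows layout."""
    status = "FAILED" if hr & 0x80000000 else "OK"
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, f"Win32 error {code}")
        return f"0x{hr:08X} ({status}, FACILITY_WIN32, {name})"
    return f"0x{hr:08X} ({status}, facility {facility}, code 0x{code:04X})"


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation or banner lines that carry no timestamp
        msg = m.group("msg")
        h = HRESULT_RE.search(msg)
        code = parse_hresult(h.group("code")) if h else None
        entries.append(Entry(m.group("ts"), m.group("level"), msg, code))
    return entries


def failures(text: str) -> List[Entry]:
    """Error [E] and critical [C] lines only, what a triage script surfaces first."""
    return [e for e in parse_log(text) if e.level in ("E", "C")]


if __name__ == "__main__":
    for e in failures(SAMPLE_LOG):
        detail = describe_hresult(e.hresult) if e.hresult is not None else "no HRESULT"
        print(e.ts, e.level, e.msg.split(" [")[0], "->", detail)
```

Run against a real DFIR-Orc log, `failures()` reduces the backtrace dump to the handful of lines worth reading, and `describe_hresult()` shows that every failure in the first excerpt is the same `ERROR_INVALID_PARAMETER` reported through different layers, which is a hint that one bad argument is propagating rather than several independent faults.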

fabienfl-orc commented 3 years ago

Reproduced the multiple issues with 10.1.0-rc4 and kind of with 10.0.17 (same lack of results but with different log output).

Archive output

I think this is a lack of memory, despite the log messages.

The image run with this command line is a 32-bit DFIR-Orc (this is expected). When running DFIR-Orc with a tool specified, it will not create any 64-bit child process as it would without one. As the NTFS parser consumes a LOT of memory (it was designed for speed over the smaller pre-W10 MFTs), it could go over 2 GB of memory usage (on my host it is likely 3 GB).

Your XML configuration could be OK; try running DFIR-Orc without specifying a tool, or use '/key' to limit execution to a subset of the configuration.

The NTFS parser needs some attention and hopefully will get it soon. I will investigate why the log messages are not more evocative...

CSV output

As for csv output specified with '/out': this is expected behavior, it is not supported.

Directory output

This is a regression that will be fixed in 10.1.0-rc5 or eventually 10.0.18.

Thank you
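The diagnosis above turns on whether the collector runs as a 32-bit image (the GetThis log also warns about "a 32 bits process on x64 system") and on that image's address-space ceiling. The Python below is an added example, not DFIR-Orc code or anything from the issue: it reads the COFF header of a PE file to report the target machine and whether the IMAGE_FILE_LARGE_ADDRESS_AWARE characteristic is set, which decides whether a 32-bit process on x64 Windows gets 2 GB or 4 GB of user address space. `make_header` builds constructed headers for the self-test; `check_file` is the function to point at a real binary such as the DFIR-Orc image being debugged.

```python
import struct
from typing import Dict, Tuple

# PE constants from the Microsoft PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
IMAGE_FILE_32BIT_MACHINE = 0x0100


def coff_header(data: bytes) -> Tuple[int, int]:
    """Return (Machine, Characteristics) from the COFF file header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, characteristics


def summarize(data: bytes) -> Dict[str, object]:
    """Describe the image's bitness and the user address space it gets on x64 Windows."""
    machine, chars = coff_header(data)
    laa = bool(chars & IMAGE_FILE_LARGE_ADDRESS_AWARE)
    if machine == IMAGE_FILE_MACHINE_I386:
        # A 32-bit process on x64 Windows gets 2 GB of user address space,
        # or 4 GB when the image is linked large-address-aware.
        return {"arch": "x86", "large_address_aware": laa, "user_space_gb_on_x64": 4 if laa else 2}
    if machine == IMAGE_FILE_MACHINE_AMD64:
        # Native 64-bit: not bound by the 32-bit ceiling at all.
        return {"arch": "x64", "large_address_aware": laa, "user_space_gb_on_x64": None}
    return {"arch": f"machine 0x{machine:04X}", "large_address_aware": laa, "user_space_gb_on_x64": None}


def make_header(machine: int, characteristics: int) -> bytes:
    """Constructed minimal PE prefix (DOS header + signature + COFF header) for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def check_file(path: str) -> Dict[str, object]:
    """Inspect a real executable on disk (hypothetical path supplied by the caller)."""
    with open(path, "rb") as f:
        return summarize(f.read())


if __name__ == "__main__":
    # Constructed samples: a plain x86 image, an x86 image linked /LARGEADDRESSAWARE, and an x64 image.
    for label, hdr in [
        ("x86", make_header(IMAGE_FILE_MACHINE_I386, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)),
        ("x86 LAA", make_header(IMAGE_FILE_MACHINE_I386, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_LARGE_ADDRESS_AWARE)),
        ("x64", make_header(IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)),
    ]:
        print(label, summarize(hdr))
```

If `check_file` reports `x86` with a 2 GB ceiling for the collector, a parser that the maintainer expects to reach 3 GB on a large MFT cannot succeed regardless of how much physical RAM the host has free, which is why the 16 GB figure alone does not rule out the memory explanation.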

MAL-FOR509 commented 3 years ago

Hello @fabienfl-orc

Archive Output

I have 16 GB of RAM on my workstation, of which 10 GB are free.

Here is the result of DFIR-Orc.exe:

PS C:\Tools\dfir-orc-config> .\output\DFIR-Orc.exe

Mothership v10.1.0-rc2-28-g932588c

Parameters
  Start time: 2021-02-17T16:53:29.584Z
  Computer name: DESKTOP-Boubou
  Operating system: Microsoft Windows 10 Professional (build 19042), 64-bit
  User: DESKTOP-Boubou\Boubou (elevated)
  System type: WorkStation
  System tags: OSBuild#19042, Release#2009, Windows, Windows10, WorkStation, x64
  No wait: Off
  Preserve job: Off

WolfLauncher v10.1.0-rc2-28-g932588c

DFIR-ORC command scheduler

Parameters
  Start time: 2021-02-17T16:53:29.954Z
  Computer name: DESKTOP-Boubou
  Operating system: Microsoft Windows 10 Professional (build 19042), 64-bit
  User: DESKTOP-Boubou\Boubou (elevated)
  System type: WorkStation
  System tags: OSBuild#19042, Release#2009, Windows, Windows10, WorkStation, x64
  Recipients: None
  Output: C:\Tools\dfir-orc-config (directory, utf-8)
  TempDir: C:\Users\Boubou\AppData\Local\Temp\WorkingTemp (directory, utf-8)
  Child debug: Off
  CreateNew: Off
  Once: Off
  Overwrite: Off
  Repeat behavior:
  Offline:
  Log file: C:\Tools\dfir-orc-config\DFIR-ORC_WorkStation_DESKTOP-Boubou_20210217_165329.log
  Outline file: C:\Tools\dfir-orc-config\DFIR-ORC_WorkStation_DESKTOP-Boubou.json
  Priority: Low
  Power State:
  Key selection: None
  Enable keys: None
  Disable keys: None

Command set 'Main'
  Parameters
    UseEncryptionJournal: On
    Debug: Off
    RepeatBehavior: Once (skip commands set if output file exist)

2021-02-17T16:53.32Z Main Archive Started
2021-02-17T16:53.32Z Main SystemInfo Started (pid: 2756)
2021-02-17T16:53.32Z Main Processes Started (pid: 7616)
2021-02-17T16:53.33Z Main Processes Successfully terminated (pid: 7616)
2021-02-17T16:53.33Z Main GetEvents Started (pid: 8056)
2021-02-17T16:53.34Z Main SystemInfo Successfully terminated (pid: 2756)
2021-02-17T16:53.35Z Main Autoruns Started (pid: 1208)
2021-02-17T16:53.45Z Main GetEvents Terminated with an error (pid: 8056, exit code: 0xf)
2021-02-17T16:53.45Z Main NTFSInfo Started (pid: 2756)
2021-02-17T16:53.58Z Main Autoruns Successfully terminated (pid: 1208)
2021-02-17T16:53.58Z Main FatInfo Started (pid: 16172)
2021-02-17T16:54.29Z Main FatInfo Terminated with an error (pid: 16172, exit code: 0xf)
2021-02-17T16:54.29Z Main USNInfo Started (pid: 14820)
2021-02-17T16:55.00Z Main NTFSInfo Terminated with an error (pid: 2756, exit code: 0x17)
2021-02-17T16:55.00Z Main GetArtefacts Started (pid: 10116)
2021-02-17T16:55.01Z Main Archive Add file: autoruns.csv (112 KB)
2021-02-17T16:55.01Z Main Archive Add file: autoruns.log (N/A)
2021-02-17T16:55.01Z Main Archive Add file: Event.7z (2 MB)
2021-02-17T16:55.01Z Main Archive Add file: Event.log (53 KB)
2021-02-17T16:55.01Z Main Archive Add file: FatInfo.7z (54 KB)
2021-02-17T16:55.01Z Main Archive Add file: FatInfo.log (35 KB)
2021-02-17T16:55.01Z Main Archive Add file: NTFSInfo.7z (22 MB)
2021-02-17T16:55.01Z Main Archive Add file: NTFSInfo.log (45 KB)
2021-02-17T16:55.03Z Main Archive Add file: NTFSInfo_i30Info.7z (13 MB)
2021-02-17T16:55.03Z Main Archive Add file: NTFSInfo_SecDesc.7z (100 KB)
2021-02-17T16:55.03Z Main Archive Add file: processes.csv (230 KB)
2021-02-17T16:55.04Z Main Archive Add file: processes.log (N/A)
2021-02-17T16:55.04Z Main Archive Add file: Systeminfo.csv (1 KB)
2021-02-17T16:57.38Z Main USNInfo Terminated with an error (pid: 14820, exit code: 0xf)
2021-02-17T16:57.39Z Main Archive Add file: USNInfo.7z (15 MB)
2021-02-17T16:57.39Z Main Archive Add file: USNInfo.log (39 KB)
2021-02-17T16:57.43Z Main GetArtefacts Terminated with an error (pid: 10116, exit code: 0x10)
2021-02-17T16:57.44Z Main Archive Add file: Artefacts.7z (17 MB)
2021-02-17T16:57.44Z Main Archive Add file: Artefacts.log (86 KB)
2021-02-17T16:57.44Z Main Archive Add file: Config.xml (5 KB)
2021-02-17T16:57.44Z Main Archive Add file: JobStatistics.csv (590 B)
2021-02-17T16:57.44Z Main Archive Add file: ProcessStatistics.csv (1 KB)
2021-02-17T16:57.45Z Main Archive Completed: DFIR-ORC_WorkStation_DESKTOP-Boubou_Main.7z (70 MB)
2021-02-17T16:57.45Z Main Archive Ended (output: 70108939 bytes, elapsed: 00:04:13)

Command set 'Hives'
  Parameters
    UseEncryptionJournal: On
    Debug: Off
    RepeatBehavior: Once (skip commands set if output file exist)

2021-02-17T16:57.45Z Hives Archive Started
2021-02-17T16:57.45Z Hives GetSystemHives Started (pid: 16344)
2021-02-17T16:57.45Z Hives GetUserHives Started (pid: 14136)
2021-02-17T16:58.07Z Hives GetSystemHives Terminated with an error (pid: 16344, exit code: 0xf)
2021-02-17T16:58.07Z Hives GetSamHive Started (pid: 7612)
2021-02-17T16:58.30Z Hives GetSamHive Terminated with an error (pid: 7612, exit code: 0xf)
2021-02-17T16:58.30Z Hives GetUserHives Terminated with an error (pid: 14136, exit code: 0xf)
2021-02-17T16:58.30Z Hives Archive Add file: Config.xml (5 KB)
2021-02-17T16:58.30Z Hives Archive Add file: JobStatistics.csv (581 B)
2021-02-17T16:58.30Z Hives Archive Add file: ProcessStatistics.csv (647 B)
2021-02-17T16:58.30Z Hives Archive Add file: SAM.7z (10 KB)
2021-02-17T16:58.30Z Hives Archive Add file: SAM.log (41 KB)
2021-02-17T16:58.30Z Hives Archive Add file: SystemHives.7z (22 MB)
2021-02-17T16:58.30Z Hives Archive Add file: SystemHives.log (37 KB)
2021-02-17T16:58.30Z Hives Archive Add file: UserHives.7z (3 MB)
2021-02-17T16:58.30Z Hives Archive Add file: UserHives.log (43 KB)
2021-02-17T16:58.32Z Hives Archive Completed: DFIR-ORC_WorkStation_DESKTOP-Boubou_Hives.7z (26 MB)
2021-02-17T16:58.32Z Hives Archive Ended (output: 26364706 bytes, elapsed: 00:00:46)

DFIR-Orc WolfLauncher statistics
  Warning(s): 2
  Error(s): 0
  Critical error(s): 0
  Finish time: 2021-02-17T16:58:32.131Z
  Elapsed time: 5 min(s), 2 sec(s), 172 msecs

Statistics
  Warning(s): 0
  Error(s): 0
  Critical error(s): 0
  Finish time: 2021-02-17T16:58:32.147Z
  Elapsed time: 5 min(s), 2 sec(s), 563 msecs

And inside the Main archive:

Directory: C:\Tools\dfir-orc-config\DFIR-ORC_WorkStation_DESKTOP-Boubou_Main

Mode    LastWriteTime       Length    Name
------  2/17/2021 5:57 PM   17069404  Artefacts.7z
------  2/17/2021 5:57 PM      86477  Artefacts.log
------  2/17/2021 5:55 PM     112848  autoruns.csv
------  2/17/2021 5:55 PM          0  autoruns.log
------  2/17/2021 5:57 PM       5879  Config.xml
------  2/17/2021 5:55 PM    2152528  Event.7z
------  2/17/2021 5:55 PM      53492  Event.log
------  2/17/2021 5:55 PM      54660  FatInfo.7z
------  2/17/2021 5:55 PM      35776  FatInfo.log
------  2/17/2021 5:57 PM        590  JobStatistics.csv
------  2/17/2021 5:55 PM   22010487  NTFSInfo.7z
------  2/17/2021 5:55 PM      45006  NTFSInfo.log
------  2/17/2021 5:55 PM   13576378  NTFSInfo_i30Info.7z
------  2/17/2021 5:55 PM     100968  NTFSInfo_SecDesc.7z
------  2/17/2021 5:55 PM     230665  processes.csv
------  2/17/2021 5:55 PM          0  processes.log
------  2/17/2021 5:57 PM       1332  ProcessStatistics.csv
------  2/17/2021 5:55 PM       1890  Systeminfo.csv
------  2/17/2021 5:57 PM   15057360  USNInfo.7z
------  2/17/2021 5:57 PM      39827  USNInfo.log

Thank you,

fabienfl-orc commented 3 years ago

After digging, there is also an issue with GetThis and 7z output under x86 (only). The bug is fixed; I will include the fix in the next 10.0.x and 10.1.x versions.

MAL-FOR509 commented 3 years ago

@fabienfl-orc

Ok cool!

Nice to hear that :)

Thank you for your help.

fabienfl-orc commented 3 years ago

After checking the code, 10.0.x is not affected by the 7z output issue when using GetThis (32-bit or 64-bit).