DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

FastFind : Failed to parse default configuration #46

Closed ThomasCocquebert closed 3 years ago

ThomasCocquebert commented 3 years ago

Hi,

It's a repost of an issue I posted on the dfir-orc-config GitHub last Friday, but I think I should have posted it here in the first place.

I'm trying to use FastFind but I have some issues when I try to launch it. I followed the instructions to build and configure my DFIR-Orc.exe, but every time I try to use it with FastFind this message appears in my shell:

FastFind v10.1.0-rc5

IOC Finder

2021-06-11T13:50:17.590Z [C] Failed to parse default configuration [0x80070585: Index non valide.]

I used this version of the DFIR-ORC_embed.xml file when I launched the Configure.cmd file in my dfir-orc-config directory, and this version of the DFIR-ORC_config.xml.

DFIR-ORC_embed.xml

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
    <input>.\tools\DFIR-Orc_x86.exe</input>
    <output>.\output\%ORC_OUTPUT%</output>

    <run64 args="WolfLauncher" >7z:#Tools|DFIR-Orc_x64.exe</run64>
    <run32 args="WolfLauncher" >self:#</run32>

    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>

    <file name="GetADS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_config.xml"/>
    <file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
    <file name="GetExtAttrs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_config.xml"/>
    <file name="GetTextLogs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_config.xml"/>
    <file name="GetSDS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_config.xml"/>
    <file name="GetCatRoot_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_config.xml"/>
    <file name="GetEVT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_config.xml"/>
    <file name="GetExeTMP_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExeTMP_config.xml"/>
    <file name="GetBrowsersHistory_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersHistory_config.xml"/>
    <file name="GetBrowsersArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersArtefacts_config.xml"/>
    <file name="GetScript_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_config.xml"/>
    <file name="GetErrors_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_config.xml"/>
    <file name="GetSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamples_config.xml" />
    <file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
    <file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
    <file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
    <file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
    <file name="NTFSInfoQuick_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoQuick_config.xml"/>
    <file name="NTFSInfoDetail_systemdrive_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_systemdrive_config.xml"/>
    <file name="NTFSInfoDetail_alldrives_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_alldrives_config.xml"/>
    <file name="GetFuzzyHash_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_config.xml"/>
    <file name="FatInfoDetail_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoDetail_config.xml"/>
    <file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
    <file name="FatInfoFirstBytes_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoFirstBytes_config.xml"/>
    <file name="GetMemDmp_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_config.xml"/>
    <file name="GetResidents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_config.xml"/>

    <file name="GetADS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_offline_config.xml"/>
    <file name="GetArtefacts_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_offline_config.xml"/>
    <file name="GetExtAttrs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_offline_config.xml"/>
    <file name="GetTextLogs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_offline_config.xml"/>
    <file name="GetHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetHives_offline_config.xml"/>
    <file name="GetSDS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_offline_config.xml"/>
    <file name="GetCatRoot_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_offline_config.xml"/>
    <file name="GetScript_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_offline_config.xml"/>
    <file name="GetErrors_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_offline_config.xml"/>
    <file name="GetMemDmp_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_offline_config.xml"/>
    <file name="GetEVT_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_offline_config.xml"/>
    <file name="GetUserHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_offline_config.xml"/>
    <file name="GetEXE_TMP_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEXE_TMP_offline_config.xml"/>
    <file name="GetBrowsersComplet_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersComplet_offline_config.xml"/>
    <!-- <file name="GetYaraSamples_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_offline_config.xml"/> -->
    <file name="GetFuzzyHash_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_offline_config.xml"/>
    <file name="NTFSInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_offline_config.xml"/>
    <file name="GetSAM_hive_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSAM_hive_offline_config.xml"/>
    <file name="FatInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_offline_config.xml"/>
    <file name="GetResidents_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_offline_config.xml"/>

    <file name="NTFSInfo_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_little_config.xml" />
    <file name="GetEVT_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_little_config.xml" />
    <file name="GetSystemHives_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_little_config.xml" />
    <file name="GetArtefacts_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_little_config.xml" />
    <file name="GetScript_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_little_config.xml" />

    <file name="FastFind_config.xml" path=".\%ORC_CONFIG_FOLDER%\FastFind_config.xml" />

    <file name="GetMFT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMFT_config.xml" />

    <file name="yara_rules" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara" />

    <pair name="AUTORUNS"  value="7z:#Tools|autorunsc.exe" />

    <archive name="Tools" format="7z" compression="Ultra">
        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>

        <!-- <file name="handle.exe" path=".\tools\handle.exe"/> -->
        <file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
        <!-- <file name="Tcpvcon.exe" path=".\tools\Tcpvcon.exe"/>
        <file name="PsService.exe" path=".\tools\PsService.exe"/>
        <file name="Listdlls.exe" path=".\tools\Listdlls.exe"/>

        <file name="dumpit" path=".\tools\DumpIt.exe" />
        <file name="winpmem" path=".\tools\winpmem.exe" /> -->

    </archive>
</toolembed>

After the Configuration.cmd I have tested DFIR-Orc.exe with these two command lines available in the online documentation of the project here:

.\output\DFIR-Orc.exe NTFSInfo /out=C_drive.csv "C:\"
.\output\DFIR-Orc.exe GetThis /nolimits /sample=ntdll.dll /out=ntdll.7z "C:\"

These command lines worked properly, but when I tried to launch the program with FastFind I faced the error message I posted above. In order to use FastFind I used this command line, which I found here, in an admin PowerShell:

.\output\DFIR-Orc.exe FastFind /config=fastfind.xml /out=fastfind_output.xml

The content of fastfind.xml used in the /config field is the same as the one in the FastFind documentation:

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <yara source="yara.rules" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
        <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
        <ntfs_find name="ntdll.dll" yara_rule="is_dll"/>
        <ntfs_find name_match="gdi*.dll"/>
        <ntfs_exclude path="\Windows\System32\ntdll.dll"/>
        <ntfs_exclude path_match="\Windows\System32\gdi*.dll"/>
        <ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
        <ntfs_exclude size="14966411"/>
        <ntfs_exclude contains="bcryptprimitives.pdb"/>
    </filesystem>
    <registry>
        <location>%SystemDrive%\</location>
        <hive name="NTUSER">
            <ntfs_find name="NTUSER.DAT"/>
            <registry_find key_path="\Software\Microsoft\Internet Explorer\Main" value="Check_Associations" data="no"/>
        </hive>
        <hive name="SOFTWARE">
            <ntfs_find name="SOFTWARE"/>
            <registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth"/>
        </hive>
    </registry>
    <object>
        <object_find type="Mutant" name="foo"/>
        <object_find type="File" name="foobar"/>
    </object>
</fastfind>

I also tried to use this command line in the \output directory, but the same error occurred.

Do you see why I'm facing this error? Thanks for your help!
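As an added example (not part of the issue or of the DFIR-ORC project), the script below parses a fastfind.xml of the shape posted above and flags malformed selectors before the file is embedded: hash attributes that are not hex digests of the expected length, non-numeric sizes, a missing location. The element and attribute names are taken from the posted config; the sample input is constructed and includes one deliberately bad md5 so the check has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fastfind.xml above; the last rule is
# intentionally malformed so the linter reports it.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
        <ntfs_find name="ntdll.dll" yara_rule="is_dll"/>
        <ntfs_find name_match="gdi*.dll"/>
        <ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
        <ntfs_exclude size="14966411"/>
        <ntfs_exclude md5="not-a-hash"/>
    </filesystem>
</fastfind>"""

def hex_digest(length):
    """Build a matcher for a hex digest of exactly `length` characters."""
    return re.compile(rf"^[0-9a-fA-F]{{{length}}}$").match

# Selector attribute -> validator (hash lengths are the standard digest sizes).
CHECKS = {"md5": hex_digest(32), "sha1": hex_digest(40),
          "sha256": hex_digest(64), "size": str.isdigit}

def lint_fastfind(xml_text):
    """Return (rules, problems): one dict per ntfs_find/ntfs_exclude rule and a
    list of findings describing selectors that FastFind could not match on."""
    root = ET.fromstring(xml_text)
    rules, problems = [], []
    if root.tag != "fastfind":
        problems.append(f"root element is <{root.tag}>, expected <fastfind>")
    for fs in root.iter("filesystem"):
        if fs.find("location") is None:
            problems.append("<filesystem> has no <location>")
        for rule in fs:
            if rule.tag not in ("ntfs_find", "ntfs_exclude"):
                continue
            if not rule.attrib:
                problems.append(f"<{rule.tag}> has no selector attributes")
            for attr, value in rule.attrib.items():
                check = CHECKS.get(attr)
                if check and not check(value):
                    problems.append(f"<{rule.tag} {attr}={value!r}> is malformed")
            rules.append({"kind": rule.tag, **rule.attrib})
    return rules, problems

if __name__ == "__main__":
    found, issues = lint_fastfind(SAMPLE_CONFIG)
    print(f"{len(found)} rules parsed, {len(issues)} problem(s)")
    for issue in issues:
        print("problem:", issue)
```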

fabienfl-orc commented 3 years ago

Hello, this is a bug with the release candidate branch and the version name. I will fix this for the next RC; meanwhile you can use the 10.0.19 version.

The command line 'Orc.exe fastfind /config=fastfind.xml' should work then.

ThomasCocquebert commented 3 years ago

Hi,

Thank you for the tips, FastFind finally runs!

I'm closing this topic.