DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

GetSamples Timeline output location #47

Open sirbrowser opened 3 years ago

sirbrowser commented 3 years ago

Hello,

While testing GetSamples command, I try to output a timeline via XML configuration file:

<?xml version="1.0"?>
<GetSamples>
    <Samples MaxTotalBytes="20GB" MaxSampleCount="200000" MaxPerSampleBytes="1GB" />
    <timeline encoding="utf8">GetSamples_timeline.csv</timeline>
    <Autoruns></Autoruns>
</GetSamples>

The timeline is well executed, but the output location of the associated csv file is at the same level as the archive generated by DFIR ORC (screenshot).

The csv output is not included within the p7b archive (screenshot).

Is there a way to have the timeline inside the 7z where output files of GetSamples command are located?

Thanks.

jeanga commented 3 years ago

Hi sirbrowser,

Can you share the xml element of your WolfLauncher configuration for this command? If (and how) the output of a command is added to the output archive is usually described in this xml config.

Thank you for trying out dfir-orc.

Jean

sirbrowser commented 3 years ago

Hello,

Here is the xml element related to the GetSamples command:

<command keyword="GetSamples">
    <execute name="DFIR-Orc.exe" run="self:#GetSamples"/>
    <argument>/config=res:#GetSamples_config.xml</argument>
    <output name="GetSamples.7z" source="File" argument="/out={FileName}"/>
    <output name="GetSamples.log" source="StdOutErr"/>
</command>

Thanks

fabienfl-orc commented 2 years ago

GetSamples runs GetThis, which outputs GetSamples.7z. Both GetSamples_timeline.csv and GetSamples_sampleinfo.csv are produced by GetSamples. Having everything in one archive would require a significant refactor or rebuilding the GetSamples.7z archive.
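Since the maintainer's answer is that the timeline and sampleinfo CSVs stay beside GetSamples.7z rather than inside it, an analyst who wants to keep them tied to the archive can do that in post-processing. The script below is an added example and is not DFIR-ORC code: it collects the two side-car CSVs named in the thread into a companion zip (standard-library `zipfile`, since 7z is not in the standard library), records a SHA-256 of each file and of GetSamples.7z in a manifest, and re-verifies the bundle. The output directory, bundle name and the CSV contents used in `demo()` are constructed stand-ins, not real DFIR-ORC output.

```python
"""Bundle the GetSamples side-car CSVs with an integrity manifest.

Added example, not part of DFIR-ORC. GetSamples writes
GetSamples_timeline.csv and GetSamples_sampleinfo.csv next to
GetSamples.7z rather than inside it; this helper gathers them into a
companion zip with SHA-256 hashes so the timeline travels with the
samples. All paths and the demo contents are assumptions.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Side-car file names as given in the issue thread
SIDECAR_FILES = ("GetSamples_timeline.csv", "GetSamples_sampleinfo.csv")
ARCHIVE_NAME = "GetSamples.7z"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (chunked so large CSVs are fine)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def bundle_sidecars(output_dir: Path, bundle_name: str = "GetSamples_sidecar.zip") -> dict:
    """Zip the side-car CSVs found beside the archive and return a manifest.

    The manifest maps each bundled file to its SHA-256 and records the hash
    of GetSamples.7z so the bundle can be tied to the archive it belongs to.
    Side-cars that are absent are listed under "missing", never fabricated.
    """
    output_dir = Path(output_dir)
    manifest = {"archive": None, "files": {}, "missing": []}
    archive = output_dir / ARCHIVE_NAME
    if archive.is_file():
        manifest["archive"] = {"name": ARCHIVE_NAME, "sha256": sha256_of(archive)}
    bundle_path = output_dir / bundle_name
    with zipfile.ZipFile(bundle_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in SIDECAR_FILES:
            src = output_dir / name
            if not src.is_file():
                manifest["missing"].append(name)
                continue
            zf.write(src, arcname=name)
            manifest["files"][name] = sha256_of(src)
        # Manifest goes last so it reflects every file that was added
        zf.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_bundle(bundle_path: Path) -> bool:
    """Re-hash every CSV inside the bundle against its manifest entry."""
    with zipfile.ZipFile(bundle_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for name, digest in manifest["files"].items():
            if hashlib.sha256(zf.read(name)).hexdigest() != digest:
                return False
    return True


def demo() -> dict:
    """Build a constructed output directory, bundle it and verify the result."""
    tmp = Path(tempfile.mkdtemp())
    # Constructed stand-ins for the real DFIR-ORC outputs (not real data)
    (tmp / ARCHIVE_NAME).write_bytes(b"not a real 7z, constructed for the demo")
    (tmp / "GetSamples_timeline.csv").write_text(
        "ComputerName,Timestamp,Action,FullName\n"
        "HOST1,2020-01-01T00:00:00Z,Run,C:\\Windows\\System32\\example.exe\n"
    )
    # GetSamples_sampleinfo.csv is deliberately absent to exercise the "missing" path
    manifest = bundle_sidecars(tmp)
    ok = verify_bundle(tmp / "GetSamples_sidecar.zip")
    return {"manifest": manifest, "verified": ok, "dir": str(tmp)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real directory by calling `bundle_sidecars(Path("path/to/orc/output"))` after the WolfLauncher run finishes; the manifest's archive hash is what lets you later prove which GetSamples.7z a given timeline belongs to.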