search

DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1
388 stars 42 forks source link

CAB support ? #48

Closed DoNck closed 3 years ago

DoNck commented 3 years ago

Hi,

I just gave a try to CAB archives support in DFIR-ORC and I did not manage to get it to work.

Here is the minimal DFIR-ORC_config.xml file I'm using :

<?xml version="1.0" encoding="utf-8"?>

<wolf childdebug="no" command_timeout="600">

    <log disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.log</log>
    <outline disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.json</outline>

    <archive name="7z_test.7z"  keyword="7z" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>

    </archive>

    <archive name="CAB_test.cab"  keyword="cab" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>
    </archive>

    <archive name="ZIP_test.zip"  keyword="zip" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>
    </archive>

</wolf>

I managed to get a 7-ZIP archive using the following command: c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=7z

I managed to get a ZIP archive using the following command: c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=zip

But I could not get a CAB archive using the following command: c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=cab The process gets stuck, I have to press Ctrl+C to exit.

I'm using the official unconfigured build of DFIR-ORC v10.0.20 inside a "developer virtual machine" from Microsoft. Console logs for 7-ZIP and CAB calls are attached to this issue.

Am I missing something or is this a bug ?

Best regards

cab_fail_screenshot console_log_cab.txt console_log_7z.txt

fabienfl-orc commented 3 years ago

Hello, the cab support has been dropped because of the format limitations. There are still some legacy artefacts that need to be removed, sorry about that.