DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

GetThis ZIP output : failing configuration by convention #50

Closed DoNck closed 3 years ago

DoNck commented 3 years ago

Hi,

I'm trying to produce zip output from GetThis.

Problem

I tried using both XML configuration and specific command line, but I found out that the archives are actually generated using 7-zip format, despite the ".zip" file extension.

I tried to use "zip", "Zip" and "ZIP", but these three options are failing to trigger using the zip compressor.

Steps to reproduce the problem:

  1. create sample txt file in C:\somewhere\file.txt

  2. run:

    DFIR-Orc.exe GetThis /nolimits /sample=t*.txt /out=c:\temp\zip.zip c:\somewhere
  3. Then, from a Linux VM or git bash:

    User@WinDev2108Eval MINGW64 /c/temp
    $ file *
    zip.zip:      7-zip archive data, version 0.4
    7z.7z:        7-zip archive data, version 0.4
    ZIPCAPS.ZIP:  7-zip archive data, version 0.4
    ZipCamel.Zip: 7-zip archive data, version 0.4
  4. You can also confirm using the 7z CLI:

    7z l 7z.7z
    ...
    Listing archive: zip.zip
    "Open WARNING: Can not open the file as [zip] archive
    Type = 7z
    ...
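A check an analyst can run over GetThis output to confirm the container format from the file's magic bytes rather than its extension, as an added example that is not part of this issue or of DFIR-ORC's own code; the two sample files are constructed inline (the mislabelled one carries only the 7z signature, not a full archive), and the signature constants are the standard published values:

```python
"""Verify the real container format of GetThis output by magic bytes, not by extension."""
import tempfile
import zipfile
from pathlib import Path

# Well-known container signatures (standard values, not taken from the issue above).
SEVENZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"                # "7z" followed by BC AF 27 1C
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header / empty EOCD / spanned


def sniff_archive(path: Path) -> str:
    """Return '7z', 'zip' or 'unknown' based on the first bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(len(SEVENZIP_MAGIC))
    if head.startswith(SEVENZIP_MAGIC):
        return "7z"
    if head[:4] in ZIP_MAGICS:
        return "zip"
    return "unknown"


def check_output(path: Path) -> dict:
    """Compare what the extension claims with what the bytes say (the same check as `file *`)."""
    claimed = path.suffix.lower().lstrip(".")
    actual = sniff_archive(path)
    return {"file": path.name, "claimed": claimed, "actual": actual, "ok": claimed == actual}


def demo(workdir=None) -> list:
    """Build two constructed samples mirroring the issue: a genuine zip and a '.zip' that is really 7z."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    real_zip = workdir / "good.zip"
    with zipfile.ZipFile(real_zip, "w") as zf:
        zf.writestr("file.txt", "sample")            # constructed content
    mislabeled = workdir / "zip.zip"
    # Constructed: only the 7z signature plus a dummy version field; enough to reproduce the misdetection.
    mislabeled.write_bytes(SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 24)
    return [check_output(real_zip), check_output(mislabeled)]


if __name__ == "__main__":
    for row in demo():
        flag = "" if row["ok"] else "  <-- extension/format MISMATCH"
        print(f"{row['file']}: extension says {row['claimed']}, bytes say {row['actual']}{flag}")
```

Run it against a real GetThis output directory by calling check_output() on each file instead of demo(); any "ok": False row is an archive whose extension does not match its container.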
fabienfl-orc commented 3 years ago

Fixed in upcoming 10.1.0-rc7. I guess it is working with 10.0.x.