jeanga
commented
1 year ago Hi reynas,
The various limits of getthis were designed to avoid this kind of situation. The "upper" wolflauncher limits kicked in ("Job was authoritatively terminated") to help "control" the resource clog that this unlimited GetThis collection could have unraveled (memory, disk space, ...).
The advice here is to put reasonable limits and use the /reportall option to determine how bad this getthis collection would have been (https://dfir-orc.github.io/GetThis.html#attributes).
Thank you for your interest in dfir-orc!
reynas
Hi
How can the following be prevented or fixed please?
2023-01-06T15:48:48Z General GetArtefacts Started (pid: 53464) 2023-01-06T23:48:47.798Z [W] JOB: Job was autoritatively terminated
Resulting in no artefacts collected in the zip file and a tempstream file of 150GB. I guess this means some of the items that were being collecting were "extreme" in size. (I deliberately did not set size limits)
A second question (if this is intended behavior), how can I know (based on the artefacts log), which files were responsible for this extreme size, can size logging of the found files be turned on somehow?
Thanks!