DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Feature request: improve the reporting for xml syntax error #8

Closed sydurand closed 4 years ago

sydurand commented 4 years ago

Hello,

For example if I use the config file below for FastFind with a syntax error (missing quote around yara.rules)

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\</location>
    ...
    <yara source=yara.rules block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
    ...
  </filesystem>
</fastfind>

I got the following error message:

FastFind - IOC Finder Version 10.0.2.000
ERROR (hr=0xc00cee24): Failed to parse node filesystem
ERROR (hr=0xc00cee24): Error parsing root fastfind element
ERROR (hr=0xc00cee24): Failed to read config file .\config\FastFind_config.xml
ERROR (hr=0xc00cee24): Failed to lookup and read item schema

It's difficult to spot the error quickly. Is it possible to improve the reporting for this kind of error?

Thanks,

jgautier-anssi commented 4 years ago

Hi sydurand,

I have just updated the dev branch with more detailed diagnostic information. If you can give it a try, I would welcome the feedback!

Keep the feedback coming! Jean

sydurand commented 4 years ago

Hi Jean,

Thank you for the quick improvement, it really helps to spot the syntax error more easily. Just a little remark, if I omit a mandatory element the error message doesn't tell me the location. For example with the configuration below, I get the error message "ERROR (Unspecified error, hr=EFAIL 0x80004005): Element location is mandatory and missing" without further information.

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\</location>
    <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
    <ntfs_find />
  </filesystem>

  <registry>
    <hive name="SOFTWARE">
      <ntfs_find name="SOFTWARE" />
      <registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth" /> 
    </hive>
  </registry>

  <object>
    <object_find type="Mutant" name="foo"/>
    <object_find type="File" name="foobar"/>
  </object>
</fastfind>

Another point just for your information: when I tried the dev branch I needed to install the VS English language pack to build it (yes, my installation is in French :p).

Additional packages (*) will be modified to complete this operation.
Starting package 1/84: boost-vcpkg-helpers:x64-windows-static
Building package boost-vcpkg-helpers[core]:x64-windows-static...
Warning: The following VS instances are excluded because the English language pack is unavailable.
    C:\Program Files (x86)\Microsoft Visual Studio\2019\Community
    C:\Program Files (x86)\Microsoft Visual Studio\2019\Community
Please install the English language pack.
Could not locate a complete toolset.

Thank you, Sylvain.

jgautier-anssi commented 4 years ago

Hi Sylvain,

Glad to read the fix helps you locate XML errors more easily.

For the missing mandatory element, it is trickier as it is a config error and not an xml one. We will look into it at the next opportunity.

Thank you for the great feedback. Jean
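As an added illustration of the point discussed above (this is not DFIR-ORC code; it uses Python's expat bindings rather than the project's own parser): a well-formedness error already carries a line/column from the parser, and a config-level check can report a position too if the loader records where each element started while parsing. The two sample configs are constructed from the ones in this thread, and the REQUIRED_ANY rule set is an assumption for the illustration, not the real FastFind schema.

```python
"""Report XML syntax errors and missing mandatory config criteria with positions."""
import xml.parsers.expat

# Constructed sample: the first config above, with the unquoted yara.rules value.
BAD_SYNTAX = """<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\\</location>
    <yara source=yara.rules block="2M" timeout="120" />
  </filesystem>
</fastfind>
"""

# Constructed sample: well-formed XML, but the second ntfs_find carries no criteria.
MISSING_MANDATORY = """<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\\</location>
    <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
    <ntfs_find />
  </filesystem>
</fastfind>
"""

# Assumed rule set for this illustration: an element needs at least one of these attributes.
REQUIRED_ANY = {"ntfs_find": {"name", "size", "md5", "sha1", "sha256"}}


def check_config(text):
    """Return a list of (line, column, message) diagnostics for one config document."""
    diagnostics = []
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        # The parser knows the element's position right now; capture it so the
        # semantic check can say *where* the criteria are missing, not only which element.
        required = REQUIRED_ANY.get(name)
        if required is not None and not required.intersection(attrs):
            diagnostics.append((parser.CurrentLineNumber, parser.CurrentColumnNumber,
                                "Element %s needs one of %s" % (name, sorted(required))))

    parser.StartElementHandler = start_element
    try:
        parser.Parse(text, True)
    except xml.parsers.expat.ExpatError as err:
        # Well-formedness error: expat reports the exact line and column where it stopped.
        diagnostics.append((err.lineno, err.offset,
                            "XML syntax error: %s" % xml.parsers.expat.ErrorString(err.code)))
    return diagnostics
```

Running check_config on BAD_SYNTAX points at line 5 (the yara element), and on MISSING_MANDATORY at line 6 (the empty ntfs_find), which is the location the thread asks for.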

sydurand commented 4 years ago

Thank you for the quick fix, I close the request.

Sylvain