DFIRKuiper / Hoarder


Hoarder not extracting Disk C:\ Information #1

Open AxelPotato opened 3 years ago

AxelPotato commented 3 years ago

I have 2 hard drives on a machine and I ran Hoarder -a for a test I was doing. I get information about the NTFS of Disk D:\, which is empty, but for some reason it can't parse my disk C:\. This is taken from a live machine. The disk is not corrupted in any way. KAPE doesn't seem to have a problem with collecting information from the same machine.

Following is the log output:

2021-09-22 09:37:20.438792 - INFO:Hoarder Started...
2021-09-22 09:37:20.438792 - INFO:Output file: D:\BS-PTLR0BRTCM.zip
2021-09-22 09:37:20.438792 - INFO:Hostname: BS-PTLR0BRTCM
2021-09-22 09:37:20.438792 - INFO:Arch: win32
2021-09-22 09:37:20.438792 - INFO:Parse level 0 - No parsing
2021-09-22 09:37:20.454417 - INFO:Check drive: \\.\PhysicalDrive0
2021-09-22 09:37:20.454417 - INFO:Check partition: descSafety Table, offset0, size:1
2021-09-22 09:37:20.470039 - INFO:Check partition: descUnallocated, offset0, size:2048
2021-09-22 09:37:20.476546 - INFO:Check partition: descGPT Header, offset1, size:1
2021-09-22 09:37:20.492204 - INFO:Check partition: descPartition Table, offset2, size:32
2021-09-22 09:37:20.492204 - INFO:Check partition: descEFI system partition, offset2048, size:532480
2021-09-22 09:37:20.507832 - INFO:Check partition: descMicrosoft reserved partition, offset534528, size:32768
2021-09-22 09:37:20.523431 - INFO:Check partition: descBasic data partition, offset567296, size:997597184
2021-09-22 09:37:20.539056 - INFO:Check partition: descUnallocated, offset998164480, size:2048
2021-09-22 09:37:20.554680 - INFO:Check partition: descBasic data partition, offset998166528, size:2048000
2021-09-22 09:37:20.554680 - INFO:Check partition: descUnallocated, offset1000214528, size:688
2021-09-22 09:37:20.576816 - INFO:Found [1] NTFS partitions on drive [PhysicalDrive0] 
2021-09-22 09:37:20.576816 - INFO:Check drive: \\.\PhysicalDrive1
2021-09-22 09:37:20.576816 - INFO:Check partition: descSafety Table, offset0, size:1
2021-09-22 09:37:20.639327 - INFO:Check partition: descUnallocated, offset0, size:34
2021-09-22 09:37:20.708341 - INFO:Check partition: descGPT Header, offset1, size:1
2021-09-22 09:37:20.770841 - INFO:Check partition: descPartition Table, offset2, size:32
2021-09-22 09:37:20.825481 - INFO:Check partition: descMicrosoft reserved partition, offset34, size:262144
2021-09-22 09:37:20.892993 - INFO:Check partition: descUnallocated, offset262178, size:2014
2021-09-22 09:37:20.955493 - INFO:Check partition: descBasic data partition, offset264192, size:976506880
2021-09-22 09:37:21.024547 - INFO:Check partition: descUnallocated, offset976771072, size:2096
2021-09-22 09:37:21.077927 - WARNING:No NTFS Partition found on PhyisicalDrive1
2021-09-22 09:37:21.077927 - INFO:Check drive: \\.\PhysicalDrive2
2021-09-22 09:37:21.077927 - WARNING:There is no \\.\PhysicalDrive2
2021-09-22 09:37:21.093561 - INFO:Enabed Artifacts: 22
2021-09-22 09:37:21.093561 - DEBUG:Artifact: CCM    Path: /syswow64/ccm/logs/**,    Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: CCM    Path: /Windows/ccm/logs/**,     Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BrowserHistory Path: /Users/*/AppData/Roaming/Google/Chrome/User Data/Default/,    Files: ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BrowserHistory Path: /Users/*/AppData/local/Google/Chrome/User Data/Default/,  Files: ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BrowserHistory Path: /Users/*/AppData/Local/Microsoft/Windows/INetCookies/,    Files: ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BrowserHistory Path: /Users/*/AppData/Local/Microsoft/Windows/WebCache/,   Files: ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BrowserHistory Path: /Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/,   Files: ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: applications   Path: /Windows/AppCompat/Programs/**,   Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: SRUM   Path: /Windows/System32/SRU/**,     Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: RecycleBin Path: /$Recycle.Bin/**,     Files: ['$I*']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: scheduled_task Path: /Windows/System32/Tasks/**,   Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: scheduled_task Path: /Windows/SysWOW64/Tasks/**,   Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BitsAdmin  Path: /ProgramData/Microsoft/Network/Downloader/**,     Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: usrclass   Path: /Users/*/AppData/Local/Microsoft/Windows/,    Files: ['UsrClass.dat']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Recent Path: /Users/*/AppData/Roaming/Microsoft/Windows/Recent/**,     Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Firwall    Path: /Windows/System32/LogFiles/Firewall/**,   Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: prefetch   Path: /Windows/prefetch/,   Files: ['*.pf']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: WERFiles   Path: /ProgramData/Microsoft/Windows/WER/ReportArchive/**,  Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Ntfs   Path: /,    Files: ['$MFT', '$MFTMirr', '$LogFile']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: BMC    Path: /Users/*/AppData/Local/Microsoft/Terminal Server Client/Cache/,   Files: ['*.bmc']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: WMITraceLogs   Path: /Windows/System32/LogFiles/WMI/**,    Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: WindowsIndexSearch Path: /programdata/microsoft/search/data/applications/windows/,     Files: ['Windows.edb']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Events Path: /windows/system32/winevt/Logs/,   Files: ['*']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: PowerShellHistory  Path: /Users/*/Appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/,    Files: ['ConsoleHost_history.txt']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Ntuser Path: /Users/*/,    Files: ['NTUSER.DAT*']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: WMI    Path: /Windows/System32/wbem/Repository/,   Files: ['OBJECTS.DATA']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: WMI    Path: /Windows/System32/wbem/Repository/FS/,    Files: ['OBJECTS.DATA']
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Startup    Path: /Windows/System32/WDI/LogFiles/StartupInfo/**,    Files: []
2021-09-22 09:37:21.093561 - DEBUG:Artifact: Config Path: /Windows/System32/config/,    Files: ['DEFAULT*', 'SAM*', 'SECURITY*', 'SOFTWARE*', 'SYSTEM*', 'DRIVERS', 'BBI', 'ELAM', 'COMPONENTS']
2021-09-22 09:37:21.093561 - INFO:Read drive [PhysicalDrive0]
2021-09-22 09:37:21.093561 - INFO:Start Extracting Volume #0 Files
2021-09-22 09:37:21.093561 - DEBUG:Entries: {'syswow64': [{'path': '/syswow64/ccm/logs/**', 'artifact': 'CCM', 'files': []}], 'Windows': [{'path': '/Windows/ccm/logs/**', 'artifact': 'CCM', 'files': []}, {'path': '/Windows/AppCompat/Programs/**', 'artifact': 'applications', 'files': []}, {'path': '/Windows/System32/SRU/**', 'artifact': 'SRUM', 'files': []}, {'path': '/Windows/System32/Tasks/**', 'artifact': 'scheduled_task', 'files': []}, {'path': '/Windows/SysWOW64/Tasks/**', 'artifact': 'scheduled_task', 'files': []}, {'path': '/Windows/System32/LogFiles/Firewall/**', 'artifact': 'Firwall', 'files': []}, {'path': '/Windows/prefetch/', 'artifact': 'prefetch', 'files': ['*.pf']}, {'path': '/Windows/System32/LogFiles/WMI/**', 'artifact': 'WMITraceLogs', 'files': []}, {'path': '/Windows/System32/wbem/Repository/', 'artifact': 'WMI', 'files': ['OBJECTS.DATA']}, {'path': '/Windows/System32/wbem/Repository/FS/', 'artifact': 'WMI', 'files': ['OBJECTS.DATA']}, {'path': '/Windows/System32/WDI/LogFiles/StartupInfo/**', 'artifact': 'Startup', 'files': []}, {'path': '/Windows/System32/config/', 'artifact': 'Config', 'files': ['DEFAULT*', 'SAM*', 'SECURITY*', 'SOFTWARE*', 'SYSTEM*', 'DRIVERS', 'BBI', 'ELAM', 'COMPONENTS']}], 'Users': [{'path': '/Users/*/AppData/Roaming/Google/Chrome/User Data/Default/', 'artifact': 'BrowserHistory', 'files': ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']}, {'path': '/Users/*/AppData/local/Google/Chrome/User Data/Default/', 'artifact': 'BrowserHistory', 'files': ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']}, {'path': '/Users/*/AppData/Local/Microsoft/Windows/INetCookies/', 'artifact': 'BrowserHistory', 'files': ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']}, {'path': '/Users/*/AppData/Local/Microsoft/Windows/WebCache/', 'artifact': 'BrowserHistory', 'files': ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']}, {'path': '/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/', 'artifact': 'BrowserHistory', 'files': ['History*', 'Cache', 'Cookies', 'WebCacheV01.dat', 'places.sqlite', 'cookies.sqlite']}, {'path': '/Users/*/AppData/Local/Microsoft/Windows/', 'artifact': 'usrclass', 'files': ['UsrClass.dat']}, {'path': '/Users/*/AppData/Roaming/Microsoft/Windows/Recent/**', 'artifact': 'Recent', 'files': []}, {'path': '/Users/*/AppData/Local/Microsoft/Terminal Server Client/Cache/', 'artifact': 'BMC', 'files': ['*.bmc']}, {'path': '/Users/*/Appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/', 'artifact': 'PowerShellHistory', 'files': ['ConsoleHost_history.txt']}, {'path': '/Users/*/', 'artifact': 'Ntuser', 'files': ['NTUSER.DAT*']}], '$Recycle.Bin': [{'path': '/$Recycle.Bin/**', 'artifact': 'RecycleBin', 'files': ['$I*']}], 'ProgramData': [{'path': '/ProgramData/Microsoft/Network/Downloader/**', 'artifact': 'BitsAdmin', 'files': []}, {'path': '/ProgramData/Microsoft/Windows/WER/ReportArchive/**', 'artifact': 'WERFiles', 'files': []}], '': [{'path': '/', 'artifact': 'Ntfs', 'files': ['$MFT', '$MFTMirr', '$LogFile']}], 'programdata': [{'path': '/programdata/microsoft/search/data/applications/windows/', 'artifact': 'WindowsIndexSearch', 'files': ['Windows.edb']}], 'windows': [{'path': '/windows/system32/winevt/Logs/', 'artifact': 'Events', 'files': ['*']}]}
2021-09-22 09:37:21.109186 - INFO:-----found file type 5    /$LogFile 
2021-09-22 09:37:21.124810 - INFO:-----found file type 5    /$MFT 
2021-09-22 09:37:21.140436 - INFO:-----found file type 5    /$MFTMirr 
2021-09-22 09:37:21.140436 - DEBUG:Entry '$RECYCLE.BIN' match '$Recycle.Bin' folder, Jumping inside the directory
2021-09-22 09:37:21.140436 - DEBUG:Recursive mode enabled 
2021-09-22 09:37:21.140436 - DEBUG:Entries: {'**': [{'path': '/$RECYCLE.BIN/**', 'artifact': 'RecycleBin', 'files': ['$I*']}]}
2021-09-22 09:37:21.140436 - DEBUG:Recursive enabled,  jumping inside the directory 'S-1-5-21-3375482240-3257499396-3901873743-500'
2021-09-22 09:37:21.140436 - DEBUG:Entries: {'': [{'path': '/$RECYCLE.BIN/S-1-5-21-3375482240-3257499396-3901873743-500', 'artifact': 'RecycleBin', 'files': ['$I*']}]}
2021-09-22 09:37:21.140436 - DEBUG:Folder '/$RECYCLE.BIN/S-1-5-21-3375482240-3257499396-3901873743-500/' scanning done...
2021-09-22 09:37:21.140436 - DEBUG:Folder '/$RECYCLE.BIN/' scanning done...
2021-09-22 09:37:21.140436 - DEBUG:Folder '/' scanning done...
2021-09-22 09:37:21.140436 - INFO:Read drive [PhysicalDrive1]
2021-09-22 09:37:21.156092 - DEBUG:No parsing specified
2021-09-22 09:37:21.156092 - INFO:Enabled Commands: 1
2021-09-22 09:37:21.156092 - INFO:Command: systeminfo
2021-09-22 09:37:22.999062 - INFO:Plugin [processes] Started...
2021-09-22 09:37:23.384460 - ERR:Exception: RunPlugins 
Traceback (most recent call last):
  File "hoarder.py", line 411, in __init__
  File "hoarder.py", line 673, in RunPlugins
  File "hoarder.py", line 661, in RunPlugins
  File "hoarder.py", line 198, in ProcessList
  File "hoarder.py", line 134, in ProcessList
  File "psutil\__init__.py", line 542, in as_dict
  File "psutil\__init__.py", line 732, in cwd
  File "psutil\_pswindows.py", line 681, in wrapper
  File "psutil\_pswindows.py", line 671, in convert_oserror
  File "psutil\_pswindows.py", line 679, in wrapper
  File "psutil\_pswindows.py", line 695, in wrapper
  File "psutil\_pswindows.py", line 981, in cwd
OSError: [WinError 998] Invalid access to memory location

2021-09-22 09:37:23.384460 - INFO:Hoarder Done!
AxelPotato commented 3 years ago

Hi, we have done a bit of research and found that the Python library used by the project does not support BitLocker-encrypted drives.

This can be seen in this Plaso issue: https://github.com/log2timeline/plaso/issues/2644