DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

ZIP files generated in Windows (e.g. 7-zip) are not processed properly #110

Open pisaura opened 10 months ago

pisaura commented 10 months ago

Describe the bug
When providing a ZIP file compressed with 7-zip (under Windows), many parsers don't work (no error provided). Example: Events parser.

In Kuiper.log:
"2023-08-10 09:03:26.977887","[DEBUG]","parser_management.py.specify_files_to_be_parser[Lin.75]","parser","Start parsing: case[deschd_case] - machine[deschd_case_test_7zip_gui] - Parsers[Events]",""
"2023-08-10 09:03:26.996533","[INFO]","parser_management.py.run_parsers[Lin.765]","parser","Done processing the task case[deschd_case] - machine[deschd_case_test_7zipgui] - Parsers[Events]",""

Windows Events are included in the ZIP file for sure. Sources are collected by KAPE (target !SANS_Triage). When only zipping Windows events (as target in KAPE) or out of the provided structure from !SANS_Triage, the events are processed. Again, the ZIP file is created with 7-zip in Windows. When zipping the files in Linux, the parsers seem to work fine (also with the whole collection of !SANS_Triage).

There is no error within the files list of the machine - just "No data available in table".

To Reproduce
Steps to reproduce the behavior:

  1. Collect target !SANS_Triage with KAPE (v1.3.0.2).
  2. Create ZIP file with 7-zip (or even Windows Explorer) with or without compression.
  3. Upload ZIP to Kuiper.
  4. Start Events parser.

Expected behavior
ZIP files created in Windows (e.g. with 7-zip or Windows Explorer) should be processed properly.

Desktop (please complete the following information):

Additional context
Why are the ZIP files created in Windows not processed correctly while ZIPs created in Linux are? How can I create ZIP files in Windows that work properly with Kuiper? (Because the ZIP files created with KAPE cannot be extracted (see issues https://github.com/DFIRKuiper/Kuiper/issues/12, https://github.com/DFIRKuiper/Kuiper/issues/33 and https://github.com/DFIRKuiper/Kuiper/issues/109), I want to automate the zipping process in Windows before uploading the files to Kuiper.)

salehmuhaysin commented 7 months ago

Hello, Python ZipFile has some limitations on the compression methods for zip. I added support to decompress using 7z if ZipFile fails. After the update I tried with Windows Send to -> Compressed (zipped) folder, 7-Zip -> Add to "folder.zip", and 7-Zip -> Add to archive -> compression level 9; all worked. Please check with the new update 2.3.5.
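The fallback the maintainer describes, and the reporter's symptom of an upload that produces no error but no parsed data, can both be illustrated with a short script. This is an added example, not Kuiper's own code: it lists the compression method of every ZIP entry, decides whether Python's `zipfile` module can decompress the archive, and otherwise hands it to the `7z` command-line tool. The page does not say which compression method the Windows-made archives used; the example assumes Deflate64 (method 9), which `zipfile` does not implement, and it assumes a `7z` executable on PATH. The sample `Security.evtx` content and the `build_raw_zip` helper that fakes a Deflate64 header are constructed for the demo only.

```python
"""Added example (not Kuiper code): detect ZIP compression methods Python's
zipfile cannot decompress and fall back to the 7-Zip CLI, as the maintainer's
comment describes. Which method the reporter's archives used is not stated on
the page; Deflate64 (method 9) is assumed here."""
import shutil
import struct
import subprocess
import sys
import tempfile
import zipfile
import zlib
from pathlib import Path

# Method codes from the ZIP APPNOTE. zipfile decompresses only these (zstd, 93,
# only from Python 3.14 on); any other method raises NotImplementedError on read.
SUPPORTED = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED, zipfile.ZIP_BZIP2,
             zipfile.ZIP_LZMA, getattr(zipfile, "ZIP_ZSTANDARD", None)} - {None}
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2",
                14: "lzma", 93: "zstd", 95: "xz", 98: "ppmd"}


def unsupported_methods(zip_path):
    """Return {method_code: entry_count} for entries zipfile cannot decompress.
    Only the central directory is read, so this works on any well-formed ZIP."""
    counts = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.compress_type not in SUPPORTED:
                counts[info.compress_type] = counts.get(info.compress_type, 0) + 1
    return counts


def choose_extractor(zip_path):
    """'zipfile' when every entry is decompressible by Python, otherwise '7z'."""
    return "7z" if unsupported_methods(zip_path) else "zipfile"


def extract_with_fallback(zip_path, dest, seven_zip="7z"):
    """Extract with zipfile, or with the 7z CLI when a method is unsupported.
    Methods are checked up front: extractall() raises only when it reaches the
    first unsupported entry, which would leave a half-extracted tree behind."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    if choose_extractor(zip_path) == "zipfile":
        try:
            with zipfile.ZipFile(zip_path) as zf:
                zf.extractall(dest)
            return "zipfile"
        except (NotImplementedError, RuntimeError):
            pass  # e.g. bz2/lzma module missing from this Python; try 7z
    exe = shutil.which(seven_zip)
    if exe is None:
        bad = {METHOD_NAMES.get(m, m): n for m, n in unsupported_methods(zip_path).items()}
        raise RuntimeError(f"{seven_zip} not found and zipfile cannot handle {bad}")
    # 7z x: extract with full paths; -y: assume yes; -o<dir>: output dir (no space)
    subprocess.run([exe, "x", "-y", f"-o{dest}", str(zip_path)],
                   check=True, stdout=subprocess.DEVNULL)
    return "7z"


def build_raw_zip(path, entries):
    """Write a minimal ZIP whose headers declare an arbitrary method code.
    Entry data is written as given (only valid for method 0); used to simulate
    a Deflate64 archive, because zipfile refuses to write method 9 itself."""
    central = b""
    with open(path, "wb") as fh:
        for name, data, method in entries:
            nm, off, crc = name.encode(), fh.tell(), zlib.crc32(data)
            fh.write(struct.pack("<I5H3I2H", 0x04034B50, 20, 0, method, 0, 0x21,
                                 crc, len(data), len(data), len(nm), 0) + nm + data)
            central += struct.pack("<I6H3I5H2I", 0x02014B50, 20, 20, 0, method, 0,
                                   0x21, crc, len(data), len(data), len(nm),
                                   0, 0, 0, 0, 0, off) + nm
        cd_off = fh.tell()
        fh.write(central)
        fh.write(struct.pack("<I4H2IH", 0x06054B50, 0, 0, len(entries),
                             len(entries), len(central), cd_off, 0))


def run_demo():
    """Constructed data: one fake Security.evtx packed twice, once as zipfile
    (deflate) would do it on Linux and once with a header claiming Deflate64."""
    work = Path(tempfile.mkdtemp())
    name = "C/Windows/System32/winevt/Logs/Security.evtx"  # KAPE-style path, constructed
    payload = b"ElfFile\x00" + b"\x00" * 64                 # constructed, not a real .evtx
    linux_zip, win_zip = work / "linux_made.zip", work / "windows_made.zip"
    with zipfile.ZipFile(linux_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    build_raw_zip(win_zip, [(name, payload, 9)])
    extracted_by = extract_with_fallback(linux_zip, work / "out")
    return {
        "linux_methods": unsupported_methods(linux_zip),
        "linux_extractor": choose_extractor(linux_zip),
        "linux_extracted": extracted_by == "zipfile" and (work / "out" / name).is_file(),
        "windows_methods": unsupported_methods(win_zip),
        "windows_extractor": choose_extractor(win_zip),
    }


if __name__ == "__main__":
    for arg in sys.argv[1:]:  # inspect real archives given on the command line
        bad = {METHOD_NAMES.get(m, m): n for m, n in unsupported_methods(arg).items()}
        print(f"{arg}: unsupported={bad or 'none'} -> {choose_extractor(arg)}")
    if not sys.argv[1:]:
        print(run_demo())
```

Run it with the path of an uploaded archive to see which entries `zipfile` would refuse before any parser runs; with no arguments it builds the two constructed archives and reports that the Linux-made one needs only `zipfile` while the simulated Windows one needs `7z`. The simulated archive only carries a Deflate64 header over stored bytes, so a real extraction test of the 7z path needs an archive genuinely produced by 7-Zip or Windows Explorer.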