search

EricZimmerman / KapeFiles

This repository serves as a place for community created Targets and Modules for use with KAPE.
MIT License
652 stars 193 forks source link

NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes both msource AND local source data? #898

Open secure-cake opened 10 months ago

secure-cake commented 10 months ago

KAPE Version 1.3.0.2

I am collecting artifacts via Velociraptor Offline Collector, staging and processing them via KAPE on an "analysis" workstation. When I populate the artifacts on the C: volume (e.g. c:\cases\test-case\triage_data), then run the NirSoft BrowsingHistoryView or BrowserDownloadsView modules, output includes both the data in the mdest directory (my staged triage data) and data from the live, "analysis" workstation where I executed KAPE.

IMPORTANT NOTE: If I stage my triage collection on an alternate volume on my "analysis" workstation, eg d:\cases\test-case, and run same command as below, just changing the path to reflect the d: drive, results are expected, only including msource data.

Example Command: .\kape.exe --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui

"Browser Profile Path" results include both the mdest (c:\cases\test-case\triage_data\offline....) and local "c:\users\user\appdata\local\microsoft\edge..." paths.

image image

Console Log for BrowsingHistoryView example: 

[2024-01-04 10:03:38.4622603 | INF] KAPE directory: C:\tools\KAPE
[2024-01-04 10:03:38.4790135 | INF] Command line:   --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\ --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui 
[2024-01-04 10:03:38.4956785 | INF] System info: Machine name: WINDEV2311EVAL, 64-bit: true, User: User OS: "Windows10" (10.0.22621)
[2024-01-04 10:03:40.9384267 | INF] Using Module operations
[2024-01-04 10:03:40.9841873 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 10:03:40.9864295 | INF] Discovered 1 processor to run
[2024-01-04 10:03:40.9864295 | INF] Executing modules with file masks...
[2024-01-04 10:03:41.0026688 | INF] Executing remaining modules...
[2024-01-04 10:03:41.0026688 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma C:\cases\test-case\kape_nirsoft_output\WebBrowsers\BrowsingHistory.csv
[2024-01-04 10:03:41.0346128 | WRN]     Output file updated to C:\cases\test-case\kape_nirsoft_output\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 10:03:42.9003604 | INF] Executed 1 processor in 1.9440 seconds
[2024-01-04 10:03:42.9160727 | INF] Total execution time: 1.9662 seconds
AndrewRathbun commented 10 months ago

Very weird, are you using the latest version of the NirSoft binaries? I just did a test on my own system and it did not have any live data processed in the CSV. 

[2024-01-04 16:15:40.2657500 | INF] KAPE directory: E:\KAPE
[2024-01-04 16:15:40.2732603 | INF] Command line:   --msource E:\ToolOutput\browsingHistoryTest\tout\C --mdest E:\ToolOutput\browsingHistoryTest\mout --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui 
[2024-01-04 16:15:40.2747651 | INF] System info: Machine name: ANDREW-PERSONAL, 64-bit: true, User: Andrew Rathbun OS: "Windows10" (10.0.22635)
[2024-01-04 16:15:40.4055802 | DBG]   Validating configuration files
[2024-01-04 16:15:41.0894534 | DBG] 309 targets and 446 modules validated successfully
[2024-01-04 16:15:41.0904550 | INF] Using Module operations
[2024-01-04 16:15:41.0959451 | INF]   Module NirSoft_BrowsingHistoryView: Found 2 processors
[2024-01-04 16:15:41.0984553 | DBG]   NirSoft_BrowsingHistoryView (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1004567 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1035197 | INF]   Module NirSoft_WebBrowserDownloads: Found 1 processor
[2024-01-04 16:15:41.1035197 | DBG]   NirSoft_WebBrowserDownloads (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1045250 | INF]     Found processor Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1055248 | INF] Discovered 2 processors to run
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_BrowsingHistoryView, Processor: Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False  , Category: WebBrowsers , Export file: NirSoftBrowsingHistoryViewConsoleOutput.txt
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_WebBrowserDownloads, Processor: Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False  , Category: WebBrowsers 
[2024-01-04 16:15:41.1075232 | INF] Executing modules with file masks...
[2024-01-04 16:15:41.1085256 | INF] Executing remaining modules...
[2024-01-04 16:15:41.1095250 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder E:\ToolOutput\browsingHistoryTest\tout\C\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\BrowsingHistory.csv
[2024-01-04 16:15:41.1259448 | WRN]     Output file updated to E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 16:15:44.4232409 | WRN]   ** Cannot find executable BrowserDownloadsView.exe in directory E:\KAPE\Modules\NirSoft_WebBrowserDownloads or E:\KAPE\Modules\bin. Aborting execution and skipping any further modules using this executable
[2024-01-04 16:15:44.4262404 | INF] Executed 2 processors in 3.3334 seconds
[2024-01-04 16:15:44.4292400 | INF] Total execution time: 3.3391 seconds

Granted, I didn't test the BrowserDownloadsView portion, but I can if needed. Do we know if the screenshot you included is for BrowsingHistoryView or BrowserDownloadsView output?

secure-cake commented 10 months ago

Maybe it's just a perfect storm of "weirdness!" Is "E:\" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

EricZimmerman commented 10 months ago

nirsoft is probably following a symlink blindly

Eric Zimmerman 501-313-3778

------ Original Message ------ From "Secure Cake" @.> To "EricZimmerman/KapeFiles" @.> Cc "Subscribed" @.***> Date 1/4/2024 4:38:05 PM Subject Re: [EricZimmerman/KapeFiles] NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes bouth msource AND local source data? (Issue #898)

Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

— Reply to this email directly, view it on GitHub https://github.com/EricZimmerman/KapeFiles/issues/898#issuecomment-1877794827, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABARKJXHQUNDLCVGZU6U3HTYM4OL3AVCNFSM6AAAAABBNKTJO6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZXG44TIOBSG4. You are receiving this because you are subscribed to this thread.Message ID: @.***>

AndrewRathbun commented 10 months ago

Maybe it's just a perfect storm of "weirdness!" Is "E:\" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

E is not my OS drive but that's good context to have. I can test that out next time I'm back at the keyboard. Definitely not a KAPE issue though but maybe there's something we can add in the Module to inform others about this.

secure-cake commented 10 months ago

Thank you, Andrew and Eric! As always, appreciate the prompt responses.

AndrewRathbun commented 10 months ago

@secure-cake I just tried the following:

.\kape.exe --msource C:\temp\browsingHistoryTest\tout\C --mdest C:\temp\browsingHistoryTest\mout --mflush --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui

and in the Source File column(s) for BrowsingHistoryView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

For the BrowserDownloadsView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default

Nothing from my live system so I'm not sure what's going on in your scenario...

secure-cake commented 10 months ago

Howdy, @AndrewRathbun and thank you for testing! So...if I stage triage data on the OS volume and their is a user profile on the local system named "User" (note that I don't have to be logged in as "User," the profile just has to exist), I can recreate the above weirdness (inclusion of local data). If I rename the "Users\User" profile folder to "Users\bob" for example, output is as expected.

Bottom line, I would never do either (stage data on OS volume or have a user account named "User") in production, but did for testing with a Win 11 Dev VM. I confess I panicked a bit that perhaps I'd polluted actual case data on a previous case based on this odd behavior, but seems like a VERY specific set of unusual circumstances.

Sorry for the chasing of wild geese!