Evidence and Pictures are Not in the Report

[BetaMaxHeadroom]

Hi,

Thank you for making this tool. I am impressed.

However, I have an issue. None of the reports that I generate seem to automatically add the picture evidence to the report. I don't doubt that this is a self-inflicted issue. I just don't fully understand how to resolve it. I read the wiki. But, I'm missing something somewhere. Are there any walkthroughs that aren't on the wiki that I can look at?

[chrismaddalena]

It depends on the type of report. PowerPoint and Word reports will include evidence files. Evidence files will be inserted only where you add the placeholder text for the associated image or text file. While editing a finding, look at the Keyword Reference & Instructions section at the top of the page for more information.

if you are editing a finding, you can click the Upload Evidence button to attach a file. Once uploaded, the placeholder is automatically inserted.

You can also type @ to engage autocomplete. As you begin to type {{ you will see a list of available placeholders for that finding.

Allowed image extensions: png, jpeg, and jpg Allowed text extensions: txt, ps1, py, md, and log

If the file extension is supported, Ghostwriter will replace the placeholder text with the evidence file.

If evidence is not appearing, the placeholder may be missing, does not match the "friendly name" of an attached file, or may reference an unsupported file type.

In a PowerPoint deck, only evidence in the Description field will be included.

[g3ksmithington]

I'm going to echo OP here. I got the latest Ghostwriter up and running 3 weeks ago and I'm having a difficult time with evidence embedding in the draft report while writing a report. If I follow the WISYWIG editor to upload and insert evidence only the first evidence file is displayed in the draft report. It's not a huge deal as I can manually add in that evidence when we generate the final report, but it would be nice to figure out how to make sure that feature works in the future.

Here is how it's formatted in the finding:

There are some extra returns at the end of the image in the report, but other screenshots besides the first one (had to censor the data):

Additionally, if I add evidence from the Attached Findings page and manually add the placeholder into the WISYWIG, it doesn't appear in the draft report.

edit: as a test to see if it was field dependent I uploaded and inserted evidence to different fields in the report besides the Impact field, but that also didn't work. It seems we only get one piece of evidence per finding on a report.

edit2: to pile on more, I downloaded a powerpoint report and it looks like I got a template document rather than a report:

last edit I swear: Adding evidence to another finding in the report doesn't work either. I still only get the one screenshot from the first finding in the draft report.

[chrismaddalena]

@g3ksmithington What type of images are these? PNGs?

Also, you are uploading these files all through the modal window (i.e., by clicking Upload Evidence in the WYSIWYG)?

If you view these files (click the evidence from the report's details page), is a file displayed?

The empty lines suggest the Evidence entry is created and the report engine can find it. A missing file would raise a FileNotFoundError and Ghostwriter will halt generation to make you aware something is wrong. However, if the file is created but is empty or an unsupported filetype the report generation would just skip the file.

Regarding the PowerPoint, you have it open in Master Slide view. There should be a button at the top that says "Close Master" to exit that view and open the slides.

[chrismaddalena]

Quick update: we've been making changes to these functions for an upcoming release, so I did some testing with a bunch of image files. I successfully inserted several images in series and they all appeared in the report. I am using a modified code base, but we have not changed anything that should impact evidence uploading or rendering.

There was an issue with some "friendly names" that led to evidence files being skipped. We fixed that in the 15 June 2020 release, but you might not have that. The issue involved evidence files names with periods. The reporting engine strips the {{. from the lines to get the name. The old code removed each character individually with replace(), so it would replace . with nothing and end up skipping evidence with periods in the name.

If the missing files have names like something.log, try removing the period. The solution is updating, but that would work around the issue until you can update.

[BetaMaxHeadroom]

I don't know if this could ever be an option. But, if evidence can be added in a similar way that PwnDoc (https://github.com/pwndoc/pwndoc) implements it, that would be really helpful. Some pictures work for me. But, I'm not exactly certain why some do not.

[chrismaddalena]

@BetaMaxHeadroom Could you explain? Ghostwriter adds images as inline shapes, which is how Word handles images.

[andrewchiles]

Update: We recently found an issue where supported image extension comparisons were case sensitive and thus if you had an image with a PNG extension it wouldn't end up in the report because the comparison was looking for png, jpg, jpeg, etc. It wasn't lowercasing all extensions before the comparison. This will be fixed in Master when the next GW release is pushed to GitHub. Current estimate is end of Q1 2021

[chrismaddalena]

The above-mentioned issue is resolved with the latest release: https://github.com/GhostManager/Ghostwriter/releases/tag/v2.1

[gmcblg]

Update: We recently found an issue where supported image extension comparisons were case sensitive and thus if you had an image with a PNG extension it wouldn't end up in the report because the comparison was looking for png, jpg, jpeg, etc. It wasn't lowercasing all extensions before the comparison. This will be fixed in Master when the next GW release is pushed to GitHub. Current estimate is end of Q1 2021

Not sure if there's been a regression re: file extension case sensitivity since the v2.1 release, but this behaviour (capitalised PNG/JPG extensions rendering in evidence import but not being exported to the final docx) was reproducible on Ghostwriter v3.0.5. For context, was using Windows' Snipping Tool > save image > defaults to capital extensions.

[chrismaddalena]

@gmcblg I'm not sure what happened. It looks like the change I made to address that never merged with that release and it went unnoticed for over a year. The Windows Snipping tool is the only tool I've seen that routinely saves files with all uppercase extensions, so there might be a lower chance of someone encountering the issue and reporting it.

I'm including a fix with a minor release today. Thanks for letting me know about it.