MarkBaggett / srum-dump

A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
GNU General Public License v3.0
591 stars, 97 forks

srum_dump_csv crashes with error #19

Closed johnmccash closed 4 years ago

johnmccash commented 5 years ago

I get the following error when running srum_dump_csv:

```
C:\Software\srum-dump>srum_dump_csv
What is the path to the SRUDB.DAT file? (Ex: \image-mount-point\Windows\system32\sru\srudb.dat) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\sru\SRUDB.dat
What XLS Template should I use? (Press enter for the default SRUM_TEMPLATE.XLSX) :
What is the full path of the SOFTWARE registry hive? Usually \image-mount-point\Windows\System32\config\SOFTWARE (or press enter to skip Network resolution) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\config\SOFTWARE

Creating CSV for Network Usage
While you wait, did you know ... Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.
Finished processing Network Usage. Writing Output File.

Creating CSV for Application Resource Usage
While you wait, did you know ... To learn how SRUM and other artifacts can enhance your forensics investigations check out SANS Windows Forensics FOR500/408
Finished processing Application Resource Usage. Writing Output File.

Creating CSV for Network Connections
While you wait, did you know ... This program uses the function BinarySIDtoStringSID from the GRR code base to convert binary data into a user SID and relies heavily on the CoreSecurity Impacket ESE module. This works because of them. Check them out!
Finished processing Network Connections. Writing Output File.

Creating CSV for Push Notification Data
While you wait, did you know ... Yogesh Khatri's paper at https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/Windows8SRUMForensicsYogeshKhatri.pdf was essential in the creation of this tool.
Finished processing Push Notification Data. Writing Output File.

Creating CSV for Energy Usage (Long Term)
While you wait, did you know ... By modifying the template file you have control of what ends up in the analyzed results. Try creating an alternate template and passing it with the --XLSX_TEMPLATE option.
Finished processing Energy Usage (Long Term). Writing Output File.

Creating CSV for Energy Usage
While you wait, did you know ... This program was written by Twitter:@markbaggett and @donaldjwilliam5 because @ovie said so.
Finished processing Energy Usage. Writing Output File.

Creating CSV for Undocumented Windows 10 Table
While you wait, did you know ... Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.

Traceback (most recent call last):
  File "srum_dump_csv.py", line 385, in <module>
    for ese_row in ese_getnextrow(ese_table):
  File "srum_dump_csv.py", line 94, in ese_getnextrow
    current_row[reverse_column_lookup[each_column]] = smart_retrieve(ese_table, ese_row_num, each_column)
  File "srum_dump_csv.py", line 104, in smart_retrieve
    col_data = "" if not col_data else col_data.encode("HEX")
AttributeError: 'bytes' object has no attribute 'encode'
[13228] Failed to execute script srum_dump_csv

C:\Software\srum-dump>
```

Do you need a copy of the test DB & Software hive, or is the error sufficient?

Thanks John
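The traceback above is a Python 2 idiom that breaks under Python 3: `str.encode("HEX")` worked on Python 2 byte strings, but Python 3 `bytes` has no `encode` method, and `str.encode("hex")` is no longer a text codec either. The block below is an added illustration, not code from srum-dump or ese-analyst, showing a version-independent way to hex-encode a raw ESE column value (`hex_column`, a hypothetical helper) next to the failing idiom, using a constructed sample byte string in place of real SRUDB.dat data.

```python
import binascii
from typing import Optional, Union

RawColumn = Optional[Union[bytes, bytearray, memoryview, str]]


def hex_column(col_data: RawColumn) -> str:
    """Hex-encode a raw ESE column value; empty/None columns become "".

    binascii.hexlify accepts bytes-like objects on both Python 2 and 3, so
    this replaces the Python 2-only col_data.encode("HEX") idiom.
    """
    if not col_data:
        return ""
    if isinstance(col_data, str):
        # A Python 3 text value (not expected for a binary column): hex its UTF-8 bytes.
        col_data = col_data.encode("utf-8")
    return binascii.hexlify(bytes(col_data)).decode("ascii")


def legacy_hex_column(col_data):
    """The Python 2 idiom from the traceback, kept only to show the failure."""
    return "" if not col_data else col_data.encode("HEX")


def demo():
    """Run both helpers on a constructed sample (the first 12 bytes of a binary SID layout)."""
    sample = b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"  # constructed, not from a real image
    try:
        legacy_hex_column(sample)
        legacy_ok = True
    except (AttributeError, LookupError):
        # AttributeError on bytes (Python 3); LookupError if a str reaches it under Python 3
        legacy_ok = False
    return hex_column(sample), hex_column(b""), hex_column(None), legacy_ok


if __name__ == "__main__":
    print(demo())
```

Under Python 3 `demo()` returns the hex string for the sample, two empty strings for the empty and missing columns, and `False` for the legacy idiom, which is exactly the `AttributeError` in the report. Under Python 2 both helpers agree, which is why the bug only surfaced once the tool was built with Python 3.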

MarkBaggett commented 5 years ago

No. I know exactly where the error is. Thanks so much for reporting this. Sorry for the inconvenience. I’ll get this fixed.

Mark

On Jul 22, 2019, at 9:26 AM, johnmccash notifications@github.com wrote:

MarkBaggett commented 5 years ago

Hey @johnmccash. I fixed this and some other issues in srum_dump 2.0. It's in beta right now. I would appreciate it if you would be so kind as to test it with the new version to see if it resolves the error.

https://github.com/MarkBaggett/srum-dump/tree/srum_dump2

johnmccash commented 4 years ago

Mark, Apologies, but I've been travelling a lot for work lately, and my summer has been really crazy. I promise to get to this sometime in the next couple of weeks. John

From: MarkBaggett [mailto:notifications@github.com] Sent: Thursday, August 15, 2019 12:29 PM To: MarkBaggett/srum-dump Subject: Re: [MarkBaggett/srum-dump] srum_dump_csv crashes with error (#19)

MarkBaggett commented 4 years ago

No Problem. Safe travels. I appreciate you testing it out.

On Thu, Sep 5, 2019 at 8:43 AM johnmccash notifications@github.com wrote:


MarkBaggett commented 4 years ago

Fixed in GUI for 2.0. Additionally I split the GUI -> XLSX version and the CLI -> CSV version into two separate projects. All command-line functionality (srum_dump_csv) has been moved to https://github.com/MarkBaggett/ese-analyst