OWNsecurity / fastir_artifacts

Live forensic artifacts collector
https://medium.com/@Sekoia_team/introducing-fastir-artifacts-66f1d43fcac5
GNU General Public License v3.0

Can't take sysvol directory #10

Closed sorchaa closed 4 years ago

sorchaa commented 4 years ago

Hello,

I am trying to collect the sysvol directory from a Windows 2012 Server and it doesn't work. I modified fastir_artifacts.ini like this:

include = soso
sha256 = True

and added a YAML file with the definitions from the example file plus two more definitions: ntds and sysvol. The ntds directory works fine, but sysvol does not. My definition file:

# Custom artifacts.

name: WindowsALLEventLogs
doc: Windows XML Event Logs.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\System32\winevt\Logs\*.evtx']
    separator: '\'
labels: [Logs]
supported_os: [Windows]
---
name: soso
doc: Most important artifacts on Windows.
sources:
- type: ARTIFACT_GROUP
  attributes:
    names:
    # custom nico
    - 'WindowsComputerName'
    - 'WindowsCurrentVersion'
    - 'WindowsDomainName'
    - 'WindowsPersistenceMechanisms'
    - 'WindowsUpdateStatus'
    # AD
    - 'sysvol'
    - 'NTDS'
    # Registry hives
...

The file for ntds, which works:

name: NTDS
doc: |
  The NTFS $LogFile file system metadata file.

sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\ntds\*']
    separator: '\'
  supported_os: [Windows]
urls: ['https://sourceforge.net/projects/linux-ntfs/']
labels: [Users]
supported_os: [Windows]

And the file for sysvol, which doesn't work:

# NTFS specific artifacts.

name: sysvol
sources:
- type: FILE
  attributes:
    paths:
    - '%%environ_systemroot%%\SYSVOL\*'
    separator: '\'
labels: [System]
supported_os: [Windows]

When I execute fastir with these definition files, I get the files of the NTDS directory but not those of SYSVOL. I also tried with the sysvol\domain directory, but that was no better.

I use the latest release. I would like to congratulate you on this work.
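The two definitions above differ in one detail a practitioner would check first: `ntds\*` is applied to a directory whose files sit directly inside it, while `SYSVOL\*` is applied to a directory whose files live only in nested subdirectories (`domain\Policies\...`, `domain\scripts\...`). A single `*` matches one path component and never descends, so it can match the `domain` directory but no file. The script below is an added example, not code from this issue or from the fastir_artifacts project: it builds a constructed directory layout (not captured from any real domain controller), expands both definitions with Python's `glob` as a stand-in for the collector's own path expansion, and contrasts them with a `**` variant, the recursive wildcard used in ForensicArtifacts-style definitions. Whether this is the actual cause of the reporter's problem, and how fastir_artifacts limits `**` recursion depth, is not confirmed by the issue and is an assumption here.

```python
import glob
import os
import tempfile

# Constructed directory layout standing in for a domain controller's
# %SystemRoot%; it is NOT captured from a real machine. ntds\ is flat,
# while SYSVOL\ holds its files only inside nested directories.
SAMPLE_TREE = [
    "Windows/ntds/ntds.dit",
    "Windows/ntds/edb.log",
    "Windows/SYSVOL/domain/Policies/{GUID}/GPT.INI",
    "Windows/SYSVOL/domain/scripts/logon.bat",
]

# Stand-in for the %%environ_systemroot%% expansion; the real collector
# resolves it from the environment (assumption about the tool's internals).
SYSTEMROOT = "Windows"


def build_tree(root):
    """Create SAMPLE_TREE below root with placeholder file contents."""
    for rel in SAMPLE_TREE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="ascii") as fh:
            fh.write("placeholder\n")


def files_matching(root, definition_path):
    """Expand one FILE-source path from an artifact definition against root.

    Only regular files are returned, because that is what a collector copies;
    a directory matched by the pattern contributes nothing on its own.
    """
    expanded = definition_path.replace("%%environ_systemroot%%", SYSTEMROOT)
    pattern = os.path.join(root, *expanded.split("\\"))
    # recursive=True is what lets a '**' component descend into subdirectories.
    hits = glob.glob(pattern, recursive=True)
    return sorted(
        os.path.relpath(p, root).replace(os.sep, "/")
        for p in hits
        if os.path.isfile(p)
    )


def compare_patterns():
    """Expand the issue's two definitions plus a recursive SYSVOL variant
    and return the files each one would collect from the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root)
        return {
            "ntds_star": files_matching(root, r"%%environ_systemroot%%\ntds\*"),
            "sysvol_star": files_matching(root, r"%%environ_systemroot%%\SYSVOL\*"),
            "sysvol_recursive": files_matching(root, r"%%environ_systemroot%%\SYSVOL\**"),
        }


if __name__ == "__main__":
    for name, files in compare_patterns().items():
        print(f"{name}: {files or '(nothing collected)'}")
```

On the constructed tree, `ntds\*` yields both files, `SYSVOL\*` yields nothing because its only match is the `domain` directory, and `SYSVOL\**` yields the GPT.INI and logon.bat files. The same check can be run against a real definition file before a collection: expand each path pattern against the target and confirm at least one regular file matches.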