OWNsecurity / fastir_artifacts

Live forensic artifacts collector
https://medium.com/@Sekoia_team/introducing-fastir-artifacts-66f1d43fcac5
GNU General Public License v3.0

Python error while running "Essential" artifact group on Windows #16

Closed quack1 closed 1 year ago

quack1 commented 1 year ago

While running fastir_artifacts.exe on a Windows 11 host with the default configuration file fastir_artifacts.ini (include = Essentials), a Python error is triggered in fastir\common\filesystem.py.

Here is the complete Python backtrace:

> .\fastir_artifacts.exe
2023-02-14 13:52:33,119 - PROGRESS - Loading artifacts ...
2023-02-14 12:52:43,624 - PROGRESS - Collecting artifacts from 54 sources ...
Traceback (most recent call last):
  File "fastir_artifacts.py", line 134, in <module>
  File "fastir_artifacts.py", line 115, in main
  File "fastir\common\collector.py", line 52, in collect
  File "fastir\common\filesystem.py", line 322, in collect
  File "fastir\common\filesystem.py", line 72, in collect
  File "fastir\common\path_components.py", line 77, in _generate
  File "fastir\common\path_components.py", line 94, in _generate
  File "fastir\common\path_components.py", line 24, in get_path
  File "fastir\common\filesystem.py", line 182, in get_path
  File "fastir\common\filesystem.py", line 139, in list_directory
AttributeError: 'list' object has no attribute 'popleft'
[2996] Failed to execute script 'fastir_artifacts' due to unhandled exception!

After a few tests, everything works smoothly if I replace the include in the .ini file with WindowsEssentials. If I set LinuxEssentials or DarwinEssentials, the error pops up.

Is this normal behavior (in which case I think the documentation might need to be updated to state this point), or does this need a patch?

Thanks!

asterictnl-lvdw commented 1 year ago

Hey @quack1 ,

It's a bit hard to know how it works, but in the /share folder there is a file named sekoia.yaml which contains Essentials. It then checks which OS the system is running on to choose the right Essentials. For Windows it would be WindowsEssentials, but it is also possible to choose a specific ARTIFACT_GROUP defined in the yaml file. In webbrowser.yaml, for example, you have BrowserCache, but if you do not have Firefox and Internet Explorer and just want to run ChromeCache, you do not define BrowserCache but ChromeCache instead.

If you try to run LinuxEssentials on a Windows OS it might not work. :)

Your best bet is to look at this documentation and at one of the pre-created yaml files to create your own yaml file.
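The group expansion described in the reply above, as an added example that is not fastir_artifacts' own code: an ARTIFACT_GROUP such as Essentials or BrowserCache is followed recursively and only the members (and sources) whose supported_os matches the host are kept. The definitions are constructed for this example in the style of ForensicArtifacts YAML (name / supported_os / sources with type and attributes) and only borrow the group names mentioned in the thread; the real sekoia.yaml and webbrowser.yaml are larger and may be organised differently, and the functions resolve and paths_for are this example's own names.

```python
"""Added example (not fastir_artifacts' own code): expanding an ARTIFACT_GROUP
such as "Essentials" into the sources that apply on the running OS.

The definitions are constructed in the style of ForensicArtifacts YAML; the
real sekoia.yaml / webbrowser.yaml files are larger and may differ."""
import platform

DEFINITIONS = [
    {"name": "Essentials",
     "sources": [{"type": "ARTIFACT_GROUP",
                  "attributes": {"names": ["WindowsEssentials",
                                           "LinuxEssentials",
                                           "DarwinEssentials"]}}]},
    {"name": "WindowsEssentials", "supported_os": ["Windows"],
     "sources": [{"type": "FILE",
                  "attributes": {"paths": [r"C:\Windows\System32\config\SYSTEM"]}}]},
    {"name": "LinuxEssentials", "supported_os": ["Linux"],
     "sources": [{"type": "FILE", "attributes": {"paths": ["/var/log/auth.log"]}}]},
    {"name": "DarwinEssentials", "supported_os": ["Darwin"],
     "sources": [{"type": "FILE", "attributes": {"paths": ["/var/log/system.log"]}}]},
    {"name": "BrowserCache",
     "sources": [{"type": "ARTIFACT_GROUP",
                  "attributes": {"names": ["ChromeCache", "FirefoxCache",
                                           "InternetExplorerCache"]}}]},
    # supported_os may also sit on a single source (constructed sample paths).
    {"name": "ChromeCache",
     "sources": [{"type": "FILE", "supported_os": ["Windows"],
                  "attributes": {"paths": [r"%%users.localappdata%%\Google\Chrome\User Data\*\Cache\*"]}},
                 {"type": "FILE", "supported_os": ["Linux"],
                  "attributes": {"paths": ["%%users.homedir%%/.cache/google-chrome/*/Cache/*"]}}]},
    {"name": "FirefoxCache",
     "sources": [{"type": "FILE",
                  "attributes": {"paths": ["%%users.homedir%%/.cache/mozilla/firefox/*/cache2/*"]}}]},
    {"name": "InternetExplorerCache", "supported_os": ["Windows"],
     "sources": [{"type": "FILE",
                  "attributes": {"paths": [r"%%users.localappdata%%\Microsoft\Windows\INetCache\*"]}}]},
]


def _applies(obj, host_os):
    """An artifact or source without supported_os applies on every OS."""
    supported = obj.get("supported_os")
    return not supported or host_os in supported


def resolve(name, host_os, definitions=DEFINITIONS):
    """Return (artifact name, source) pairs that apply on host_os, following
    ARTIFACT_GROUP references recursively.

    A misspelt name such as "Essential" raises KeyError rather than silently
    collecting nothing; a cycle between groups is broken with the seen set.
    """
    by_name = {d["name"]: d for d in definitions}
    out, seen = [], set()

    def visit(artifact_name):
        if artifact_name in seen:
            return
        seen.add(artifact_name)
        artifact = by_name[artifact_name]
        if not _applies(artifact, host_os):
            return
        for source in artifact["sources"]:
            if not _applies(source, host_os):
                continue
            if source["type"] == "ARTIFACT_GROUP":
                for member in source["attributes"]["names"]:
                    visit(member)
            else:
                out.append((artifact_name, source))

    visit(name)
    return out


def paths_for(name, host_os=None, definitions=DEFINITIONS):
    """Flat list of paths a collector would visit for `name` on host_os
    (platform.system() returns "Windows", "Linux" or "Darwin")."""
    host_os = host_os or platform.system()
    return [p for _, src in resolve(name, host_os, definitions)
            for p in src["attributes"].get("paths", [])]


if __name__ == "__main__":
    for os_name in ("Windows", "Linux", "Darwin"):
        print(os_name, "Essentials ->", [n for n, _ in resolve("Essentials", os_name)])
    print("LinuxEssentials on Windows ->", resolve("LinuxEssentials", "Windows"))
```

With this filtering, asking for LinuxEssentials on a Windows host yields an empty list rather than an error, and Essentials on Windows expands to WindowsEssentials only; a typo in the include line fails loudly with KeyError, which is the behaviour a collector run under time pressure should have.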

quack1 commented 1 year ago

Hello @asterictnl-lvdw,

That's also my understanding of how FastIR works. I guess I was not very clear in my first message 😅

My point was that, when using Essentials, I guess FastIR should use WindowsEssentials. But on mine it throws an error, as if it were detecting my OS as Linux or Darwin instead of Windows, because if I hard-set WindowsEssentials instead of just Essentials, it works fine.

asterictnl-lvdw commented 1 year ago

@quack1 ,

That is indeed weird behavior. I have tried to reproduce it and I get the same error with plain Essentials. This could indeed be a problem with the script. When I change it to WindowsEssentials it does not give me any errors. I think the program tries to execute the Linux and Darwin essentials as well, but fails because the commands are not supported; they throw an exception in a try & catch and break the program because not everything is executed.

But for now it is best to run an audit with the OS-specific artifacts for that OS.

@gaelmuller @ant1 @gregorygui if you can look into this that would be great.

quack1 commented 1 year ago

I quickly looked at the code, and the way FastIR identifies the OS is fine (I was guessing at a bug with Windows 11, but my OS is correctly identified).

For now I will stick with WindowsEssentials, it's not a big deal!

gregorygui commented 1 year ago

Hi,

The new release fixes this issue. Thanks for your contribution. The problem was not inside the artifact definitions but in the method called on a list object: popleft has been removed, as it is available on the collections object. Even though there is a performance gap between popleft and pop(0), we chose to use the latter. I ran fastir with this release on Windows 10 x64 and it works well.

Give it a try and tell me if you encounter any issue.
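The defect and the two possible fixes described above, as an added example that is not fastir_artifacts' own code: a breadth-first directory walker in three variants, one that calls popleft() on a plain list and raises the exact AttributeError from the traceback, one with the released list.pop(0) fix, and one with collections.deque, whose popleft() does not have the per-call shift cost of pop(0). The walker, the sample tree it creates in a temporary folder, and the function names are constructed for this example; the real list_directory in fastir\common\filesystem.py is not reproduced here.

```python
"""Added example, not fastir_artifacts' own code: a breadth-first directory
walker in three variants that reproduce and fix the
"'list' object has no attribute 'popleft'" error from the traceback above.
The sample tree is constructed in a temporary directory so this runs offline."""
import os
import tempfile
from collections import deque


def walk(root, queue, pop_front):
    """Breadth-first listing of every file under root.

    `queue` holds the directories still to visit and `pop_front` is the
    callable that removes its first element; the three wrappers below differ
    only in these two. Directories that cannot be read are skipped, since a
    live collector should not abort the whole run on one denied ACL.
    """
    found = []
    queue.append(root)
    while queue:
        current = pop_front(queue)
        try:
            with os.scandir(current) as it:
                entries = sorted(it, key=lambda e: e.name)
        except PermissionError:
            continue
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                queue.append(entry.path)
            else:
                found.append(os.path.relpath(entry.path, root))
    return found


def walk_buggy(root):
    """Before the fix: a plain list has no popleft(), so the very first
    iteration raises AttributeError, as list_directory did in the traceback."""
    return walk(root, [], lambda q: q.popleft())


def walk_pop0(root):
    """The released fix: list.pop(0). Correct, but each call shifts every
    remaining element, so it is O(n) per pop (the performance gap mentioned)."""
    return walk(root, [], lambda q: q.pop(0))


def walk_deque(root):
    """The alternative: collections.deque, whose popleft() is O(1)."""
    return walk(root, deque(), lambda q: q.popleft())


def make_sample_tree(base):
    """Create a constructed tree under base; return the expected BFS order."""
    layout = [
        "a.txt",
        os.path.join("conf", "app.ini"),
        os.path.join("logs", "auth.log"),
        os.path.join("logs", "old", "auth.log.1"),
    ]
    for rel in layout:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return layout


def demo():
    """Run the three variants on the sample tree and return their results."""
    with tempfile.TemporaryDirectory() as base:
        expected = make_sample_tree(base)
        try:
            walk_buggy(base)
            buggy_error = None
        except AttributeError as exc:
            buggy_error = str(exc)
        return {
            "expected": expected,
            "pop0": walk_pop0(base),
            "deque": walk_deque(base),
            "buggy_error": buggy_error,
        }


if __name__ == "__main__":
    result = demo()
    print("list + popleft():", result["buggy_error"])
    print("list + pop(0):   ", result["pop0"])
    print("deque + popleft():", result["deque"])
```

Both fixed variants return the same file list; for the directory counts a triage collector sees, the O(n) cost of pop(0) is small next to the disk I/O, which is why choosing it over deque is a reasonable trade-off, but the deque form is what to reach for if a queue ever holds tens of thousands of pending directories.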

gregorygui commented 1 year ago

No further issues with the implemented fix.