WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

Output failed file? #39

Closed. Kerokus closed this 2 years ago

Kerokus commented 2 years ago

We pull event logs out of RAM for forensic analysis. This can lead to both complete and incomplete files, and when you have hundreds of event logs, trying to figure out which ones are good and which ones are bad can be tedious. When Chainsaw hits an incomplete/corrupt file it stops the whole search with the message "an error occurred while trying to deserialize evtx stream". If there are 400 evtx logs and only 1 of them is bad, it will stop the whole search.

Is it possible to have it skip files it can't parse in order to complete the search? Or barring that can it at least output which file it hung up on so I can remove it from the directory?

fscc-jamesd commented 2 years ago

Hi @Kerokus

This is a good find, thanks for raising this issue. I never considered the use case of needing to support partially corrupted event logs, but your explanation makes sense. I'll look at adding this through a --skip-verify option or similar.

fscc-jamesd commented 2 years ago

Re-opened, closed it by mistake. I've got a fix on the way for this.

fscc-jamesd commented 2 years ago

@Kerokus This should be fixed in #44. Chainsaw will now output the name of the EVTX file that failed to parse. This PR also adds the --ignore-errors option to not stop chainsaw when it hits an evtx parsing error.
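The two behaviours discussed in this thread, as an added Rust example that is not Chainsaw's code: a minimal structural check of an EVTX file standing in for a full deserialiser (it assumes the public EVTX layout of a 4096-byte "ElfFile\0" header followed by 65536-byte "ElfChnk\0" chunks), and a hunt loop that either aborts on the first bad file, as reported above, or with an ignore_errors flag records the failing file's name and carries on. The file names and byte contents are constructed.

```rust
// Layout facts assumed from the public EVTX format (not from Chainsaw's parser):
// 4096-byte file header starting "ElfFile\0", then 65536-byte chunks starting "ElfChnk\0".
const FILE_MAGIC: &[u8] = b"ElfFile\0";
const CHUNK_MAGIC: &[u8] = b"ElfChnk\0";
const HEADER_LEN: usize = 4096;
const CHUNK_LEN: usize = 65536;

/// Carries the file name, the detail the issue asked for when parsing fails.
#[derive(Debug, PartialEq)]
pub struct ParseError { pub file: String, pub reason: String }

/// Stand-in for a full EVTX deserialiser: returns the number of complete chunks, or an error naming the file.
pub fn check_evtx(name: &str, data: &[u8]) -> Result<usize, ParseError> {
    let err = |reason: String| ParseError { file: name.to_string(), reason };
    if data.len() < HEADER_LEN || !data.starts_with(FILE_MAGIC) {
        return Err(err("missing or truncated file header".into()));
    }
    let body = &data[HEADER_LEN..];
    if body.len() % CHUNK_LEN != 0 {
        // Typical of a log carved from RAM: cut off part-way through a chunk.
        return Err(err("file does not end on a chunk boundary".into()));
    }
    for (i, chunk) in body.chunks(CHUNK_LEN).enumerate() {
        if !chunk.starts_with(CHUNK_MAGIC) {
            return Err(err(format!("bad chunk magic in chunk {}", i)));
        }
    }
    Ok(body.len() / CHUNK_LEN)
}

/// ignore_errors=false: the first bad file aborts the whole run (the reported behaviour).
/// ignore_errors=true: record the failing file, skip it and keep hunting.
pub fn hunt(files: &[(&str, Vec<u8>)], ignore_errors: bool) -> Result<(usize, Vec<ParseError>), ParseError> {
    let (mut chunks, mut skipped) = (0, Vec::new());
    for (name, data) in files {
        match check_evtx(name, data) {
            Ok(n) => chunks += n,
            Err(e) if ignore_errors => skipped.push(e),
            Err(e) => return Err(e),
        }
    }
    Ok((chunks, skipped))
}

/// Constructed sample set: one well-formed single-chunk log and one cut off mid-chunk.
pub fn sample_files() -> Vec<(&'static str, Vec<u8>)> {
    let mut good = vec![0u8; HEADER_LEN + CHUNK_LEN];
    good[..8].copy_from_slice(FILE_MAGIC);
    good[HEADER_LEN..HEADER_LEN + 8].copy_from_slice(CHUNK_MAGIC);
    let truncated = good[..HEADER_LEN + CHUNK_LEN / 2].to_vec();
    vec![("Security.evtx", good), ("carved-System.evtx", truncated)]
}
```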