WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
GNU General Public License v3.0

--json not outputting correctly with search #61

Closed CyberAustin closed 2 years ago

CyberAustin commented 2 years ago

The JSON output for "search" puts a [] around the JSON data and introduces other formatting errors.

From Firefox: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data. Even if I remove the []'s, I still get that.

Get-Content -Raw .\output.json | ConvertFrom-Json returns blank data as well.

This is chainsaw version 1.1.5 on Windows 10.

fscc-alexkornitzer commented 2 years ago

Hi @CyberAustin,

I am unable to replicate this without more information, if you are able to provide it that would be great. With the example test samples search is correctly outputting JSON, an example command is this:

./chainsaw search evtx_attack_samples -i -s bypass -j

CyberAustin commented 2 years ago

Yeah, I'm trying to find some sample data that I can duplicate it on and that I can also release. I can summarize a bit, though. First, the JSON is surrounded by []. Second, it almost looks like some ASCII characters were replaced by similar-looking Unicode characters. I'll keep trying to reproduce, though.

alexkornitzer commented 2 years ago

Please, that would be a great help. The [] is expected because it is returning an array of results even if there is only one hit.

It probably is due to some odd edge case in an event log you have so tracking down the issue would be great if you can manage to isolate an example.

alexkornitzer commented 2 years ago

Right, I have finally worked this one out. It looks like PowerShell is messing with the encoding. The current workaround is to use --output rather than file redirection. Once we work out what PowerShell is doing, we might be able to fix it.
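The mechanism behind the last comment is that PowerShell, not chainsaw, owns the bytes when you redirect: it decodes the tool's stdout using [Console]::OutputEncoding (often an OEM code page, which mangles non-ASCII characters into look-alikes) and Windows PowerShell 5.1 then writes the file as UTF-16LE with a BOM, which is the "unexpected character at line 1 column 1" that JSON.parse reports. The following is an added example, not code from the chainsaw project or from anyone in this thread; it assumes chainsaw.exe is on PATH, that .\evtx_samples holds .evtx files, and the file names hits.json and hits-redirected.json are placeholders. It shows the --output workaround, a check for which encoding a file actually ended up in, and how to make redirection safe if you still need it.

```powershell
# Added example, not part of the chainsaw project or this issue thread.
# Assumed: chainsaw.exe on PATH, .evtx files under .\evtx_samples, placeholder output names.

# 1. The workaround from the thread: chainsaw writes the file itself, so the bytes
#    never pass through PowerShell's console decoding or Out-File re-encoding.
.\chainsaw.exe search .\evtx_samples -i -s bypass -j --output .\hits.json

# 2. Diagnostic: which encoding did a file really end up in? Inspect the leading bytes
#    rather than trusting what an editor or browser displays.
function Get-FileEncodingHint {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path))
    if ($bytes.Length -eq 0) { return 'empty' }
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { return 'UTF-16LE (BOM)' }
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) { return 'UTF-8 (BOM)' }
    # Interleaved NUL bytes in text are the signature of BOM-less UTF-16
    $end = [Math]::Min($bytes.Length, 512) - 1
    if (@($bytes[0..$end] | Where-Object { $_ -eq 0 }).Count -gt 0) { return 'UTF-16 (no BOM)' }
    return 'ASCII/UTF-8 (no BOM)'
}

# 3. Validate that the file parses as JSON and is the array chainsaw returns (one element per hit).
#    ReadAllText honours a BOM, so a UTF-16 file still parses here; the Encoding field tells you
#    whether a UTF-8-only consumer (browsers, jq, most SIEM ingestors) would reject it.
function Test-ChainsawJson {
    param([Parameter(Mandatory)][string]$Path)
    $enc = Get-FileEncodingHint $Path
    try {
        $text = [System.IO.File]::ReadAllText((Resolve-Path $Path), [System.Text.Encoding]::UTF8)
        $data = $text | ConvertFrom-Json
    } catch {
        return [pscustomobject]@{ Path = $Path; Encoding = $enc; Valid = $false; Hits = 0; Error = $_.Exception.Message }
    }
    [pscustomobject]@{ Path = $Path; Encoding = $enc; Valid = $true; Hits = @($data).Count; Error = $null }
}

Test-ChainsawJson .\hits.json

# 4. If you must go through the pipeline, fix both ends: how PowerShell decodes chainsaw's stdout,
#    and how the file is written. Windows PowerShell 5.1 still prepends a UTF-8 BOM with -Encoding utf8;
#    PowerShell 7 writes BOM-less UTF-8 by default.
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
.\chainsaw.exe search .\evtx_samples -i -s bypass -j | Out-File -Encoding utf8 .\hits-redirected.json
Test-ChainsawJson .\hits-redirected.json
```

Run Test-ChainsawJson on a file produced with plain `>` under Windows PowerShell 5.1 and the Encoding field will read UTF-16LE (BOM); the same command after step 4 reports UTF-8. The look-alike characters the reporter saw are the console-decoding half of the problem and are only fixed by the [Console]::OutputEncoding line, not by changing the file encoding alone.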