search

fox-it / dissect.target

The Dissect module tying all other Dissect modules together. It provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets).
GNU Affero General Public License v3.0
43 stars 44 forks source link

Decoding Issue with iexplore.downloads #729

Closed jd-gui closed 3 months ago

jd-gui commented 3 months ago

I was having a problem with the Python API at first but realized that the iexplore.downloads plugin function appears to fail on the command line and in Python. Any time I run it, I receive this error message:

$ target-query -f iexplore.downloads ../../[REDACTED]/ForensicImage/Forensic-Image-C/[REDACTED]-Image.E01
2024-06-20T23:06:07.141803Z [warning  ] <Target ../../[REDACTED]/ForensicImage/Forensic-Image-C/[REDACTED]-Image.E01>: Can't identify filesystem: <Volume name='Microsoft reserved partition' size=16776704 fs=None> [dissect.target.target]
Traceback (most recent call last):
  File "/home/[REDACTED]/.local/bin/target-query", line 8, in <module>
    sys.exit(main())
  File "/home/[REDACTED]/.local/lib/python3.10/site-packages/dissect/target/tools/utils.py", line 250, in wrapper
    return func(*args, **kwargs)
  File "/home/[REDACTED]/.local/lib/python3.10/site-packages/dissect/target/tools/query.py", line 338, in main
    raise e
  File "/home/[REDACTED]/.local/lib/python3.10/site-packages/dissect/target/tools/query.py", line 323, in main
    for record_entries in entry:
  File "/home/[REDACTED]/.local/lib/python3.10/site-packages/dissect/target/plugins/browsers/iexplore.py", line 195, in downloads
    response_headers = container_record.ResponseHeaders.decode("utf-16-le", errors="ignore")
AttributeError: 'NoneType' object has no attribute 'decode'

While the namespace plugin browser.downloads runs to completion on the command line, this error causes things to fail in the Python API. Is anyone else able to replicate, and are there any current workarounds? Thank you!

Miauwkeru commented 3 months ago

Thanks for mentioning this to us.

I haven't been able to replicate it yet, so could you tell me what version of dissect.target you have installed? (pip freeze will give you the version numbers)

jd-gui commented 3 months ago

Hi! Based on your feedback I did an uninstall and reinstall of all of the dissect packages and have not encountered the error. I think there might have been some confusion between my virtual environments and I was using an out-of-date dependency somewhere. Thank you for your help!