rdump: Shellbags timestamps not parsed with --multi-timestamp

[l3fdb33f]

I noticed when working with the shellbags function in particular that sometimes the regf_modification_time timestamp does not get placed into the "ts" field after piping to rdump and using the --multi-timestamp option:

target-query -f shellbags SysInternalsCase.E01 | rdump --multi-timestamp
[reading from stdin]
2023-11-28T18:57:42.553407Z [error    ] Unable to import dissect.target.plugins.filesystem.yara [dissect.target.plugin]
2023-11-28T18:57:43.092907Z [warning  ] <Target SysInternalsCase.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=42947575808 vs=None> [dissect.target.target]
<windows/shellbag ts=None ts_description='creation_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=None ts_description='modification_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=None ts_description='access_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=2022-11-15 21:18:53.308392+00:00 ts_description='regf_modification_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>

This has unfortunate effects when seeking to select events using the r.ts field, as it is None. Here's the source data I'm using, as .jsonl: windows_shellbag.zip

Thanks in advance!

[yunzheng]

Hi l3fdb33f,

I'm not sure if I understand the issue, --multi-timestamp iterates over all datetime fields per record and duplicates this in the ts field, and ts_description is set to denote which field the ts is from.

In your example output you see the last timestamp is of the regf_modification_time, the first three records that have ts=None are of:

• creation_time
• modification_time
• access_time

However they are None in the original record, so ts is also None.

How are you selecting events? if you are using a rdump selector a common way to filter out None fields is to do something like this:

$ rdump windows_shellbag.jsonl --multi-timestamp -w - | rdump -s 'r.ts' -L

This ensures that only records that only "truthy" ts fields are selected, effectively discarding ts=None values.

[l3fdb33f]

Ah I see! This is my misunderstanding then; I didn't understand it was normal behavior for there to be events with timestamp None as a result of the process. I will filter these and it looks like no data is lost. Thank you!

[Schamper]

Do note that if you happen to come across a record with no timestamps at all (all None) you will lose all reference to that data!