gudcjfdldu / log2timeline

Automatically exported from code.google.com/p/log2timeline
GNU General Public License v3.0

Problem with Log::input::symantec #7

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Note: This is the first time I use log2timeline, so maybe I am running it with 
the wrong arguments or maybe I am expecting a wrong output.

Environment:
- Windows 7 64 bits
- Strawberry Perl 64 bits
- log2timeline 0.64

What I did:
- converted a raw disk image to virtual hard drive with VhdTool
- mounted the virtual disk on F:
- ran
      log2timeline.pl -m C: -r -f win7 -w bodyfile.csv -o csv F:

What I saw in the csv file, in the "user" and "host" columns for 
log::input::symantec :
  I saw my name and the name of my computer (I am not investigating my computer,  I am investigating an image of another computer)

What I would expect to see:
  either nothing,  or the name of the computer investigated

Cheers,

Antoine

Original issue reported on code.google.com by antoine....@gmail.com on 24 May 2012 at 5:52

GoogleCodeExporter commented 8 years ago
A comment:  it looks like both the logs of the investigated host and the logs 
of my computer were parsed

Original comment by antoine....@gmail.com on 24 May 2012 at 6:09

GoogleCodeExporter commented 8 years ago
The hostname is read from the file itself, it should not be your computer name, 
but the name extracted from that file.

What was the filename in question, was the filename from your own C drive?

Original comment by ki...@kiddaland.net on 24 May 2012 at 6:18

GoogleCodeExporter commented 8 years ago
I think I understand the problem:
"F:\Users\All Users" is a link to "C:\ProgramData"

the filenames I see in the timeline are:

C:F:\ProgramData\Symantec\Symantec Endpoint Protection\Logs\XXX.log
-> for these I have the right computer and user

C:F:\Users\All Users\Symantec\Symantec Endpoint Protection\Logs\XXX.log
-> for these I have my name and the name of my computer

Original comment by antoine....@gmail.com on 24 May 2012 at 6:57

GoogleCodeExporter commented 8 years ago
;)

then I guess the problem is solved ;)

Original comment by ki...@kiddaland.net on 24 May 2012 at 7:06

GoogleCodeExporter commented 8 years ago
Well, I don't know if it is solved.  Why does it follow symlinks outside the 
drive?

Original comment by antoine....@gmail.com on 24 May 2012 at 7:14

GoogleCodeExporter commented 8 years ago
It looks like "-l" doesn't work to detect symbolic links for perl on Windows.
Here is something that may work:

use strict;
use warnings;
use Win32::API;

# FILE_ATTRIBUTE_REPARSE_POINT marks symlinks, junctions and other reparse points
my $FILE_ATTRIBUTE_REPARSE_POINT = 0x400;
# GetFileAttributes returns this DWORD when the call fails (e.g. path not found)
my $INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF;

my $GetFileAttributes = Win32::API->new('kernel32', 'GetFileAttributes', 'P', 'N')
    or die "Could not import GetFileAttributes: $^E";

foreach my $file ('C:\Users\All Users', 'C:\ProgramData') {
    my $attrs = $GetFileAttributes->Call($file);
    if ($attrs == $INVALID_FILE_ATTRIBUTES) {
        print "$file: GetFileAttributes failed ($^E)\n";
    }
    elsif ($attrs & $FILE_ATTRIBUTE_REPARSE_POINT) {
        print "$file is a reparse point\n";
    }
    else {
        print "$file is not a reparse point\n";
    }
}

->

C:\Users\All Users is a reparse point
C:\ProgramData is not a reparse point

Original comment by antoine....@gmail.com on 24 May 2012 at 8:36
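As an added example (not code from this thread or from log2timeline), the same reparse-point check generalised into a recursive walk in Python: it skips symlinks and Windows reparse points and refuses to step outside the mounted evidence root, so host-side data such as C:\ProgramData cannot leak into the timeline. The directory tree it builds is constructed for the demonstration and the names in it are assumptions.

```python
import os
import tempfile

# Windows-only attribute bit; elsewhere is_symlink() alone is enough.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400

def is_reparse_point(entry):
    """True for symlinks and Windows junctions (which is_symlink() may miss)."""
    if entry.is_symlink():
        return True
    st = entry.stat(follow_symlinks=False)
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def walk_evidence(root):
    """Return (files, skipped): regular files under root, never following
    reparse points and never leaving root; skipped lists what was refused."""
    root = os.path.realpath(root)
    files, skipped, stack = [], [], [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as it:
            for entry in it:
                if is_reparse_point(entry):
                    skipped.append(entry.path)  # record the link, never descend
                    continue
                # Defence in depth: the resolved path must stay inside the image.
                real = os.path.realpath(entry.path)
                if os.path.commonpath([root, real]) != root:
                    skipped.append(entry.path)
                    continue
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    files.append(entry.path)
    return sorted(files), sorted(skipped)

def build_sample_tree():
    """Constructed sample: an evidence root holding one log plus a link that
    points outside it, mimicking F:\\Users\\All Users -> C:\\ProgramData."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "evidence")
    outside = os.path.join(base, "examiner_programdata")
    for d, who in ((os.path.join(root, "ProgramData", "Logs"), "evidence"), (outside, "examiner")):
        os.makedirs(d)
        with open(os.path.join(d, "sep.log"), "w") as f:
            f.write(who + " host log\n")
    os.symlink(outside, os.path.join(root, "All Users"), target_is_directory=True)
    return root
```

Running walk_evidence(build_sample_tree()) returns only the log under ProgramData and lists the "All Users" link as skipped; the examiner-side sep.log never appears.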

GoogleCodeExporter commented 8 years ago
Sorry, that is true, the tool should not follow symlinks, and I did not know 
that "-l" was not successful in Windows....

I'm re-opening this one, and putting in a fix.

Original comment by ki...@kiddaland.net on 25 May 2012 at 4:18

GoogleCodeExporter commented 8 years ago
Submitted a patch to the project:
http://code.google.com/p/log2timeline/source/detail?r=17fab94cac5968221ef460265e2b9fd4a330d508

Could you update the tool to the latest snapshot and test if this works 
successfully for you?

Original comment by ki...@kiddaland.net on 25 May 2012 at 4:38

GoogleCodeExporter commented 8 years ago
This looks good now, thanks for the quick fix!

Original comment by antoine....@gmail.com on 25 May 2012 at 12:40