kiddinn / log2timeline

Automatically exported from code.google.com/p/log2timeline
GNU General Public License v3.0

Strange filename in output #5

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Note: This is the first time I have used log2timeline, so maybe I am running it with the wrong arguments or maybe I am expecting the wrong output.

Environment:
- Windows 7 64-bit
- Strawberry Perl 64-bit
- log2timeline 0.64

What I did:
- converted a raw disk image to virtual hard drive with VhdTool
- mounted the virtual disk on F:
- ran
      log2timeline.pl -m C: -r -f win7 -w bodyfile.csv -o csv F:

What I saw in the csv file, in the "filename" column:
      C:F:\Windows\System32\cmd.exe

What I would expect to see:
     C:\Windows\System32\cmd.exe

Cheers,

Antoine

Original issue reported on code.google.com by antoine....@gmail.com on 24 May 2012 at 5:38

GoogleCodeExporter commented 9 years ago
This is due to the fact that -m prepends what you say to the filename.

You are running it with F: as the first path, which makes the tool prepend c: in front of that.

Quick simple solution would be to:
      F:
      log2timeline.pl -m C: -r -f win7 -w c:\bodyfile.csv -p .

(forgot to run the -p option)

Original comment by ki...@kiddaland.net on 24 May 2012 at 6:13

GoogleCodeExporter commented 9 years ago
Issue 6 has been merged into this issue.

Original comment by ki...@kiddaland.net on 24 May 2012 at 6:15

GoogleCodeExporter commented 9 years ago
OK, I ran

      F:
      log2timeline.pl -m C: -r -f win7 -w c:\bodyfile.csv -p .

The filename column looks good now.

For "Log2t::input::sol", the desc column is like this:

LSO created -> File: C:/./Users/blah/AppData/Roaming/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#foo.com/settings.sol and object name: foo.com/settings variable: {allow = (FALSE) }
w_lastauto -> File: C:/./Users/blah/AppData/Roaming/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#foo.com/settings.sol and object name: foo.com/settings variable: {allow = (FALSE) }

There is an extra "/." in the file.

For "Log2t::input::recycler", the desc column is like this:

C:/Users/blah/Temp/TCD127F.tmp <-./$Recycle.Bin/S-1-5-21-XXX-YYY/$IOT9GAR.tmp

i.e. C: is not prepended before /$Recycle.Bin

Original comment by antoine....@gmail.com on 25 May 2012 at 1:00
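
As an added example (not part of the original thread and not log2timeline code): a Python check that flags the three path artifacts reported above in a timeline's filename or desc values and returns the form the reporter expected. The function names, the default `C:` prefix and the regular expressions are assumptions of this example; the sample values are copied from the comments above.

```python
import re

# The three path artifacts reported in this thread.
DOUBLE_DRIVE = re.compile(r"^[A-Za-z]:[A-Za-z]:")  # C:F:\Windows\...
DOT_SEGMENT = re.compile(r"[\\/]\.(?=[\\/])")      # C:/./Users/...
RELATIVE = re.compile(r"^\.[\\/]")                 # ./$Recycle.Bin/...
# Path-like tokens inside a free-text desc field (stops at whitespace).
PATH_TOKEN = re.compile(r"(?:[A-Za-z]:)+[\\/]\S*|\.[\\/]\S+")

# Values copied from the comments above (the sol line is shortened).
SAMPLES = [
    r"C:F:\Windows\System32\cmd.exe",
    "LSO created -> File: C:/./Users/blah/AppData/Roaming/Macromedia/Flash",
    "C:/Users/blah/Temp/TCD127F.tmp <-./$Recycle.Bin/S-1-5-21-XXX-YYY/$IOT9GAR.tmp",
    r"C:\Windows\System32\cmd.exe",
]


def audit_path(path):
    """Return the names of the artifacts present in one path."""
    checks = (("double-drive", DOUBLE_DRIVE.match),
              ("dot-segment", DOT_SEGMENT.search),
              ("missing-prefix", RELATIVE.match))
    return [name for name, check in checks if check(path)]


def audit_field(text):
    """Map each suspicious path token in a field to its artifacts."""
    report = {}
    for token in PATH_TOKEN.findall(text):
        found = audit_path(token)
        if found:
            report[token] = found
    return report


def normalize(path, prefix="C:"):
    """Return the form the reporter expected; keep the original too."""
    path = DOUBLE_DRIVE.sub(lambda m: prefix, path)    # C:F:\x -> C:\x
    path = DOT_SEGMENT.sub("", path)                   # C:/./x -> C:/x
    return RELATIVE.sub(lambda m: prefix + "/", path)  # ./x -> C:/x


if __name__ == "__main__":
    for sample in SAMPLES:
        for token, found in audit_field(sample).items():
            print(found, token, "->", normalize(token))
```

Because desc tokens stop at whitespace, a path containing spaces (such as "Flash Player") is audited only up to the first space, which is still enough to catch the artifacts shown here.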

GoogleCodeExporter commented 9 years ago
This should be fixed by now (http://code.google.com/p/log2timeline/source/detail?r=bd9d33f84988704dcb058dff80ce0c2a0f9cfd5c)

Original comment by ki...@kiddaland.net on 28 May 2012 at 5:27