libyal / libevtx

Library and tools to access the Windows XML Event Log (EVTX) format
GNU Lesser General Public License v3.0

pyevtx: unsupported security identifier contains more than 10 sub authoritites #5

Closed forensicmatt closed 8 years ago

forensicmatt commented 8 years ago

I am getting the following error within strings inside the record class (record.strings): object[1] failed - <type 'exceptions.IOError'>: pyevtx_record_get_string_by_index: unable to retrieve string: 1 size. libfwnt_security_identifier_copy_from_byte_stream: unsupported security identifier contains more than 10 sub authoritites. This prevents record.xml_string from being generated, it would appear.

Here is an example file, script, and output from evtxexport.exe: EVTX file: https://www.dropbox.com/s/1j5e6qnrs45di1u/Archive-Security-2013-10-01-20-02-28-916.evtx?dl=0

Here is example script:

import sys
import pyevtx

# Filename
filename = sys.argv[1]

# Record index
index = int(sys.argv[2])

# Open the pyevtx file
evtxfile = pyevtx.file()
evtxfile.open(filename)

# Get record by index
record = evtxfile.get_record(index)

# Print the record id
print 'EventRecordID: {}'.format(record.identifier)

# Print the XML string (this is the call that raises in the traceback below)
print 'XML String: {}'.format(record.xml_string)

# Print the strings; iterating record.strings is what surfaces the SID error
for i, rstring in enumerate(record.strings):
    print 'string[{}]: {}'.format(i, rstring)

When passing these params to test script: Archive-Security-2013-10-01-20-02-28-916.evtx 10613

I get the following Error:

EventRecordID: 1397257
Traceback (most recent call last):
  File "debug_evtx_record.py", line 21, in <module>
    print 'XML String: {}'.format(record.xml_string)
IOError: pyevtx_record_get_xml_string: unable to retrieve XML string size.

If I look at this in a debugger I see that one of the record.strings has the error: object[1] failed - <type 'exceptions.IOError'>: pyevtx_record_get_string_by_index: unable to retrieve string: 1 size. libfwnt_security_identifier_copy_from_byte_stream: unsupported security identifier contains more than 10 sub authoritites.

Here are the debug vars: [image]

However, when I run evtxexport.exe, I get all the xml, and strings. Here is the example of the same record:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2013-10-01T18:51:20.218822900Z"/>
    <EventRecordID>1397257</EventRecordID>
    <Correlation/>
    <Execution ProcessID="728" ThreadID="12284"/>
    <Channel>Security</Channel>
    <Computer>Bifrost</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-11-96-3623454863-58364-18864-2661722203-1597581903-3241140313-1528907555-2380831335-2281093177-363464117</Data>
    <Data Name="TargetUserName">HomeUsers</Data>
    <Data Name="TargetDomainName">Bifrost</Data>
    <Data Name="TargetSid">S-1-5-21-718126207-1171771683-1750804747-1002</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">BIFROST$</Data>
    <Data Name="SubjectDomainName">ASGARD</Data>
    <Data Name="SubjectLogonId">0x00000000000003e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
joachimmetz commented 8 years ago

Can you check with which version of libfwnt your version of pyevtx is compiled? I've addressed this issue in https://github.com/libyal/libfwnt/commit/3d370d059d31a49c02be7f1091e0b4e78814194c (Apr 13, 2015)

forensicmatt commented 8 years ago

20150105

It is fixed. Looks like I should keep up to date. Sorry about that.
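The failure in this thread comes from a sanity bound in the byte-stream SID decoder: the MemberSid in record 1397257 carries eleven sub-authorities, and the libfwnt build in use refused anything above ten. Windows itself permits up to 15 (SID_MAX_SUB_AUTHORITIES), so a bound of 10 rejects well-formed data. The Python 3 example below is added here and is not libevtx, libfwnt or pyevtx code; it encodes a textual SID into the binary layout (revision, sub-authority count, 6-byte big-endian identifier authority, then 4-byte little-endian sub-authorities), decodes it back with a configurable bound, and reproduces the "more than 10" rejection beside the correct result at the Windows limit. The SID string is the one from the evtxexport output above; the truncation check is a constructed input.

```python
import struct

# Windows SID_MAX_SUB_AUTHORITIES. The decoder in the thread used 10, which is
# too low; a bound is still needed so a corrupt count byte cannot drive a
# 4*255-byte read past the end of the value.
SID_MAX_SUB_AUTHORITIES = 15

# MemberSid from the evtxexport output in this issue: 11 sub-authorities.
MEMBER_SID = ("S-1-11-96-3623454863-58364-18864-2661722203-1597581903-"
              "3241140313-1528907555-2380831335-2281093177-363464117")


class SidError(ValueError):
    """Raised when a string or byte stream is not a well-formed SID."""


def sid_to_bytes(sid):
    """Encode 'S-<rev>-<authority>[-<sub>...]' into the binary SID structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise SidError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise SidError("too many sub authorities: %d" % len(subs))
    if authority >= 1 << 48:
        raise SidError("identifier authority does not fit in 48 bits")
    data = struct.pack("<BB", revision, len(subs))
    data += authority.to_bytes(6, "big")          # identifier authority is big-endian
    data += b"".join(struct.pack("<I", s) for s in subs)  # sub-authorities little-endian
    return data


def sid_from_bytes(data, max_sub_authorities=SID_MAX_SUB_AUTHORITIES):
    """Decode a binary SID; return (sid_string, bytes_consumed).

    max_sub_authorities is the bound the decoder enforces on the count byte
    before trusting it for the size of the sub-authority array.
    """
    if len(data) < 8:
        raise SidError("SID header truncated: %d bytes" % len(data))
    revision, count = struct.unpack_from("<BB", data, 0)
    if revision != 1:
        raise SidError("unsupported SID revision %d" % revision)
    if count > max_sub_authorities:
        raise SidError("unsupported security identifier contains more than "
                       "%d sub authorities" % max_sub_authorities)
    size = 8 + 4 * count
    if len(data) < size:
        raise SidError("SID truncated: need %d bytes, have %d" % (size, len(data)))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, size


def decode_or_error(data, limit=SID_MAX_SUB_AUTHORITIES):
    """Decode a binary SID under the given bound; return the SID text, or the
    decoder's error message on failure (mirrors how the thread surfaced it)."""
    try:
        return sid_from_bytes(data, max_sub_authorities=limit)[0]
    except SidError as exc:
        return str(exc)


if __name__ == "__main__":
    blob = sid_to_bytes(MEMBER_SID)
    for limit in (10, SID_MAX_SUB_AUTHORITIES):
        print("limit=%d: %s" % (limit, decode_or_error(blob, limit)))
```

Running it prints the rejection at a bound of 10 and the full S-1-11-96-... SID at 15. Keeping the bound at the Windows maximum rather than dropping it altogether matters for a forensic parser: the count byte comes from the evidence file, and without a limit a corrupted record can make the decoder read far past the value it is decoding.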