log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

image_export.py inconsistent results while using filter option #1125

Closed Alex-Stamate closed 7 years ago

Alex-Stamate commented 7 years ago

Plaso version: 1.5.1

Operating system Plaso is running on: Ubuntu 14.04

Installation method: https://github.com/log2timeline/l2tdevtools

Description of problem: I'm running image_export.py against an E01 image while using the filter option and I'm getting mixed results. I'm using a slightly enhanced version of the file from "/log2timeline/plaso/blob/master/data/filter_windows.txt" and (among other modifications) I corrected the line containing /[$]Extend/[$]UsnJrnl (it used to be /[$]Extend/$UsnJrnl); but for some reason, with this exact file, the USN Journal is not collected.

However if I use a very short filter file with just the NTFS metafiles locations (/[$]MFT, /[$]LogFile and /[$]Extend/[$]UsnJrnl) the tool extracts correctly everything.

For both tests the lines containing the NTFS metafiles locations were exactly the same, but the tool only extracts USN Journal when using the smaller filter file.

I get the same strange behavior with the {systemroot}/System32/Tasks/.+ or variations; in a small filter file with just a few lines the tool can extract the artifacts without any issues... while in the big filter_windows.txt the tool is skipping these locations (under .../System32/Tasks/ folder structure).

Debug output/tracebacks: I didn't get any debug info when running the tool with "-d".

Source data: The E01 image is from a Windows 10 Pro system.
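To illustrate the escaping point the report touches on (`[$]` versus a bare `$` in a filter line), here is an added Python example; it is not part of this issue or of plaso's own code. It uses a simplified segment-by-segment matcher and an assumed `{systemroot}` expansion, so it demonstrates only why the unescaped line can never match, not why the larger filter file misbehaved.

```python
import re

# Constructed sample filter in the style of plaso's filter_windows.txt: one path
# per line, "/"-separated, each segment a regex. Simplified matcher, not plaso's.
FILTER_FIXED = """\
/[$]MFT
/[$]LogFile
/[$]Extend/[$]UsnJrnl
{systemroot}/System32/Tasks/.+
"""
# The pre-fix line: an unescaped "$" is a regex end-of-string anchor, so
# "$UsnJrnl" can never match the literal name "$UsnJrnl".
FILTER_BROKEN = "/[$]Extend/$UsnJrnl\n"
# Assumed expansion of plaso-style path variables (constructed for this example).
EXPANSIONS = {"{systemroot}": "/Windows"}

def parse_filter(text):
    """Compile each non-empty, non-comment line into a list of per-segment regexes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for var, value in EXPANSIONS.items():
            line = line.replace(var, value)
        segments = [s for s in line.split("/") if s]
        rules.append([re.compile(s, re.IGNORECASE) for s in segments])
    return rules

def matches(rules, path):
    """True if some rule matches the path segment by segment (whole-segment match)."""
    parts = [p for p in path.split("/") if p]
    return any(
        len(rule) == len(parts) and all(r.fullmatch(p) for r, p in zip(rule, parts))
        for rule in rules
    )

# Constructed paths as they would appear on an NTFS volume.
SAMPLE_PATHS = [
    "/$MFT",
    "/$LogFile",
    "/$Extend/$UsnJrnl",
    "/Windows/System32/Tasks/Adobe Acrobat Update Task",
    "/Windows/System32/drivers/etc/hosts",
]

def select(filter_text, paths=SAMPLE_PATHS):
    """Return the paths the filter would export."""
    rules = parse_filter(filter_text)
    return [p for p in paths if matches(rules, p)]
```

Running `select(FILTER_BROKEN)` returns nothing, while `select(FILTER_FIXED)` returns the three NTFS metafiles and the task file; a quick check like this against a handful of known paths is a cheap way to validate a filter file before a long export run.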

Alex-Stamate commented 7 years ago

Fixed... Don't worry :)