log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Processing of USB winreg failure #116

Closed chrisprickaerts closed 9 years ago

chrisprickaerts commented 9 years ago

While processing a Windows 8.1 system I get an error on USB processing:

2015-02-15 20:50:31,310 [WARNING] (Worker_1  ) PID:3764 <usbstor> Unable to split string: Disk&Ven_Kingston&Prod_DT_Rubber_3.0 with error: need more than 3 values to unpack
2015-02-15 20:50:31,313 [WARNING] (Worker_1  ) PID:3764 <worker> [winreg] Unable to process file: type: OS, location: /cases/svo1/HD/20140823_SVO1_HD.E01
type: EWF
type: TSK_PARTITION, location: /p2, part index: 3, start offset: 0x06500000
type: VSHADOW, store index: 0
type: TSK, inode: 44703, location: /temp/system
 with error: local variable 'device_type' referenced before assignment.
2015-02-15 20:50:31,313 [ERROR] (Worker_1  ) PID:3764 <worker> local variable 'device_type' referenced before assignment
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
    parser_object.Parse(self._parser_context, file_entry)
  File "/usr/lib/python2.7/dist-packages/plaso/parsers/winreg.py", line 331, in Parse
    codepage=parser_context.codepage, parser_chain=parser_chain)
  File "/usr/lib/python2.7/dist-packages/plaso/parsers/winreg_plugins/interface.py", line 206, in Process
    parser_chain=parser_chain, **kwargs)
  File "/usr/lib/python2.7/dist-packages/plaso/parsers/winreg_plugins/usbstor.py", line 75, in GetEntries
    text_dict['device_type'] = device_type
UnboundLocalError: local variable 'device_type' referenced before assignment

Tried 2 times, process stops at same spot. I can provide image/test data, since this is test/training dataset.

joachimmetz commented 9 years ago

Thx for reporting, at first glance it looks like a bug in the parser. I'll have a look when time permits.

chrisprickaerts commented 9 years ago

Please let me know if you need sample or debugging data that incurs this error.

joachimmetz commented 9 years ago

Yes please, the sample could be useful since the code contains a comment:

# TODO: Determine if these 4 fields always exist.

joachimmetz commented 9 years ago

Pending fix: http://codereview.appspot.com/200470043

joachimmetz commented 9 years ago

A fix is in but a sample would still be useful. Can you also confirm if this fixes the issue you were encountering?

chrisprickaerts commented 9 years ago

Just test files from b-set on same sample. Below the output. On a side note, how can I upload the test file via GitHub?

root@delorean:/cases# log2timeline.py test /mnt/windows_mount/Windows/System32/config/SYSTEM

Source path : /mnt/windows_mount/Windows/System32/config/SYSTEM
Is storage media image or device : False

2015-02-23 21:17:41,258 INFO PID:10461 Starting extraction in single process mode.
2015-02-23 21:17:41,259 INFO PID:10461 Worker 0 (PID: 10461) started monitoring process queue.
2015-02-23 21:17:43,803 WARNING PID:10461 Expected 4 &-separated values in: Disk&Ven_Kingston&Prod_DT_Rubber_3.0
2015-02-23 21:17:47,621 INFO PID:10461 Worker 0 (PID: 10461) stopped monitoring process queue.
2015-02-23 21:17:54,863 INFO PID:10461 [Storage] Closing the storage, number of events processed: 28836
2015-02-23 21:17:54,863 INFO PID:10461 Processing completed.
root@delorean:/cases#

joachimmetz commented 9 years ago

how can I upload the test file via Github?

There is "Attach images by dragging & dropping, selecting them, or pasting from the clipboard." at the bottom of the issue comment box. Not sure if that does what you want it to do otherwise send me it via mail or Dropbox, Google Drive or equiv.

Expected 4 &-separated values in: Disk&Ven_Kingston&Prod_DT_Rubber_3.0

Thx this explains the initial bug.
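The failure in the traceback above and the "Expected 4 &-separated values" warning after the fix come from splitting a USBSTOR device-instance key name on `&`. The following is an added example, not plaso's own code: a fragile split that reproduces the reported UnboundLocalError beside a tolerant one that records a warning and keeps parsing the rest of the hive. The sample key names are constructed; the `Rev_` prefix on the fourth field is assumed from the usual Windows naming convention.

```python
# Added example, not plaso's own code: the USBSTOR device-instance key name
# split that this issue traces, first as the fragile form that aborted the
# hive parse, then a tolerant form that warns and carries on.
# Constructed sample key names; the first is the 3-field name from the report,
# the second the usual 4-field Disk&Ven_&Prod_&Rev_ form.
SAMPLE_KEY_NAMES = [
    'Disk&Ven_Kingston&Prod_DT_Rubber_3.0',
    'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26',
]
FIELD_NAMES = ('device_type', 'vendor', 'product', 'revision')


def split_usbstor_key_fragile(key_name):
    """Mirrors the reported failure: the ValueError from unpacking 3 values is
    caught, but device_type is then read without ever having been assigned."""
    try:
        device_type, vendor, product, revision = key_name.split('&')
    except ValueError as exception:
        print('Unable to split string: {0:s} with error: {1!s}'.format(key_name, exception))
    # Reached with no binding for device_type on a 3-field name -> UnboundLocalError.
    return {'device_type': device_type, 'vendor': vendor,
            'product': product, 'revision': revision}


def fragile_aborts(key_name):
    """True when the fragile parser dies on key_name the way the traceback shows."""
    try:
        split_usbstor_key_fragile(key_name)
    except UnboundLocalError:
        return True
    return False


def split_usbstor_key(key_name, warnings):
    """Tolerant version: a short name yields '' for the missing field plus a
    warning, so one odd key does not lose the rest of the hive's events."""
    fields = key_name.split('&')
    if len(fields) != 4:
        warnings.append('Expected 4 &-separated values in: {0:s}'.format(key_name))
    values = dict(zip(FIELD_NAMES, fields))  # zip stops at the shorter sequence
    for name in FIELD_NAMES:
        values.setdefault(name, '')
    # Strip the Ven_/Prod_/Rev_ prefixes (Rev_ on the fourth field is assumed).
    for name, prefix in (('vendor', 'Ven_'), ('product', 'Prod_'), ('revision', 'Rev_')):
        if values[name].startswith(prefix):
            values[name] = values[name][len(prefix):]
    return values


def parse_usbstor_keys(key_names):
    """Parse every key name, collecting warnings instead of stopping at the first."""
    warnings = []
    return [split_usbstor_key(name, warnings) for name in key_names], warnings
```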

joachimmetz commented 9 years ago

I'm closing this issue.