log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Add support for recovered msie_webcache records #1790

Open johnmccash opened 6 years ago

johnmccash commented 6 years ago

The msie_webcache plugin for the esedb parser finds many fewer deleted records than are theoretically available. In a test I did with an extracted WebCacheV01.dat file I was working on, using the current revision of IE10Analyzer (http://moaistory.blogspot.com/2016/08/ie10analyzer.html) I was able to extract 34580 such records (many of them specifically relating to my case, and not found by Log2timeline) for a user who had cleared their web history shortly before the file was collected. Log2timeline was only able to extract 23628 records from the same file. (Not complaining, just noting that apparently it's possible to do significantly better)

**Plaso version:** 20180127

**Operating system Plaso is running on:** Win7x64

The WebCacheV01.dat file I tested with was from up-to-date IE11, running on a Win7x64 host. Sorry I can't provide the file :-( .

joachimmetz commented 6 years ago

libesedb does support recovered records at this point in time.

https://github.com/libyal/libesedb/issues/11

johnmccash commented 6 years ago

So... I'm a little unclear on the actual status of this. I'm fine with it being an enhancement, and I see the reference that says that there's already some support for extracting 'recovered records'. However, I'm not sure what 'blocked' means in this context. Are you saying that the esedb parser supports 'recovered records', but log2timeline is waiting on some kind of enhancement to properly interface with it in that context? I'm also unclear on the definition of 'recovered records'. Are those records that have been 'undeleted' using some esedb functionality, or are they records that have been carved from unallocated space in the db file? The IE10Analyzer program, which I referenced in the initial report, has both recovery methods, but is able to successfully recover significantly more deleted records using the record carving functionality.

Thanks,
John

joachimmetz commented 6 years ago

> already some support for extracting 'recovered records'

not for msie_webcache

> esedb parser supports 'recovered records'

it does not support record recovery at the moment

> Are those records that have been 'undeleted' using some esedb functionality, or are they records that have been carved from unallocated space in the db file?

the latter, though they are not carved but recovered based on metadata remnants