Onager closed this issue 9 years ago
Assigning to kiddi as he knows the most about this tool, and how it works.
Fixed the issues that came up here, but in further testing discovered quite a few other ones...
One issue now is to try to run the following command:
$ preg.py -c -i test.vhd NTUSER
This should read the disk image, locate the NTUSER hives there and drop you into console mode with all the hives ready to load.
This works fine on the nfury disk image (has VSS enabled) but not on the XP Evil one.
Attaching some debugging, and seeing that the filesystem path spec that is being opened is the following:
In [8]: print path_spec.comparable
type: OS, location: /PATH/images/evil/test.vhd
type: VHDI
type: TSK, location: /
Comparing that to a path spec extracted from the nfury image:
In [2]: print path_spec.comparable
type: OS, location: /PATH/images/win7_nfury/win7-64-nfury-c-drive.E01
type: EWF
type: TSK, location: /
This seems to work fine... inside nfury:
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
However that same command inside the evil disk image:
file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
---------------------------------------------------------------------------
IOError Traceback (most recent call last)
/Library/Python/2.7/site-packages/plaso-1.3.0_20150610-py2.7.egg/plaso/frontend/preg.pyc in <module>()
----> 1 file_system = path_spec_resolver.Resolver.OpenFileSystem(path_spec)
/Library/Python/2.7/site-packages/dfvfs/resolver/resolver.pyc in OpenFileSystem(cls, path_spec, resolver_context)
161 file_system = resolver_helper.NewFileSystem(resolver_context)
162
--> 163 file_system.Open(path_spec=path_spec)
164 return file_system
165
/Library/Python/2.7/site-packages/dfvfs/vfs/file_system.pyc in Open(self, path_spec, mode)
227
228 if not self._is_open:
--> 229 self._Open(path_spec=path_spec, mode=mode)
230 self._is_open = True
231 self._path_spec = path_spec
/Library/Python/2.7/site-packages/dfvfs/vfs/tsk_file_system.pyc in _Open(self, path_spec, mode)
65
66 tsk_image_object = tsk_image.TSKFileSystemImage(file_object)
---> 67 tsk_file_system = pytsk3.FS_Info(tsk_image_object)
68
69 self._file_object = file_object
IOError: FS_Info_Con: (tsk3.c:207) Unable to open the image as a filesystem: Cannot determine file system type
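One plausible reading of the failure above, stated here as an assumption rather than something the thread confirms, is that the XP image is partitioned while the path spec points TSK at the raw VHDI layer at location "/". The following is an added example (not plaso or dfvfs code): it checks that a VHD is a fixed image, parses its MBR, and returns the partition byte offsets a file-system opener such as TSK would need, run against constructed image bytes.

```python
import struct

SECTOR = 512
VHD_FIXED = 2  # disk-type value in the VHD footer for a fixed (raw sectors + footer) image


def parse_vhd_footer(image):
    """Return the disk type stored in the trailing 512-byte VHD footer.

    Only fixed VHDs keep raw disk sectors in place; dynamic and differencing
    images need the block allocation table, which this helper does not read.
    """
    footer = image[-SECTOR:]
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie")
    disk_type, = struct.unpack(">I", footer[60:64])  # VHD footer fields are big-endian
    return disk_type


def parse_mbr_partitions(sector0):
    """Return (type, first_lba, sector_count) for each non-empty MBR table entry."""
    if sector0[510:512] != b"\x55\xaa":
        return []  # no boot signature: treat the image as an unpartitioned file system
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack("<II", entry[8:16])  # MBR fields are little-endian
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    return parts


def candidate_fs_offsets(image):
    """Byte offsets at which a file-system opener should be pointed, in table order."""
    if parse_vhd_footer(image) != VHD_FIXED:
        raise ValueError("only fixed VHDs expose raw sectors at offset 0")
    parts = parse_mbr_partitions(image[:SECTOR])
    if not parts:
        return [0]  # unpartitioned image: opening the file system at "/" works directly
    return [first_lba * SECTOR for _, first_lba, _ in parts]


def build_sample_image():
    """Constructed fixed VHD: one NTFS (0x07) entry at LBA 2048, padding, then a footer."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    mbr[510:512] = b"\x55\xaa"
    footer = bytearray(SECTOR)
    footer[:8] = b"conectix"
    footer[60:64] = struct.pack(">I", VHD_FIXED)
    return bytes(mbr) + bytes(SECTOR * 7) + bytes(footer)  # body truncated: layout only
```

In dfvfs terms the equivalent of using these offsets is inserting a partition layer between the VHDI and TSK path spec layers instead of opening TSK at the image root.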
I'm postponing this fix a bit, since I think we are at the point where we need to do the second step in the preg refactor to get things cleaned up a bit. preg was quite a tangle and step one of splitting it up has left it in quite a vulnerable state.
So what's the plan for this for the release? Remove preg and re-add in 1.4? Or fix preg for 1.3?
@kiddinn was mentioning an upcoming fix
I'm working on a fix, this is a much larger issue that sent me down a rabbit hole ;)
Expect a fix before RC2.
I didn't know you listened to techno (hard trance) ;) https://www.youtube.com/watch?v=pf2BeOX_lO0
Not that hard-core, much softer, more along the lines of: https://www.youtube.com/watch?v=HpW7kLa-du0
At this point all of preg works now, EXCEPT everything that has to do with the console.
The console is next, then I'll do tests and then I'll upload the CL
Forgot to update the CL for this: https://codereview.appspot.com/246490043/
The CL is quite a large preg refactor, which among other things removes this function completely out.
CL submitted and tool fixed.
GetHivesAndCollectors seems to be broken, trying to call functions on self that are actually in the frontend. Additionally, these usages aren't tested.
See: https://github.com/log2timeline/plaso/blob/master/tools/preg.py#L576 https://github.com/log2timeline/plaso/blob/master/tools/preg.py#L586
And there are a couple more usages.