log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Add fallback knowledge-base pre-processor plugin for systemroot #2410

Open joachimmetz opened 5 years ago

joachimmetz commented 5 years ago

2019-03-27 07:02:07,358 [DEBUG] (MainProcess) PID:30749 <extraction_tool> Starting preprocessing.
2019-03-27 07:02:08,351 [DEBUG] (MainProcess) PID:30749 <extraction_tool> Preprocessing done.
2019-03-27 07:02:08,352 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/System32/config/(SAM|SOFTWARE|SECURITY|SYSTEM)
2019-03-27 07:02:08,352 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/System32/winevt/Logs/.+[.]evtx
2019-03-27 07:02:08,352 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/System32/config/.+[.]evt
2019-03-27 07:02:08,352 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/inf/setupapi[.].+[.]log
2019-03-27 07:02:08,352 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/setupapi.log
2019-03-27 07:02:08,353 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/System32/LogFiles/.+/.+[.]txt
2019-03-27 07:02:08,353 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/Tasks/.+[.]job
2019-03-27 07:02:08,353 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/Appcompat/Programs/Recentfilecache[.]bcf
2019-03-27 07:02:08,353 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/Appcompat/Programs/AMcache[.]hve
2019-03-27 07:02:08,353 [WARNING] (MainProcess) PID:30749 <filter_file> The path filter must be defined as an absolute path: {systemroot}/Prefetch/.+[.]pf
joachimmetz commented 5 years ago

https://github.com/log2timeline/plaso/blob/b7bf7b7f618a649387ad50404e7db7709540736a/plaso/engine/engine.py#L267

operating_system == definitions.OPERATING_SYSTEM_FAMILY_UNKNOWN

for the test that makes sense since there is no Windows directory in the directory

joachimmetz commented 5 years ago

consider adding a knowledge-base pre-processor plugin for systemroot that falls back to C:\Windows
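The fallback proposed above, as an added illustration that is not plaso's own code: a placeholder expander that prefers values the pre-processors collected, falls back to a default only for names they did not set, and rejects filters that are still not absolute, which is what produces the warnings in the log. The placeholder syntax, the `/Windows` form of the fallback (C:\Windows as seen inside the image, without the drive letter) and the sample filter list are assumptions for this example.

```python
import logging
import re

# Constructed sample of {systemroot} path filters, taken from the warnings above,
# plus one filter that is already absolute.
PATH_FILTERS = [
    "{systemroot}/System32/config/(SAM|SOFTWARE|SECURITY|SYSTEM)",
    "{systemroot}/System32/winevt/Logs/.+[.]evtx",
    "{systemroot}/Prefetch/.+[.]pf",
    "/Users/.+/NTUSER[.]DAT",
]

# Hypothetical fallback values: C:\Windows expressed as an in-image path.
FALLBACK_VALUES = {"systemroot": "/Windows"}

_PLACEHOLDER = re.compile(r"\{(?P<name>[a-z0-9_]+)\}")


def expand_path_filters(path_filters, knowledge_base_values, fallback_values=None):
    """Expand {name} placeholders in path filters.

    knowledge_base_values: values the pre-processors collected (empty when the
    operating system family is unknown, e.g. no Windows directory was found).
    fallback_values: consulted only for names the pre-processors did not set.
    Returns (expanded, rejected); a filter is rejected when it is still not an
    absolute path after expansion, mirroring the warning in the log.
    """
    values = dict(fallback_values or {})
    values.update(knowledge_base_values)  # collected values win over fallbacks
    expanded, rejected = [], []
    for path_filter in path_filters:
        # Unknown placeholders are left in place so the absolute-path check fails.
        result = _PLACEHOLDER.sub(
            lambda match: values.get(match.group("name"), match.group(0)),
            path_filter)
        if not result.startswith("/"):
            logging.warning(
                "The path filter must be defined as an absolute path: %s", path_filter)
            rejected.append(path_filter)
            continue
        expanded.append(result)
    return expanded, rejected
```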