log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Collection filters are not correctly resolved for multiple partitions #396

Open eoyslebo opened 9 years ago

eoyslebo commented 9 years ago

I run image_export.py and log2timeline.py in an automated script and want to use --partition all so that I don't have to worry about identifying the correct partition.

When using a filter file, some of the paths are not expanded correctly unless I specify the main OS partition instead of using --partition all.

This applies to both image_export.py and log2timeline.py.

In the example below, I ran image_export.py against an image with three partitions: UEFI, OS, and recovery.

image_export.py --partition all --vss_stores all -f "src/plaso/data/filter_windows.txt" "imagefile.E01"

2015-10-29 12:25:19,856 [INFO] Processing started.
2015-10-29 12:25:20,318 [INFO] Guessing OS
2015-10-29 12:25:20,322 [INFO] OS: None
2015-10-29 12:25:20,322 [INFO] Running preprocess.
2015-10-29 12:25:20,322 [INFO] Preprocess done, saving files from image.
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {sysregistry}/(SAM|SOFTWARE|SECURITY|SYSTEM) with error: u"Unable to expand path with error: 'sysregistry'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {systemroot}/winevt/Logs/.+[.]evtx with error: u"Unable to expand path with error: 'systemroot'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {systemroot}/config/.+[.]evt with error: u"Unable to expand path with error: 'systemroot'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/inf/setupapi[.].+[.]log with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/setupapi.log with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/System32/LogFiles/.+/.+[.]txt with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/Tasks/.+[.]job with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/Appcompat/Programs/Recentfilecache[.]bcf with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/Appcompat/Programs/AMcache[.]hve with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:20,323 [ERROR] Unable to use collection filter line: {windir}/Prefetch/.+[.]pf with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {sysregistry}/(SAM|SOFTWARE|SECURITY|SYSTEM) with error: u"Unable to expand path with error: 'sysregistry'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {systemroot}/winevt/Logs/.+[.]evtx with error: u"Unable to expand path with error: 'systemroot'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {systemroot}/config/.+[.]evt with error: u"Unable to expand path with error: 'systemroot'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/inf/setupapi[.].+[.]log with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/setupapi.log with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/System32/LogFiles/.+/.+[.]txt with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/Tasks/.+[.]job with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/Appcompat/Programs/Recentfilecache[.]bcf with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/Appcompat/Programs/AMcache[.]hve with error: u"Unable to expand path with error: 'windir'"
2015-10-29 12:25:21,195 [ERROR] Unable to use collection filter line: {windir}/Prefetch/.+[.]pf with error: u"Unable to expand path with error: 'windir'"

Resulting directory structure (find -type d -maxdepth=3):

./_RECYCLE.BIN
./_RECYCLE.BIN/S-1-5-21-*REDACTED*
./Users
./Users/Default
./Users/*REDACTED*/AppData
./_Recycle.Bin
./_Recycle.Bin/S-1-5-21-*REDACTED*

image_export.py --partition 2 --vss_stores all -f "src/plaso/data/filter_windows.txt" "imagefile.E01"

2015-10-29 12:26:06,690 [INFO] Processing started.
2015-10-29 12:26:07,864 [INFO] Guessing OS
2015-10-29 12:26:10,125 [INFO] OS: Windows
2015-10-29 12:26:10,125 [INFO] Running preprocess.
2015-10-29 12:26:10,894 [INFO] [PreProcess] Set attribute: sysregistry to /Windows/System32/config
2015-10-29 12:26:10,921 [INFO] [PreProcess] Set attribute: systemroot to /Windows
2015-10-29 12:26:10,950 [INFO] [PreProcess] Set attribute: windir to /Windows
2015-10-29 12:26:12,828 [INFO] [PreProcess] Set attribute: code_page to cp1252
2015-10-29 12:26:12,830 [INFO] [PreProcess] Set attribute: hostname to *REDACTED*
2015-10-29 12:26:15,875 [INFO] [PreProcess] Set attribute: programfiles to \Program Files
2015-10-29 12:26:15,890 [INFO] [PreProcess] Set attribute: time_zone_str to @tzres.dll,-322
2015-10-29 12:26:15,976 [INFO] [PreProcess] Set attribute: users to [{u'path': u'%systemroot%\\system32\\config\\systemprofile', u'name': u'systemprofile', u'sid': u'S-1-5-18'},*REDACTED*
2015-10-29 12:26:15,976 [INFO] [PreProcess] Set attribute: programfilesx86 to \Program Files (x86)
2015-10-29 12:26:15,978 [INFO] [PreProcess] Set attribute: osversion to Windows 7 Home Premium
2015-10-29 12:26:15,983 [INFO] Preprocess done, saving files from image.

Resulting directory structure (find -type d -maxdepth=3):

./Users
./Users/Default
./Users/*REDACTED*
./Users/*REDACTED*/AppData
./Windows
./Windows/System32
./Windows/System32/LogFiles
./Windows/System32/config
./Windows/Tasks
./Windows/Prefetch
./Windows/AppCompat
./Windows/AppCompat/Programs
./Windows/inf
./_Recycle.Bin
./_Recycle.Bin/S-1-5-21-*REDACTED*
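The two runs above show the shape of the problem: with `--partition all` the preprocessor reports `OS: None` and every filter line that needs `{sysregistry}`, `{systemroot}` or `{windir}` fails to expand, so only placeholder-free lines (the `Users` and recycle-bin paths) are exported; with `--partition 2` the attributes are set from the Windows volume and the full filter applies. The following is an added example, not plaso's own code, that models what the report asks for: preprocess each partition separately, expand a filter line against the attributes of the partition it is being applied to, and treat a line whose placeholders cannot be resolved on a given partition as "not applicable here" rather than as an error. The partition contents, the `preprocess()` stand-in (which detects a Windows installation by the presence of a `System32/config` directory), the helper names and the case-insensitive whole-path regex matching are all constructed assumptions for the illustration; the filter lines are a subset of those in the error output.

```python
"""Per-partition expansion of plaso-style collection filter lines.

Added example (not plaso's code). Each partition is preprocessed on its
own; filter placeholders such as {windir} are resolved with that
partition's attributes; lines that cannot be resolved on a partition are
skipped for that partition instead of aborting the whole filter.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample image: like the report, three partitions of which
# only the second (p2) carries a Windows installation.
PARTITIONS: Dict[str, List[str]] = {
    "p1": ["/EFI/Microsoft/Boot/bootmgfw.efi"],
    "p2": [
        "/Windows/System32/config/SAM",
        "/Windows/System32/config/SYSTEM",
        "/Windows/Prefetch/CMD.EXE-0BD30981.pf",
        "/Windows/AppCompat/Programs/Amcache.hve",
        "/Users/alice/AppData/Local/Temp/x.txt",
    ],
    "p3": ["/Recovery/WindowsRE/Winre.wim"],
}

# A subset of the filter lines from the report's error output, plus one
# placeholder-free line, which applies to every partition.
FILTER_LINES = [
    "{sysregistry}/(SAM|SOFTWARE|SECURITY|SYSTEM)",
    "{windir}/Prefetch/.+[.]pf",
    "{windir}/Appcompat/Programs/AMcache[.]hve",
    "/Users/.+/AppData/.+",
]

_PLACEHOLDER = re.compile(r"\{(\w+)\}")
# Toy stand-in for plaso's OS detection: a Windows install is assumed when
# a <root>/System32/config directory exists on the partition (assumption).
_CONFIG_DIR = re.compile(r"^(/[^/]+)/System32/config/", re.IGNORECASE)


def preprocess(paths: List[str]) -> Optional[Dict[str, str]]:
    """Return the preprocessor attributes for one partition, or None when
    the partition holds no Windows installation (the report's 'OS: None')."""
    for path in paths:
        match = _CONFIG_DIR.match(path)
        if match:
            systemroot = match.group(1)
            return {
                "systemroot": systemroot,
                "windir": systemroot,
                "sysregistry": systemroot + "/System32/config",
            }
    return None


def expand_filter_line(line: str, attributes: Optional[Dict[str, str]]) -> Optional[str]:
    """Resolve {name} placeholders with this partition's attributes.

    Returns the expanded regex, or None when the line needs an attribute
    this partition does not provide, meaning the line does not apply here."""
    needed = set(_PLACEHOLDER.findall(line))
    if not needed:
        return line
    if attributes is None or not needed.issubset(attributes):
        return None
    # Attribute values are escaped so a path containing regex metacharacters
    # (e.g. "Program Files (x86)") cannot change the pattern's meaning.
    return _PLACEHOLDER.sub(lambda m: re.escape(attributes[m.group(1)]), line)


def collect(partitions: Dict[str, List[str]],
            filter_lines: List[str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Apply the filter to every partition with that partition's own attributes.

    Returns (matched paths per partition, skipped filter lines per partition);
    the skipped list is the diagnostic an analyst would want instead of one
    ERROR line per filter entry per partition."""
    matched: Dict[str, List[str]] = {}
    skipped: Dict[str, List[str]] = {}
    for name, paths in partitions.items():
        attributes = preprocess(paths)
        matched[name], skipped[name] = [], []
        for line in filter_lines:
            expanded = expand_filter_line(line, attributes)
            if expanded is None:
                skipped[name].append(line)
                continue
            # Windows file systems are case-insensitive, so "Appcompat" in the
            # filter should still match "AppCompat" on disk (assumption).
            pattern = re.compile(expanded, re.IGNORECASE)
            matched[name].extend(p for p in paths if pattern.fullmatch(p))
    return matched, skipped


if __name__ == "__main__":
    matched, skipped = collect(PARTITIONS, FILTER_LINES)
    for name in PARTITIONS:
        print(name, "matched:", matched[name])
        print(name, "skipped:", skipped[name])
```

Run as a script it prints, per partition, which sample paths the filter selected and which filter lines were skipped; p1 and p3 skip the three placeholder lines and export nothing, while p2 resolves all of them and also matches `Amcache.hve` despite the differing case in the filter line.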

joachimmetz commented 9 years ago

Closely related to: https://github.com/log2timeline/plaso/issues/217 and https://github.com/log2timeline/plaso/issues/109 (fix preprocessor to handle more than one system configuration)