search

log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0
1.73k stars 352 forks source link

How do I use/troubleshoot BrowserHistory artifact collection filter? #4752

Open erinshore66 opened 1 year ago

erinshore66 commented 1 year ago

Describe the problem:

When I run log2timeline with BrowserHistory artifact I dont get any results nor do I see any error.

To Reproduce:

Plaso Version: Latest: 20230717 OS Version; Ubuntu 22.04.3 LTS (Fresh install) Source data: base-rd-04-cdrive.E01 from FOR508 Installation Method: I installed plaso with the recommendations of the official documentation (add universe; add ppa; and apt install plaso-tools).

Steps to reproduce:

Run log2timeline with BrowserHistory artifact on base-rd-04 image from FOR508 with this command:

Command output:

$ log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file hist.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01

2023-11-04 10:37:27,516 [INFO] (MainProcess) PID:24890 <data_location> Determined data location: /usr/share/plaso
2023-11-04 10:37:27,526 [INFO] (MainProcess) PID:24890 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OPTIONAL]      unable to determine version information for: flor
[OK]
Source path             : /mnt/hgfs/imgs/base-rd-04-cdrive.E01
Source type             : storage media image
Artifact filters        : BrowserHistory
Processing time         : 00:00:00

Processing started.

Log Output:

2023-11-04 10:37:29,290 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Starting preprocessing.
2023-11-04 10:37:29,325 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: DetermineOperatingSystemPlugin with artifact definition: N/A
2023-11-04 10:37:29,700 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxHostnamePlugin with artifact definition: LinuxHostnameFile
2023-11-04 10:37:29,705 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxDistributionPlugin with artifact definition: LinuxDistributionRelease
2023-11-04 10:37:29,730 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxIssueFilePlugin with artifact definition: LinuxIssueFile
2023-11-04 10:37:29,739 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxStandardBaseReleasePlugin with artifact definition: LinuxLSBRelease
2023-11-04 10:37:29,743 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxSystemdOperatingSystemPlugin with artifact definition: LinuxSystemdOSRelease
2023-11-04 10:37:29,751 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxTimeZonePlugin with artifact definition: LinuxLocalTime
2023-11-04 10:37:29,756 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxUserAccountsPlugin with artifact definition: LinuxPasswdFile
2023-11-04 10:37:29,760 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSHostnamePlugin with artifact definition: MacOSSystemConfigurationPreferencesPlistFile
2023-11-04 10:37:29,765 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSKeyboardLayoutPlugin with artifact definition: MacOSKeyboardLayoutPlistFile
2023-11-04 10:37:29,769 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSSystemVersionPlugin with artifact definition: MacOSSystemVersionPlistFile
2023-11-04 10:37:29,774 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSTimeZonePlugin with artifact definition: MacOSLocalTime
2023-11-04 10:37:29,783 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSUserAccountsPlugin with artifact definition: MacOSUserPasswordHashesPlistFiles
2023-11-04 10:37:29,791 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: WindowsSystemRootEnvironmentVariablePlugin with artifact definition: WindowsEnvironmentVariableSystemRoot
2023-11-04 10:37:29,795 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: systemroot to: "\Windows"
2023-11-04 10:37:29,808 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: WindowsWinDirEnvironmentVariablePlugin with artifact definition: WindowsEnvironmentVariableWinDir
2023-11-04 10:37:29,812 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: windir to: "\Windows"
2023-11-04 10:37:29,825 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsAvailableTimeZones
2023-11-04 10:37:33,058 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsCodePage
2023-11-04 10:37:33,398 [DEBUG] (MainProcess) PID:24890 <mediator> setting code page to: "cp1252"
2023-11-04 10:37:33,408 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsComputerName
2023-11-04 10:37:33,750 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsCurrentVersion
2023-11-04 10:37:34,090 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableAllUsersProfile
2023-11-04 10:37:34,437 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramData
2023-11-04 10:37:34,766 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programdata to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:34,768 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramFiles
2023-11-04 10:37:35,087 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programfiles to: "C:\Program Files"
2023-11-04 10:37:35,089 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramFilesX86
2023-11-04 10:37:35,420 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programfilesx86 to: "C:\Program Files (x86)"
2023-11-04 10:37:35,421 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEventLogPublishers
2023-11-04 10:37:38,977 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEventLogSources
2023-11-04 10:37:41,136 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsLanguage
2023-11-04 10:37:41,479 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsMountedDevices
2023-11-04 10:37:41,808 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsProductName
2023-11-04 10:37:42,151 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsRegistryProfiles
2023-11-04 10:37:42,486 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: systemprofile
2023-11-04 10:37:42,488 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: LocalService
2023-11-04 10:37:42,489 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: NetworkService
2023-11-04 10:37:42,491 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: Administrator.BASE-RD-04
2023-11-04 10:37:42,492 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: nromanoff
2023-11-04 10:37:42,494 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: rsydow-a
2023-11-04 10:37:42,495 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: cbarton-a
2023-11-04 10:37:42,496 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: spsql
2023-11-04 10:37:42,498 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: administrator.shieldbase
2023-11-04 10:37:42,500 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsServices
2023-11-04 10:37:45,577 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsTimezone
2023-11-04 10:37:46,241 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsAllUsersAppDataKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: allusersappdata to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsAllUsersAppProfileKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: allusersprofile to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsProgramDataKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Preprocessing done.
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Parser filter expression set to: binary_cookies,chrome_cache,chrome_preferences,esedb/msie_webcache,firefox_cache,java_idx,msiecf,opera_global,opera_typed_history,plist/safari_history,sqlite/chrome_17_cookies,sqlite/chrome_27_history,sqlite/chrome_66_cookies,sqlite/chrome_8_history,sqlite/chrome_autofill,sqlite/chrome_extension_activity,sqlite/firefox_10_cookies,sqlite/firefox_2_cookies,sqlite/firefox_downloads,sqlite/firefox_history,sqlite/safari_historydb
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <engine> building find specification based on artifacts: BrowserHistory
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from artifact definition: BrowserHistory
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path glob: %%users.homedir%%/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: %systemroot%\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from expanded path: \Windows\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "\Windows\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal"
.......
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\administrator.shieldbase\Local Settings\Application Data\Microsoft\Windows\History\Low\History.IE5\index.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path glob: %%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from expanded path: \Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\Administrator.BASE-RD-04\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\Administrator.BASE-RD-04\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
..........
2023-11-04 10:37:46,513 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\Administrator.BASE-RD-04\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,513 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\cbarton-a\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\cbarton-a\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\spsql\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\spsql\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\administrator.shieldbase\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\administrator.shieldbase\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,629 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> Creating socket for main_task_queue
2023-11-04 10:37:46,630 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue bound to random port 39937
2023-11-04 10:37:46,630 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue responder thread started
2023-11-04 10:37:46,631 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Starting worker process Worker_00
2023-11-04 10:37:46,739 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Starting worker process Worker_01
2023-11-04 10:37:48,588 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Task scheduler started
2023-11-04 10:37:48,588 [DEBUG] (MainProcess) PID:24890 <task_manager> Checking for pending tasks
2023-11-04 10:37:48,589 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Task scheduler stopped
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Stopping extraction processes.
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Stopped monitoring process: Worker_00 (PID: 24894)
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Stopped monitoring process: Worker_01 (PID: 24898)
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Emptying task queue.
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_00 (PID: 24894).
2023-11-04 10:37:48,873 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sending item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sent item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sending item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sent item
2023-11-04 10:37:53,881 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_01 (PID: 24898).
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_01 (PID: 24898) stopped.
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue queue closing, will linger for up to 0 seconds
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_00 (PID: 24894).
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_00 (PID: 24894) stopped.
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_01 (PID: 24898).
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_01 (PID: 24898) stopped.
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> [main_task_queue] Waiting for thread to exit.
2023-11-04 10:37:54,877 [INFO] (MainProcess) PID:24890 <zeromq_queue> Queue main_task_queue responder exiting.
2023-11-04 10:37:54,877 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> [main_task_queue] Waiting for thread to exit.
2023-11-04 10:37:54,877 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Processing completed.

Then I ran psort in this way and no results found:

$ psort.py -o l2tcsv -w history.csv hist.db
2023-11-04 11:08:00,815 [INFO] (MainProcess) PID:24931 <data_location> Determined data location: /usr/share/plaso
WARNING: the output format: l2tcsv has significant limitations such as second-
only date and time values and/or a limited predefined set of output fields. It
is strongly recommend to use an alternative output format like: dynamic.

Waiting for 15 second to give you time to cancel.
plaso - psort version 20230717

Storage file            : hist.db
Processing time         : 00:00:00
$ cat history.csv
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra

The same happens if I run with docker.

Expected Behavior Get browser history from an image

joachimmetz commented 1 year ago
erinshore66 commented 1 year ago
  • what format hist.db ? sqlite -- 20230327 
    
$ pinfo.py hist.db

** Plaso Storage Information *** Filename : hist.db Format version : 20230327 Serialization format : json


> * is log2timeline.py able to determine the variables used in the artifact definition?
I dont know how to answer this. I dont think so. It happens with all %%users.*%% variables
For example: WindowsUserRegistryFiles
joachimmetz commented 1 year ago

I dont know how to answer this. I dont think so. It happens with all %%users.*%% variables

what do the debug logs tell you or the user accounts in the hist.db database ?

Also see: https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html

erinshore66 commented 1 year ago

First at all, thank you very much for your help.

what do the debug logs tell you or the user accounts in the hist.db database ?

The hist.db doesnt have any events:

$ pinfo.py hist.db
************************** Plaso Storage Information ***************************
Filename : hist.db
Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------
*********************************** Sessions ***********************************
d962f0e8-627f-44dc-9436-9803034faf74 : 2023-11-04T10:37:28.546754+00:00
--------------------------------------------------------------------------------
******************************** Event sources *********************************
Total : 0
--------------------------------------------------------------------------------
No events stored.
No events labels stored.
No warnings stored.
No analysis reports stored.

I see in the logs lines like these:

2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"

I have been testing and if I change in the artifact definitions the %%users.%% variables to the corresponding \Users\\\AppData.... , it works. I have changed InternetExplorerHistory (ONLY InternetExplorerHistory) paths in /usr/share/artifacts/webbrowser.yaml:

Snippet:

....
    - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
   To:
    - '\Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat'

Then I ran log2timeline again with the BrowserHistory artifact

$ log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file history.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01

This way the warnings disappear and I get the Internet Explorer history.

$ pinfo.py history.db

************************** Plaso Storage Information ***************************
            Filename : history.db
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
f87fe762-2b36-47a3-824e-f40ee8cc2d32 : 2023-11-04T19:01:55.014016+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 4
--------------------------------------------------------------------------------

************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
       msie_webcache : 2995
               Total : 2995
--------------------------------------------------------------------------------

No events labels stored.

******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
 esedb/msie_webcache : 6
--------------------------------------------------------------------------------

************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
                 3 : type: OS, location: /mnt/hgfs/imgs/base-rd-04-cdrive.E01
                   : type: EWF
                   : type: NTFS, location:
                     \Users\administrator.shieldbase\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat,
                     MFT attribute: 2, MFT entry: 6867
                 3 : type: OS, location: /mnt/hgfs/imgs/base-rd-04-cdrive.E01
                   : type: EWF
                   : type: NTFS, location:
                     \Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat,
                     MFT attribute: 2, MFT entry: 12178
--------------------------------------------------------------------------------

No analysis reports stored.

Should I change all %%users.*%% variables in the artifact yamls and set absolute paths avoiding these user variables? Or use custom artifacts??

Thank you very much again.

joachimmetz commented 1 year ago

I'll have a closer look when time permits.

erinshore66 commented 9 months ago

Hi again! I have been testing the new version to see if this behavior with user variables persisted and I have confirmed that it does.

I have been debugging in the artifact_filters.py file and the _BuildFindSpecsFromFileSourcePath function. with two artifact filters that are a clear example of the observed behavior.

The function is:

  def _BuildFindSpecsFromFileSourcePath(
      self, source_path, path_separator, environment_variables, user_accounts):
    """Builds find specifications from a file source type.

    Args:
      source_path (str): file system path defined by the source.
      path_separator (str): file system path segment separator.
      environment_variables (list[EnvironmentVariableArtifact]):
          environment variables.
      user_accounts (list[UserAccountArtifact]): user accounts.

    Returns:
      list[dfvfs.FindSpec]: find specifications for the file source type.
    """
    find_specs = []
    for path_glob in path_helper.PathHelper.ExpandGlobStars(
        source_path, path_separator):
      logger.debug('building find spec from path glob: {0:s}'.format(
          path_glob))

      for path in path_helper.PathHelper.ExpandUsersVariablePath(
          path_glob, path_separator, user_accounts):
        logger.debug('building find spec from path: {0:s}'.format(path))

        if '%' in path:
          path = path_helper.PathHelper.ExpandWindowsPath(
              path, environment_variables)
          logger.debug('building find spec from expanded path: {0:s}'.format(
              path))

        if not path.startswith(path_separator):
          logger.warning((
              'The path filter must be defined as an absolute path: '
              '"{0:s}"').format(path))
          continue

        try:
          find_spec = dfvfs_file_system_searcher.FindSpec(
              case_sensitive=False, location_glob=path,
              location_separator=path_separator)
        except ValueError as exception:
          logger.error((
              'Unable to build find specification for path: "{0:s}" with '
              'error: {1!s}').format(path, exception))
          continue

        find_specs.append(find_spec)

    return find_specs

The WindowsSystemRegistryFiles filter does everything as expected. System variables like %%environ_systemroot%% are translated correctly and the _BuildFindSpecsFromFileSourcePath function gets the correct path this way:

2024-02-11 12:40:43,680 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from path glob: %%environ_systemroot%%\System32\config\SYSTEM
2024-02-11 12:40:43,681 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from path: %%environ_systemroot%%\System32\config\SYSTEM
2024-02-11 12:40:43,681 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from expanded path: \Windows\System32\config\SYSTEM

The returned path starts with "\" so it continues the execution and gets the right path.

With WindowsUserRegistryFiles and the user variables %%user.*%% the returned path starts with "C:" and not with the path_separator "\" so it enters this if:

 if not path.startswith(path_separator):
          logger.warning((
              'The path filter must be defined as an absolute path: '
              '"{0:s}"').format(path))
          continue

And returns the warning we can see in the logs:

2024-02-11 12:44:50,602 [DEBUG] (MainProcess) PID:84295 <artifact_filters> building find spec from path: C:\Users\nromanoff\NTUSER.DAT
2024-02-11 12:44:50,602 [WARNING] (MainProcess) PID:84295 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\NTUSER.DAT"

And is never saved in the variable _findspec because of the continue command in the previous if.

try:
          find_spec = dfvfs_file_system_searcher.FindSpec(
              case_sensitive=False, location_glob=path,
              location_separator=path_separator)

Now, we add a new if to remove "C:" string from the returned path 

if path.startswith("C:"):
          path = path[2:]
          logger.debug(('ROBI REMOVES STRING C: '
              '"{0:s}"').format(path))

This time the path starts with the expected path_separator "\" and the execution continues:

2024-02-11 13:02:28,607 [DEBUG] (MainProcess) PID:84369 <artifact_filters> building find spec from path: C:\Users\nromanoff\NTUSER.DAT
2024-02-11 13:02:28,607 [DEBUG] (MainProcess) PID:84369 <artifact_filters> ROBI REMOVES STRING C: "\Users\nromanoff\NTUSER.DAT"

And it works! Let's try the original command that I opened this issue with. If I run the BrowserHistory again it works perfectly:

log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file hist.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01
psort.py -o l2tcsv -w hist.csv hist.db

I get back what I expected:

.....
12/05/2018,14:50:11,UTC,....,WEBHIST,MSIE WebCache container record,Expiration Time,-,BASE-RD-04,URL: Visited: spsql@https://login.live.com/oauth20_authorize.srf?client_id=00...,URL: ........
12/10/2018,01:54:52,UTC,....,WEBHIST,MSIE WebCache container record,Expiration Time,-,BASE-RD-04,URL: Visited: nromanoff@https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=...,URL: Visit..
.....

I don't know if this change may have an impact on other Plaso capabilities. I am not a Python expert. I hope this can help. Thank you very much.