Error while parsing using prefetch parser

kiddinn commented 9 years ago

While parsing the dblake win81 disk image.

[prefetch] Unable to process file:

 type: OS, 
location: /path/test_images/win81_donald_blake/Donald_Blake_Evidence/C-Drive/YYYYMMDD-002-CDRIVE.E01
type: EWF
type: VSHADOW, store index: 1
type: TSK, inode: 126743, location: /Windows/Prefetch/NGENTASK.EXE-8C2F1441.pf
 with error: 'utf16' codec can't decode bytes in position 100-101: illegal encoding.

And the traceback:

Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
    parser_object.Parse(self._parser_context, file_entry)
  File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 407, in Parse
    filename_strings = self._ParseFilenameStrings(file_object, file_information)
  File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 305, in  _ParseFilenameStrings
    filename_strings_data)
  File "build/bdist.linux-x86_64/egg/plaso/lib/binary.py", line 243, in   ArrayOfUt16StreamCopyToStringTable
    'utf-16-le')
  File "/usr/lib/python2.7/encodings/utf_16_le.py", line 16, in decode
    return codecs.utf_16_le_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 100-101: illegal encoding

Other issues as well, from same parsing:

File: type: TSK, inode: 18036, location: /Windows/Prefetch/DRVINST.EXE-14255DC1.pf

with error: 'utf16' codec can't decode bytes in position 11508-11509: illegal UTF-16 surrogate.

Traceback (most recent call last):

File "build/bdist.linux-x86_64/egg/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
  parser_object.Parse(self._parser_context, file_entry)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 407, in Parse
  filename_strings = self._ParseFilenameStrings(file_object, file_information)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 305, in  _ParseFilenameStrings
  filename_strings_data)
File "build/bdist.linux-x86_64/egg/plaso/lib/binary.py", line 243, in  ArrayOfUt16StreamCopyToStringTable
  'utf-16-le')
File "/usr/lib/python2.7/encodings/utf_16_le.py", line 16, in decode
  return codecs.utf_16_le_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 11508-11509: illegal UTF-16  surrogate

File: type: TSK, inode: 42505, location: /Windows/Prefetch/RUNDLL32.EXE-648A8C68.pf

with error: startswith first arg must be str, unicode, or tuple, not NoneType.

Traceback (most recent call last):

File "build/bdist.linux-x86_64/egg/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
    parser_object.Parse(self._parser_context, file_entry)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 438, in Parse
    if (filename.startswith(volume_device_path) and
TypeError: startswith first arg must be str, unicode, or tuple, not NoneType

File: TSK, inode: 4124, location: /Windows/Prefetch/RUNDLL32.EXE-47EC2F1A.pf

with error: 'utf16' codec can't decode bytes in position 82-83: illegal encoding.

Traceback (most recent call last):

File "build/bdist.linux-x86_64/egg/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
    parser_object.Parse(self._parser_context, file_entry)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 407, in Parse
    filename_strings = self._ParseFilenameStrings(file_object, file_information)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 305, in _ParseFilenameStrings
    filename_strings_data)
File "build/bdist.linux-x86_64/egg/plaso/lib/binary.py", line 243, in ArrayOfUt16StreamCopyToStringTable
    'utf-16-le')
File "/usr/lib/python2.7/encodings/utf_16_le.py", line 16, in decode
    return codecs.utf_16_le_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 82-83: illegal encoding

kiddinn commented 9 years ago

There was also this one:

Traceback (most recent call last):
File "build/bdist.linux-x86_64/egg/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser
  parser_object.Parse(self._parser_context, file_entry)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 407, in Parse
  filename_strings = self._ParseFilenameStrings(file_object, file_information)
File "build/bdist.linux-x86_64/egg/plaso/parsers/winprefetch.py", line 305, in _ParseFilenameStrings
  filename_strings_data)
File "build/bdist.linux-x86_64/egg/plaso/lib/binary.py", line 243, in   ArrayOfUt16StreamCopyToStringTable
  'utf-16-le')
File "/usr/lib/python2.7/encodings/utf_16_le.py", line 16, in decode
  return codecs.utf_16_le_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 4-5: illegal encoding

kiddinn commented 9 years ago

https://codereview.appspot.com/189040043/

kiddinn commented 9 years ago

This has been fixed in aec886123f8c4e54ec2c331a0aaf1c267cc0e95e

log2timeline / plaso

Error while parsing using prefetch parser #68