markmckinnon / Autopsy-Plugins

Autopsy Python Plugins

FileHistory #28

Closed eightflat closed 2 years ago

eightflat commented 4 years ago

Hello,

I've been trying to use the FileHistory plugin to no avail. I've tried two different sets of data as logical files (two sets of Catalog1.edb, Catalog2.edb, Config1.xml, Config2.xml from different machines), I've also tried running it on a data source (which I created in a virtual machine specifically as a File History drive) in the form of a raw image file.

Unfortunately, it just doesn't seem to take... I'll get the ingest message/notification that the plugin is done, but no artifacts are generated and I don't see anything in the Extracted Content "folder". I've also tested this on Autopsy 4.3 as well as 4.15, for what it's worth.

I would be grateful for any ideas, but could you let me know which version of Python the plugin was designed with, or perhaps which version you know works? Being able to replicate a known configuration would be very much appreciated.

Thank you for all your work with these plugins!

markmckinnon commented 4 years ago

When you tried to run the plugin against the logical data source what did the directory structure look like? According to the code on line 232 of the plugin code, it will try and find any *.edb file in a directory that contains "%/Windows/FileHistory/%". If the files were not in that directory then it would not find them. The same thing goes for the raw image file.

To see if you would be getting any information, one thing you can do is to export the catalog1.edb and catalog2.edb to the export folder of the case and then copy the following 2 files, Export_FileHistory.Exe and Export_FileHistory_records.exe, to the export directory. In a CMD prompt window go to the export directory and run the following command to see if it can process the catalogX.edb file(s):

Export_FileHistory.exe catalog1.edb catalog1.db3

You can run the same command for the catalog2.edb file, just change the names. This will create an SQLite database named catalog1.db3 that you can open up in an SQLite browser and look at any data that was generated. You will also see any messages for the run as well that might give a hint as to what is going on.

Once you try those steps then let me know what you find and if there is something more that may need to be done.
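A pre-flight check for the lookup described above (any *.edb file whose directory contains /Windows/FileHistory/), written as an added example rather than code taken from the plugin: it reports which files in a data source that filter would select and builds the Export_FileHistory.exe command for each one. The sample paths and the case-insensitive comparison are assumptions.

```python
"""Pre-flight check for the Autopsy FileHistory plugin, mirroring the lookup
described in the thread: any *.edb whose directory contains /Windows/FileHistory/.
Added example, not the plugin's own code."""
import fnmatch
import os
from typing import Iterable, List, Tuple

# Fragment quoted from the thread. Assumption: the plugin matches it with SQL
# LIKE, which is case-insensitive for ASCII, so paths are compared lower-cased.
PATH_FRAGMENT = "/windows/filehistory/"

# Constructed sample paths: loose logical files, a backup-drive layout, and one
# source-machine layout whose directory contains the fragment.
SAMPLE_PATHS = [
    "/LogicalFileSet1/Catalog1.edb",
    "/LogicalFileSet1/Config1.xml",
    "/fh_drive.dd/vol_vol2/FileHistory/alice/PC1/Configuration/Catalog1.edb",
    "/img.dd/vol_vol2/Users/alice/AppData/Local/Microsoft/Windows/FileHistory/Configuration/Catalog1.edb",
]

def plugin_would_select(path: str) -> bool:
    """True if the directory-plus-extension filter from the thread matches this path."""
    norm = path.replace("\\", "/").lower()
    parent = norm.rsplit("/", 1)[0] + "/"
    return PATH_FRAGMENT in parent and fnmatch.fnmatch(norm, "*.edb")

def partition_candidates(paths: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split paths into (selected, skipped) so a missed layout shows up before ingest."""
    selected, skipped = [], []
    for p in paths:
        (selected if plugin_would_select(p) else skipped).append(p)
    return selected, skipped

def converter_commands(selected: Iterable[str], exe: str = "Export_FileHistory.exe") -> List[List[str]]:
    """Build the manual conversion command from the thread for each selected catalog."""
    cmds = []
    for p in selected:
        name = os.path.basename(p)
        cmds.append([exe, name, os.path.splitext(name)[0] + ".db3"])
    return cmds

if __name__ == "__main__":
    sel, skip = partition_candidates(SAMPLE_PATHS)
    print("selected:", sel)
    print("skipped: ", skip)
    for cmd in converter_commands(sel):
        print(" ".join(cmd))
```

Run it against the paths Autopsy shows for your data source; anything that lands in "skipped" is why the ingest finishes without artifacts.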

eightflat commented 4 years ago

My most sincere thanks, Mark. It was as simple as having the correct path. Also, I really appreciate the extra step for determining if the catalog files are even viable. More knowledge!

markmckinnon commented 4 years ago

Glad it was an easy fix. Glad you are getting some use out of my plugins as well.

eightflat commented 4 years ago

Mark, another question... during the course of your work with the FileHistory plugin, did you ever come upon any detailed explanations for the timestamps generated by the Windows File History?

I've been trying to make sense of the differences between the Backup timestamps, but I haven't had any success coming up with confident explanations.

I read in another issue that you prepared some documentation for plugin contests, and was hoping that (or the natural course of your work) might include information about the timestamps.