orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
GNU General Public License v3.0

Database Filename Issues on Windows #11

Closed crypticgeek closed 7 years ago

crypticgeek commented 7 years ago

If I run a command like

cdqr.exe g:\

CDQR attempts to create a database file named g:.db, however : is not a valid character for a file in Windows. This causes log2timeline to error out:

IOError: [Errno 13] Permission denied: u'g:.db'
Failed to execute script log2timeline

but it continues to run so CDQR just appears to run forever.

Can you either strip illegal characters on windows \ / : * ? " < > | or let the user set the name of the db file somehow?

My use case is examining a multipart DD image mounted by another program.
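The sanitisation the report asks for, as an added example: this is not CDQR's own code and not how v4.0.0 fixed the issue. It replaces the characters listed above (plus ASCII control characters, which NTFS also rejects) with an underscore, trims trailing dots and spaces that Windows silently drops, and guards against reserved device names; the `safe_basename`/`output_paths` names, the reserved-name list and the `source` fallback are my assumptions.

```python
import ntpath
import re

# Characters Windows forbids in file names, as listed in the issue (\ / : * ? " < > |),
# plus ASCII control characters, which NTFS also rejects.
_ILLEGAL = re.compile(r'[\\/:*?"<>|\x00-\x1f]')

# Device names Windows reserves regardless of extension (assumed list, not from the issue).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def safe_basename(source: str, fallback: str = "source") -> str:
    """Derive a Windows-safe base name for output files from a source path.

    'g:\\'                 -> 'g_'       (drive root keeps the letter, colon replaced)
    'C:\\images\\disk.E01' -> 'disk.E01'
    'CON'                  -> '_CON'     (reserved device name)
    """
    # Drop trailing separators so "g:\" and "C:\images\" keep a usable tail.
    stripped = source.rstrip("\\/")
    # ntpath understands both separators and drive letters on any platform.
    # A bare drive ("g:") has an empty basename, so fall back to the drive part.
    tail = ntpath.basename(stripped) or ntpath.splitdrive(stripped)[0] or stripped
    name = _ILLEGAL.sub("_", tail)
    # Windows strips trailing dots and spaces; do it here so the name is stable.
    name = name.rstrip(" .")
    if not name:
        return fallback
    # Reserved names are matched on the stem only: "nul.db" is still rejected.
    stem = name.split(".", 1)[0]
    if stem.upper() in _RESERVED:
        name = "_" + name
    return name


def output_paths(source: str, dest_dir: str) -> dict:
    """Build the database, log and SuperTimeline paths CDQR-style output needs."""
    base = safe_basename(source)
    dest = dest_dir.rstrip("\\/")
    return {
        "db": f"{dest}/{base}.db",
        "log": f"{dest}/{base}.log",
        "csv": f"{dest}/{base}.SuperTimeline.csv",
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the report: a mounted drive root and a disk image.
    for src in ("g:\\", "C:\\images\\disk.E01", "CON", "a<b>c?.dd"):
        print(src, "->", output_paths(src, "C:/some/folder/cdqrresults")["db"])
```

Every name returned by `safe_basename` is guaranteed to contain none of the forbidden characters, so the same base can be reused for the .db, .log and .SuperTimeline.csv files that the report notes would all break.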

orlikoski commented 7 years ago

What version of Windows are you running on and can you show me the command string you used to run CDQR?

crypticgeek commented 7 years ago

Windows 7 64bit

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Loading personal and system profiles took 1369ms.
Z:\> cd C:\tools\
C:\tools> .\cdqr.exe --max_cpu g:\ C:\some\folder\cdqrresults\
CDQR Version: 3.1.3
Plaso Version: 1.5
Using parser: win
Number of cpu cores to use: 4
Source data: g:
Destination Folder: C:/some/folder/cdqrresults
Database File: C:/some/folder/cdqrresults/g:.db
SuperTimeline CSV File: C:/some/folder/cdqrresults/g:.SuperTimeline.csv

C:/some/folder/cdqrresults/g:.log
Processing started at: 2017-07-06 11:53:37.166546
Parsing image
"plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_drive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mrulistex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,network_drives,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassist,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,windows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,winevtx,winfirewall,winjob,winlogon,winrar_mru,winreg,winreg_default" "--hashers" "md5" "--workers" "4" "C:/some/folder/cdqrresults/g:.db" "g:"

crypticgeek commented 7 years ago

Looking at the output it's also obviously going to be a problem for the log file, the supertimeline file, etc containing the colon.

orlikoski commented 7 years ago

Thanks for reporting this. It will be an issue for older versions of Windows for sure. It works fine in Windows 10 so I'm going to imagine Win 8+, Linux and Mac will handle the ":" in the filename.

It's definitely something that can be fixed. Adding it as a bug to fix. Thanks again!

orlikoski commented 7 years ago

There is a workaround today. Simply copy / paste the log2timeline command and change the output filename. Once you have that you can trick CDQR to use that by following this example from your code pasted above:

"plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_drive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mrulistex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,network_drives,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassist,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,windows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,winevtx,winfirewall,winjob,winlogon,winrar_mru,winreg,winreg_default" "--hashers" "md5" "--workers" "4" "C:/some/folder/cdqrresults/g_drive.db" "g:"

MAKE A COPY OF THE .db FILE

Create file g_drive:

echo " " > g_drive

Then run cdqr in this way

C:\tools> .\cdqr.exe --max_cpu g_drive "C:/some/folder/cdqrresults/g_drive.db"

Follow the prompts to keep the files (should be all the defaults) and it'll use the g_drive.db for the rest of the processing.

orlikoski commented 7 years ago

Fixed in v4.0.0

Closing