orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy-to-use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices.
GNU General Public License v3.0

cdqr breaks on unicode characters #39

Closed davidrudduck closed 5 years ago

davidrudduck commented 5 years ago

Running cdqr v.4.4.0 via skadi 2019.2 docker setup.

CDQR exits with unable to extract.

david@skadi:~$ cdqr in:CASE-DEVICE.zip out:CASE-DEVICE -p datt -z --max_cpu --es_kb CASE-DEVICE --es_ts CASE-DEVICE
docker run -v /etc/hosts:/etc/hosts:ro --network host -v /home/david/CASE-DEVICE.zip:home/david/CASE-DEVICE.zip -v /home/david/CASE-DEVICE:/home/david/CASE-DEVICE -v /etc/timesketch.conf:/etc/timesketch.conf aorlikoski/cdqr:4.4.0 -y /home/david/CASE-DEVICE.zip /home/david/CASE-DEVICE -p datt -z --max_cpu --es_kb CASE-DEVICE --es_ts CASE-DEVICE
CDQR Version: 4.4
Plaso Version: 20190131
WARNING!! Known compatible version of Plaso NOT detected. Attempting to use default parser list. Try using the --no_dependencies_check if Plaso dependancies are the issue.
Using parser: datt
Number of cpu cores to use: 4
Destination Folder: /home/david/CASE-DEVICE
Attempting to extract source file: /home/david/CASE-DEVICE.zip
Unable to extract file: /home/david/CASE-DEVICE.zip
'ascii' codec can't encode character '\u2310' in position 135: ordinal not in range(128)

orlikoski commented 5 years ago

Looks like there is an issue with the Python unzip library and not an issue with CDQR coding itself. Recommend users manually unzip files that are affected by the issue with Python while how to get around it is researched.

orlikoski commented 5 years ago

@davidrudduck does the zip file get unzipped correctly by unzip or other tools?

davidrudduck commented 5 years ago

@orlikoski yes, unzip worked fine.

My CyLR collection list is a lot longer than the defaults, so it's possible that one of the files I collect is Unicode-encoded and causing grief to the Python-based unzip library.

orlikoski commented 5 years ago

Definitely good to know, and getting this issue documented will help others who have run into the same problem, as well as a solution to it. If it becomes a major issue we can research options other than the Python zip library.
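The traceback in the first report ('ascii' codec can't encode character '\u2310') is what Python's zipfile raises when a member name contains a character that the process's filesystem encoding cannot represent, which is what happens in a container whose locale is unset (an assumption about this setup; it is consistent with the error text but not confirmed in the thread). The following is an added example, not CDQR's or CyLR's own code, of an extractor that keeps working in that situation by percent-encoding only the characters the filesystem encoding rejects, and that also refuses member names that would write outside the destination directory, a check any tool that unpacks untrusted collection archives should make. The sample archive is constructed inline; `fs_encoding="ascii"` simulates the container's encoding without changing the host locale, and `CASE-DEVICE.zip` is just an illustrative name.

```python
"""Added example (not part of CDQR): extract a zip whose member names contain
non-ASCII characters even when the filesystem encoding is 'ascii', and refuse
members whose path escapes the destination directory."""
import os
import shutil
import sys
import tempfile
import urllib.parse
import zipfile


def safe_member_name(name, fs_encoding=None):
    """Return a member name the target filesystem encoding can represent.

    Names that encode cleanly are returned unchanged; otherwise only the
    characters that fail are percent-encoded (UTF-8 bytes), so the result is
    reversible and the rest of the path stays readable.
    """
    enc = fs_encoding or sys.getfilesystemencoding()
    try:
        name.encode(enc)
        return name
    except UnicodeEncodeError:
        pass
    out = []
    for ch in name:
        try:
            ch.encode(enc)
            out.append(ch)
        except UnicodeEncodeError:
            out.append(urllib.parse.quote(ch, safe=""))
    return "".join(out)


def resolve_target(dest_dir, member_name):
    """Map a member name to an absolute path inside dest_dir, or raise.

    Absolute names and '..' components are rejected by comparing the
    resolved target against the resolved destination root (zip-slip guard).
    """
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError("refusing path outside destination: %r" % member_name)
    return target


def extract_zip(zip_path, dest_dir, fs_encoding=None):
    """Extract zip_path into dest_dir; return the relative paths written."""
    written = []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = safe_member_name(info.filename, fs_encoding)
            target = resolve_target(dest_dir, name)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_sample_zip(path):
    """Constructed sample collection: one plain member and one whose name
    carries U+2310, the character from the reported traceback."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("C/Windows/System32/config/SAM", b"constructed hive bytes")
        zf.writestr("C/Users/analyst/notes\u2310.txt", b"constructed note")
    return path


def demo(fs_encoding="ascii"):
    """Extract the sample under a simulated ASCII filesystem encoding and
    show that a '../' member in a second archive is refused.

    Returns (sorted relative paths written, True if zip-slip was blocked).
    """
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = build_sample_zip(os.path.join(tmp, "CASE-DEVICE.zip"))
        out_dir = os.path.join(tmp, "CASE-DEVICE")
        os.makedirs(out_dir)
        names = extract_zip(zip_path, out_dir, fs_encoding)
        for n in names:
            n.encode(fs_encoding)  # every written path is now representable
        evil = os.path.join(tmp, "evil.zip")
        with zipfile.ZipFile(evil, "w") as zf:
            zf.writestr("../../escaped.txt", b"constructed payload")
        try:
            extract_zip(evil, out_dir, fs_encoding)
            blocked = False
        except ValueError:
            blocked = True
        return sorted(names), blocked


if __name__ == "__main__":
    print(demo())
```

On a host whose Python reports a UTF-8 filesystem encoding the names pass through untouched; the percent-encoding only kicks in where the original would have raised. Setting a UTF-8 locale in the container (for example `LANG=C.UTF-8` passed to `docker run -e`) is the simpler operational workaround, on the assumption stated above that the locale is the cause.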

jhill-cmd commented 5 years ago

Just encountered the same issue with the Docker version. Didn't understand how to solve it?

user:/$ ./cdqr in:laptop out:Results_laptop -p win -z --max_cpu
Assigning CDQR to the host network
The Docker network can be changed by modifying the "DOCKER_NETWORK" environment variable
Example (default Skadi mode): export DOCKER_NETWORK=host
Example (use other Docker network): export DOCKER_NETWORK=skadi-backend
docker run  --network host  -v /home/user/tools/laptop/:/home/user/tools/laptop/ -v /home/user/tools/Results_laptop:/home/user/tools/Results_laptop aorlikoski/cdqr:5.0.0 -y /home/user/tools/laptop/ /home/user/tools/Results_laptop -z --max_cpu
CDQR Version: 5.0
Plaso Version: 20190331
Using parser: win
Number of cpu cores to use: 4
Destination Folder: /home/user/tools/Results_laptop
Attempting to extract source file: /home/user/tools/laptop
Unable to extract file: /home/user/tools/laptop
[Errno 21] Is a directory: '/home/user/tools/laptop'