sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Parse UsnJrnl. #325

Closed MariasStory closed 3 years ago

MariasStory commented 3 years ago

Hi, Can you please parse the UsnJrnl?

lfcnassif commented 3 years ago

Could you point to some (ideally) Java library with a compatible license for integration? If not, some command-line tool available on both Windows and Linux systems with a suitable license? The fewer dependencies the tool has, the better.

Or maybe could you contribute some code? Currently I have other priorities and have no time to implement that from scratch...

kraftdenker commented 3 years ago

I suggest a study of Volatility 's source code, which is capable of parsing this kind of data structure. https://github.com/volatilityfoundation/community/blob/master/CsabaBarta/usnjrnl.py

Happy coding.


lfcnassif commented 3 years ago

Hi @kraftdenker,

That is pure GNU GPL v2 licensed, which is incompatible with IPED license (GNU GPL v3 with linking exceptions, authors of usnjrnl.py do not allow any linking exception imho), so I think any derived code could not be integrated.

MariasStory commented 3 years ago

Hi @lfcnassif, This Autopsy plugin should have no licence problems: https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Parse_USNJ/Parse_Usnj.py

It needs to be ported from python and I am not sure how well it works.

I don't have much time to invest at the moment, but I'll keep trying to contribute.

lfcnassif commented 3 years ago

That calls parseusn.exe externally, which is ok from a license perspective. But parseusn.py (https://github.com/superponible/DFIR/blob/master/parseusn.py) is MIT licensed, which is also ok.

If anyone is willing to help, I can review the contribution.

hauck-jvsh commented 3 years ago

I can implement this feature if it's not being implemented.

lfcnassif commented 3 years ago

Great @hauck-jvsh! You can derive your code from the script I linked before, because its license is ok. Remember to assign the issue to yourself if/when you start working on it, so we avoid duplicate efforts. Thank you!

hauck-jvsh commented 3 years ago

I think I will implement it based on the presentation http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf. The format looks simple.
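For readers following the thread, here is an added example (not IPED's code and not the implementation from PR #360) of what parsing the `$UsnJrnl:$J` stream involves. It uses the public `USN_RECORD_V2` layout (60-byte fixed header followed by a UTF-16LE file name, records padded to 8 bytes) and the documented reason-flag values; the sample journal, the MFT reference numbers and the file names are constructed here, and the `summarize` helper is just one way to turn records into the per-record timeline rows discussed later in the thread.

```python
"""Parser for USN_RECORD_V2 entries in the NTFS change journal ($UsnJrnl:$J).

Added example, not IPED's code. Header layout and reason flags follow the
public USN_RECORD_V2 definition; the sample journal below is constructed.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed header: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset  -> 60 bytes
HEADER = struct.Struct("<IHHQQqqIIIIHH")
HEADER_SIZE = HEADER.size
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND", 0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE", 0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer timedelta division keeps full precision (no float rounding)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class UsnRecord:
    usn: int
    timestamp: datetime
    file_ref: int
    parent_ref: int
    reason: int
    attributes: int
    name: str

    @property
    def mft_entry(self) -> int:
        # low 48 bits = MFT entry number, high 16 bits = sequence number
        return self.file_ref & 0xFFFFFFFFFFFF

    @property
    def parent_mft_entry(self) -> int:
        return self.parent_ref & 0xFFFFFFFFFFFF

    @property
    def reasons(self) -> list:
        names = [n for bit, n in REASON_FLAGS.items() if self.reason & bit]
        known = 0
        for bit in REASON_FLAGS:
            known |= bit
        leftover = self.reason & ~known & 0xFFFFFFFF
        if leftover:
            names.append("UNKNOWN_0x%08X" % leftover)
        return names


def parse_usnjrnl(data: bytes) -> list:
    """Walk a $J buffer and return valid V2 records in offset order.

    $J is sparse: zero runs precede the live data and records are 8-byte
    aligned, so a zero RecordLength (or any record failing the sanity
    checks) just advances 8 bytes; damage cannot desynchronise the walk.
    """
    records, off, end = [], 0, len(data)
    while off + HEADER_SIZE <= end:
        if struct.unpack_from("<I", data, off)[0] == 0:
            off += 8
            continue
        (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        valid = (major == 2 and rec_len % 8 == 0 and rec_len >= HEADER_SIZE
                 and off + rec_len <= end and name_len % 2 == 0
                 and HEADER_SIZE <= name_off and name_off + name_len <= rec_len)
        if not valid:
            off += 8
            continue
        raw = data[off + name_off: off + name_off + name_len]
        records.append(UsnRecord(usn, filetime_to_datetime(ts), file_ref, parent_ref,
                                 reason, attrs, raw.decode("utf-16-le", "replace")))
        off += rec_len
    return records


def summarize(records: list) -> list:
    """One timeline row per record, the shape a per-record subitem would carry."""
    return ["%s | %s | MFT %d (parent %d) | %s" % (
        r.timestamp.isoformat(), r.name, r.mft_entry, r.parent_mft_entry,
        "|".join(r.reasons)) for r in records]


def build_record(usn, when, file_ref, parent_ref, reason, name, attrs=0x20) -> bytes:
    """Serialise one V2 record padded to the 8-byte boundary NTFS uses (constructed)."""
    name_b = name.encode("utf-16-le")
    rec_len = (HEADER_SIZE + len(name_b) + 7) & ~7
    hdr = HEADER.pack(rec_len, 2, 0, file_ref, parent_ref, usn, datetime_to_filetime(when),
                      reason, 0, 0, attrs, len(name_b), HEADER_SIZE)
    return hdr + name_b + b"\x00" * (rec_len - HEADER_SIZE - len(name_b))


T0 = datetime(2020, 11, 24, 10, 56, 0, tzinfo=timezone.utc)
DOCS_DIR = (3 << 48) | 1500     # constructed: sequence 3, MFT entry 1500
FILE_A = (5 << 48) | 40210      # constructed: sequence 5, MFT entry 40210

# Constructed $J fragment: 32-byte zero run, create, rename pair, 8 bytes of
# garbage, then the delete. USN values equal each record's byte offset, as on disk.
SAMPLE_JOURNAL = (
    b"\x00" * 32
    + build_record(32, T0, FILE_A, DOCS_DIR, 0x80000100, "report.docx")
    + build_record(120, T0 + timedelta(minutes=5), FILE_A, DOCS_DIR, 0x00001000, "report.docx")
    + build_record(208, T0 + timedelta(minutes=5), FILE_A, DOCS_DIR, 0x00002000, "report-final.docx")
    + b"\xff" * 8
    + build_record(312, T0 + timedelta(hours=1), FILE_A, DOCS_DIR, 0x80000200, "report-final.docx")
)

if __name__ == "__main__":
    for row in summarize(parse_usnjrnl(SAMPLE_JOURNAL)):
        print(row)
```

The two things worth noting for an examiner: the file reference number must be split into MFT entry and sequence number before it can be joined against `$MFT`, and the rename pair is two records (old name, then new name) sharing the same file reference, which is how a renamed file is followed through the journal.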

hauck-jvsh commented 3 years ago

Do you think that each entry on UsnJrnl should generate an item?

lfcnassif commented 3 years ago

I think it could generate a single html report with all records, and each record could also be extracted as a subitem of it, so users could correlate them with other event based information on the main table when doing a timeline analysis.

hauck-jvsh commented 3 years ago

Pull Request #360 is waiting for revision.

lfcnassif commented 3 years ago

Thanks @hauck-jvsh, will review soon.

lfcnassif commented 3 years ago

closed by #360