williballenthin / EVTXtract

EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
Apache License 2.0

error in reconstruct_lost_records.py #7

Closed gleeda closed 8 years ago

gleeda commented 9 years ago

had a small issue:

2015-06-08 15:02:25,804 WARNING root Flushing the existing template file due to exception.
2015-06-08 15:02:25,849 WARNING root Flushing the existing state file due to exception.
Traceback (most recent call last):
  File "reconstruct_lost_records.py", line 69, in main
    num_reconstructed, num_unreconstructed = reconstruct_lost_records(state, templates, progress_class=args.progress_class)
  File "reconstruct_lost_records.py", line 42, in reconstruct_lost_records
    eid = lost_record["substitutions"][3][1]
IndexError: list index out of range
Traceback (most recent call last):
  File "reconstruct_lost_records.py", line 75, in <module>
    main()
  File "reconstruct_lost_records.py", line 69, in main
    num_reconstructed, num_unreconstructed = reconstruct_lost_records(state, templates, progress_class=args.progress_class)
  File "reconstruct_lost_records.py", line 42, in reconstruct_lost_records
    eid = lost_record["substitutions"][3][1]
hiddenillusion commented 8 years ago

Ran into this as well when running against a memory dump. If I print lost_record I see substitutions is empty:

{u'record_num': 2645699865130, u'timestamp': u'1601-01-01T00:00:00.060631Z', u'substitutions': [], u'offset': 1475128368}

One workaround would be to do a simple test on lost_record.get("substitutions") prior to assigning eid.

williballenthin commented 8 years ago

I've attempted to fix this issue in a commit. Would you pull the latest code and let me know how it works? Thanks for the suggested fix!

hiddenillusion commented 8 years ago

the fix created another issue:

Traceback (most recent call last):
  File "reconstruct_lost_records.py", line 74, in main
    num_reconstructed, num_unreconstructed = reconstruct_lost_records(state, templates, progress_class=args.progress_class)
  File "reconstruct_lost_records.py", line 43, in reconstruct_lost_records
    if len(subs) < 4:
UnboundLocalError: local variable 'subs' referenced before assignment
Traceback (most recent call last):
  File "reconstruct_lost_records.py", line 80, in <module>
    main()
  File "reconstruct_lost_records.py", line 74, in main
    num_reconstructed, num_unreconstructed = reconstruct_lost_records(state, templates, progress_class=args.progress_class)
  File "reconstruct_lost_records.py", line 43, in reconstruct_lost_records
    if len(subs) < 4:
UnboundLocalError: local variable 'subs' referenced before assignment

I believe you meant to check the length of raw_subs instead of subs in https://github.com/williballenthin/EVTXtract/blob/master/reconstruct_lost_records.py#L43

If I change the code to that, it works as expected with your initial fix.
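The guard this thread converges on, written out as an added example (not EVTXtract's own code): records carved from unallocated space or memory are frequently truncated, so the EventID lookup at substitutions[3][1] has to tolerate a short or empty substitution list instead of raising. The (type, value) shape of each substitution and templates keyed by EventID are assumptions for the sake of the example.

```python
import logging

logger = logging.getLogger(__name__)

# Position of the EventID substitution and of the value within a (type, value)
# pair; both assumed to match lost_record["substitutions"][3][1] in the thread.
EID_SUB_INDEX = 3
SUB_VALUE_POS = 1


def get_event_id(lost_record):
    """Return the record's EventID, or None if the carved data is too short.

    Records carved from unallocated space or memory are often truncated, so
    the substitution list may be shorter than a template expects, or empty.
    """
    raw_subs = lost_record.get("substitutions") or []
    if len(raw_subs) <= EID_SUB_INDEX:
        return None
    sub = raw_subs[EID_SUB_INDEX]
    if len(sub) <= SUB_VALUE_POS:
        return None
    return sub[SUB_VALUE_POS]


def reconstruct_lost_records(lost_records, templates):
    """Match carved records to templates keyed by EventID (an assumption)."""
    num_reconstructed = num_unreconstructed = 0
    for lost_record in lost_records:
        eid = get_event_id(lost_record)
        if eid is None or eid not in templates:
            # Log the offset so the analyst can still inspect the raw bytes.
            logger.warning("record %s at offset %s: no usable EventID, skipping",
                           lost_record.get("record_num"), lost_record.get("offset"))
            num_unreconstructed += 1
            continue
        num_reconstructed += 1
    return num_reconstructed, num_unreconstructed


# Constructed sample input: the empty-substitutions record from the thread plus
# a well-formed record whose fourth substitution carries EventID 4624.
SAMPLE_TEMPLATES = {4624: "Security/4624"}
SAMPLE_RECORDS = [
    {"record_num": 2645699865130, "timestamp": "1601-01-01T00:00:00.060631Z",
     "substitutions": [], "offset": 1475128368},
    {"record_num": 1001, "timestamp": "2015-06-08T15:02:25Z",
     "substitutions": [(0x15, 0), (0x6, 0), (0x6, 12544), (0x6, 4624)],
     "offset": 0x10000},
]
```

Running reconstruct_lost_records(SAMPLE_RECORDS, SAMPLE_TEMPLATES) yields (1, 1): the truncated record is counted as unreconstructed and logged with its offset rather than aborting the whole run.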

williballenthin commented 8 years ago

thanks, fix committed!

gleeda commented 8 years ago

very cool, thanks!