
How do I use/troubleshoot BrowserHistory artifact collection filter? #4752

erinshore66 opened this issue Nov 4, 2023 · 6 comments
needs closer look Issue that requires further analysis by a maintainer question

@erinshore66

Describe the problem:

When I run log2timeline with the BrowserHistory artifact I don't get any results, nor do I see any error.

To Reproduce:

Plaso Version: Latest: 20230717
OS Version: Ubuntu 22.04.3 LTS (fresh install)
Source data: base-rd-04-cdrive.E01 from FOR508
Installation Method: I installed plaso with the recommendations of the official documentation (add universe; add ppa; and apt install plaso-tools).

Steps to reproduce:

Run log2timeline with the BrowserHistory artifact on the base-rd-04 image from FOR508 with this command:

Command output:

$ log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file hist.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01

2023-11-04 10:37:27,516 [INFO] (MainProcess) PID:24890 <data_location> Determined data location: /usr/share/plaso
2023-11-04 10:37:27,526 [INFO] (MainProcess) PID:24890 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OPTIONAL]      unable to determine version information for: flor
[OK]
Source path             : /mnt/hgfs/imgs/base-rd-04-cdrive.E01
Source type             : storage media image
Artifact filters        : BrowserHistory
Processing time         : 00:00:00

Processing started.

Log Output:

2023-11-04 10:37:29,290 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Starting preprocessing.
2023-11-04 10:37:29,325 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: DetermineOperatingSystemPlugin with artifact definition: N/A
2023-11-04 10:37:29,700 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxHostnamePlugin with artifact definition: LinuxHostnameFile
2023-11-04 10:37:29,705 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxDistributionPlugin with artifact definition: LinuxDistributionRelease
2023-11-04 10:37:29,730 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxIssueFilePlugin with artifact definition: LinuxIssueFile
2023-11-04 10:37:29,739 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxStandardBaseReleasePlugin with artifact definition: LinuxLSBRelease
2023-11-04 10:37:29,743 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxSystemdOperatingSystemPlugin with artifact definition: LinuxSystemdOSRelease
2023-11-04 10:37:29,751 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxTimeZonePlugin with artifact definition: LinuxLocalTime
2023-11-04 10:37:29,756 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: LinuxUserAccountsPlugin with artifact definition: LinuxPasswdFile
2023-11-04 10:37:29,760 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSHostnamePlugin with artifact definition: MacOSSystemConfigurationPreferencesPlistFile
2023-11-04 10:37:29,765 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSKeyboardLayoutPlugin with artifact definition: MacOSKeyboardLayoutPlistFile
2023-11-04 10:37:29,769 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSSystemVersionPlugin with artifact definition: MacOSSystemVersionPlistFile
2023-11-04 10:37:29,774 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSTimeZonePlugin with artifact definition: MacOSLocalTime
2023-11-04 10:37:29,783 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: MacOSUserAccountsPlugin with artifact definition: MacOSUserPasswordHashesPlistFiles
2023-11-04 10:37:29,791 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: WindowsSystemRootEnvironmentVariablePlugin with artifact definition: WindowsEnvironmentVariableSystemRoot
2023-11-04 10:37:29,795 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: systemroot to: "\Windows"
2023-11-04 10:37:29,808 [DEBUG] (MainProcess) PID:24890 <manager> Running file system preprocessor plugin: WindowsWinDirEnvironmentVariablePlugin with artifact definition: WindowsEnvironmentVariableWinDir
2023-11-04 10:37:29,812 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: windir to: "\Windows"
2023-11-04 10:37:29,825 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsAvailableTimeZones
2023-11-04 10:37:33,058 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsCodePage
2023-11-04 10:37:33,398 [DEBUG] (MainProcess) PID:24890 <mediator> setting code page to: "cp1252"
2023-11-04 10:37:33,408 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsComputerName
2023-11-04 10:37:33,750 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsCurrentVersion
2023-11-04 10:37:34,090 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableAllUsersProfile
2023-11-04 10:37:34,437 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramData
2023-11-04 10:37:34,766 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programdata to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:34,768 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramFiles
2023-11-04 10:37:35,087 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programfiles to: "C:\Program Files"
2023-11-04 10:37:35,089 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEnvironmentVariableProgramFilesX86
2023-11-04 10:37:35,420 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: programfilesx86 to: "C:\Program Files (x86)"
2023-11-04 10:37:35,421 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEventLogPublishers
2023-11-04 10:37:38,977 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsEventLogSources
2023-11-04 10:37:41,136 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsLanguage
2023-11-04 10:37:41,479 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsMountedDevices
2023-11-04 10:37:41,808 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsProductName
2023-11-04 10:37:42,151 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsRegistryProfiles
2023-11-04 10:37:42,486 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: systemprofile
2023-11-04 10:37:42,488 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: LocalService
2023-11-04 10:37:42,489 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: NetworkService
2023-11-04 10:37:42,491 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: Administrator.BASE-RD-04
2023-11-04 10:37:42,492 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: nromanoff
2023-11-04 10:37:42,494 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: rsydow-a
2023-11-04 10:37:42,495 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: cbarton-a
2023-11-04 10:37:42,496 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: spsql
2023-11-04 10:37:42,498 [DEBUG] (MainProcess) PID:24890 <mediator> adding user account: administrator.shieldbase
2023-11-04 10:37:42,500 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsServices
2023-11-04 10:37:45,577 [DEBUG] (MainProcess) PID:24890 <manager> Running Windows Registry preprocessor plugin: WindowsTimezone
2023-11-04 10:37:46,241 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsAllUsersAppDataKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: allusersappdata to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsAllUsersAppProfileKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <mediator> setting environment variable: allusersprofile to: "%SystemDrive%\ProgramData"
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <manager> Running knowledge base preprocessor plugin: WindowsProgramDataKnowledgeBasePlugin
2023-11-04 10:37:46,242 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Preprocessing done.
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <extraction_tool> Parser filter expression set to: binary_cookies,chrome_cache,chrome_preferences,esedb/msie_webcache,firefox_cache,java_idx,msiecf,opera_global,opera_typed_history,plist/safari_history,sqlite/chrome_17_cookies,sqlite/chrome_27_history,sqlite/chrome_66_cookies,sqlite/chrome_8_history,sqlite/chrome_autofill,sqlite/chrome_extension_activity,sqlite/firefox_10_cookies,sqlite/firefox_2_cookies,sqlite/firefox_downloads,sqlite/firefox_history,sqlite/safari_historydb
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <engine> building find specification based on artifacts: BrowserHistory
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from artifact definition: BrowserHistory
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path glob: %%users.homedir%%/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: %systemroot%\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from expanded path: \Windows\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal
2023-11-04 10:37:46,243 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "\Windows\system32\config\systemprofile/Library/Application Support/Chromium/*/History-journal"
.......
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\administrator.shieldbase\Local Settings\Application Data\Microsoft\Windows\History\Low\History.IE5\index.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path glob: %%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from expanded path: \Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\WINDOWS\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,356 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\Administrator.BASE-RD-04\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,356 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\Administrator.BASE-RD-04\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
..........
2023-11-04 10:37:46,513 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\Administrator.BASE-RD-04\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,513 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\cbarton-a\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\cbarton-a\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\spsql\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\spsql\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,514 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\administrator.shieldbase\Application Data\Apple Computer\Safari\History.plist
2023-11-04 10:37:46,514 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\administrator.shieldbase\Application Data\Apple Computer\Safari\History.plist"
2023-11-04 10:37:46,629 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> Creating socket for main_task_queue
2023-11-04 10:37:46,630 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue bound to random port 39937
2023-11-04 10:37:46,630 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue responder thread started
2023-11-04 10:37:46,631 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Starting worker process Worker_00
2023-11-04 10:37:46,739 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Starting worker process Worker_01
2023-11-04 10:37:48,588 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Task scheduler started
2023-11-04 10:37:48,588 [DEBUG] (MainProcess) PID:24890 <task_manager> Checking for pending tasks
2023-11-04 10:37:48,589 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Task scheduler stopped
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Stopping extraction processes.
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Stopped monitoring process: Worker_00 (PID: 24894)
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Stopped monitoring process: Worker_01 (PID: 24898)
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Emptying task queue.
2023-11-04 10:37:48,872 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_00 (PID: 24894).
2023-11-04 10:37:48,873 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sending item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sent item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sending item
2023-11-04 10:37:48,874 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue sent item
2023-11-04 10:37:53,881 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_01 (PID: 24898).
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_01 (PID: 24898) stopped.
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> main_task_queue queue closing, will linger for up to 0 seconds
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_00 (PID: 24894).
2023-11-04 10:37:54,385 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_00 (PID: 24894) stopped.
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <engine> Waiting for process: Worker_01 (PID: 24898).
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <engine> Process Worker_01 (PID: 24898) stopped.
2023-11-04 10:37:54,386 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> [main_task_queue] Waiting for thread to exit.
2023-11-04 10:37:54,877 [INFO] (MainProcess) PID:24890 <zeromq_queue> Queue main_task_queue responder exiting.
2023-11-04 10:37:54,877 [DEBUG] (MainProcess) PID:24890 <zeromq_queue> [main_task_queue] Waiting for thread to exit.
2023-11-04 10:37:54,877 [DEBUG] (MainProcess) PID:24890 <extraction_engine> Processing completed.

Then I ran psort this way and no results were found:

$ psort.py -o l2tcsv -w history.csv hist.db
2023-11-04 11:08:00,815 [INFO] (MainProcess) PID:24931 <data_location> Determined data location: /usr/share/plaso
WARNING: the output format: l2tcsv has significant limitations such as second-
only date and time values and/or a limited predefined set of output fields. It
is strongly recommend to use an alternative output format like: dynamic.

Waiting for 15 second to give you time to cancel.
plaso - psort version 20230717

Storage file            : hist.db
Processing time         : 00:00:00
$ cat history.csv
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra

The same happens if I run with docker.

Expected Behavior
Get browser history from an image

@joachimmetz
Member

  • what format is hist.db?
  • is log2timeline.py able to determine the variables used in the artifact definition?

@joachimmetz joachimmetz changed the title from "Problems with BrowserHistory" to "How do I use/troubleshoot BrowserHistory artifact collection filter?" on Nov 4, 2023
@erinshore66
Author

erinshore66 commented Nov 4, 2023

  • what format is hist.db?
    sqlite -- 20230327
$ pinfo.py hist.db

************************** Plaso Storage Information ***************************
            Filename : hist.db
      Format version : 20230327
Serialization format : json
  • is log2timeline.py able to determine the variables used in the artifact definition?
    I don't know how to answer this. I don't think so. It happens with all %%users.*%% variables.
    For example: WindowsUserRegistryFiles

@joachimmetz
Member

I don't know how to answer this. I don't think so. It happens with all %%users.*%% variables.

what do the debug logs tell you, or the user accounts in the hist.db database?

Also see: https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html

@erinshore66
Author

First of all, thank you very much for your help.

what do the debug logs tell you, or the user accounts in the hist.db database?

The hist.db doesn't have any events:

$ pinfo.py hist.db
************************** Plaso Storage Information ***************************
            Filename : hist.db
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------
*********************************** Sessions ***********************************
d962f0e8-627f-44dc-9436-9803034faf74 : 2023-11-04T10:37:28.546754+00:00
--------------------------------------------------------------------------------
******************************** Event sources *********************************
Total : 0
--------------------------------------------------------------------------------
No events stored.
No events labels stored.
No warnings stored.
No analysis reports stored.

I see in the logs lines like these:

2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
2023-11-04 10:37:46,357 [DEBUG] (MainProcess) PID:24890 <artifact_filters> building find spec from path: C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
2023-11-04 10:37:46,357 [WARNING] (MainProcess) PID:24890 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\rsydow-a\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"

I have been testing, and if I change the %%users.*%% variables in the artifact definitions to the corresponding \Users\*\AppData.... paths, it works.
I have changed the InternetExplorerHistory paths (ONLY InternetExplorerHistory) in /usr/share/artifacts/webbrowser.yaml:

Snippet:

....
    - '%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat'
To:
    - '\Users\*\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat'

Then I ran log2timeline again with the BrowserHistory artifact:

$ log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file history.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01

This way the warnings disappear and I get the Internet Explorer history:

$ pinfo.py history.db

************************** Plaso Storage Information ***************************
            Filename : history.db
      Format version : 20230327
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
f87fe762-2b36-47a3-824e-f40ee8cc2d32 : 2023-11-04T19:01:55.014016+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 4
--------------------------------------------------------------------------------

************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
       msie_webcache : 2995
               Total : 2995
--------------------------------------------------------------------------------

No events labels stored.

******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
 esedb/msie_webcache : 6
--------------------------------------------------------------------------------

************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
                 3 : type: OS, location: /mnt/hgfs/imgs/base-rd-04-cdrive.E01
                   : type: EWF
                   : type: NTFS, location:
                     \Users\administrator.shieldbase\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat,
                     MFT attribute: 2, MFT entry: 6867
                 3 : type: OS, location: /mnt/hgfs/imgs/base-rd-04-cdrive.E01
                   : type: EWF
                   : type: NTFS, location:
                     \Users\nromanoff\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat,
                     MFT attribute: 2, MFT entry: 12178
--------------------------------------------------------------------------------

No analysis reports stored.

Should I change all %%users.*%% variables in the artifact YAML files and set absolute paths, avoiding these user variables?
Or use custom artifacts?

Thank you very much again.

@joachimmetz joachimmetz self-assigned this Nov 6, 2023
@joachimmetz joachimmetz added the needs closer look Issue that requires further analysis by a maintainer label Nov 6, 2023
@joachimmetz
Member

I'll have a closer look when time permits.

@erinshore66
Author

erinshore66 commented Feb 11, 2024

Hi again!
I have been testing the new version to see if this behavior with user variables persists, and I have confirmed that it does.

I have been debugging the _BuildFindSpecsFromFileSourcePath function in the artifact_filters.py file, with two artifact filters that are a clear example of the observed behavior:

  • WindowsSystemRegistryFiles
  • WindowsUserRegistryFiles

The function is:

  def _BuildFindSpecsFromFileSourcePath(
      self, source_path, path_separator, environment_variables, user_accounts):
    """Builds find specifications from a file source type.

    Args:
      source_path (str): file system path defined by the source.
      path_separator (str): file system path segment separator.
      environment_variables (list[EnvironmentVariableArtifact]):
          environment variables.
      user_accounts (list[UserAccountArtifact]): user accounts.

    Returns:
      list[dfvfs.FindSpec]: find specifications for the file source type.
    """
    find_specs = []
    for path_glob in path_helper.PathHelper.ExpandGlobStars(
        source_path, path_separator):
      logger.debug('building find spec from path glob: {0:s}'.format(
          path_glob))

      for path in path_helper.PathHelper.ExpandUsersVariablePath(
          path_glob, path_separator, user_accounts):
        logger.debug('building find spec from path: {0:s}'.format(path))

        if '%' in path:
          path = path_helper.PathHelper.ExpandWindowsPath(
              path, environment_variables)
          logger.debug('building find spec from expanded path: {0:s}'.format(
              path))

        if not path.startswith(path_separator):
          logger.warning((
              'The path filter must be defined as an absolute path: '
              '"{0:s}"').format(path))
          continue

        try:
          find_spec = dfvfs_file_system_searcher.FindSpec(
              case_sensitive=False, location_glob=path,
              location_separator=path_separator)
        except ValueError as exception:
          logger.error((
              'Unable to build find specification for path: "{0:s}" with '
              'error: {1!s}').format(path, exception))
          continue

        find_specs.append(find_spec)

    return find_specs

The WindowsSystemRegistryFiles filter does everything as expected.
System variables like %%environ_systemroot%% are translated correctly, and the _BuildFindSpecsFromFileSourcePath function gets the correct path this way:

2024-02-11 12:40:43,680 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from path glob: %%environ_systemroot%%\System32\config\SYSTEM
2024-02-11 12:40:43,681 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from path: %%environ_systemroot%%\System32\config\SYSTEM
2024-02-11 12:40:43,681 [DEBUG] (MainProcess) PID:84266 <artifact_filters> building find spec from expanded path: \Windows\System32\config\SYSTEM

The returned path starts with "\", so execution continues and the right path is obtained.

With WindowsUserRegistryFiles and the user variables %%users.*%%, the returned path starts with "C:" and not with the path_separator "\", so it enters this if:

        if not path.startswith(path_separator):
          logger.warning((
              'The path filter must be defined as an absolute path: '
              '"{0:s}"').format(path))
          continue

And it emits the warning we can see in the logs:

2024-02-11 12:44:50,602 [DEBUG] (MainProcess) PID:84295 <artifact_filters> building find spec from path: C:\Users\nromanoff\NTUSER.DAT
2024-02-11 12:44:50,602 [WARNING] (MainProcess) PID:84295 <artifact_filters> The path filter must be defined as an absolute path: "C:\Users\nromanoff\NTUSER.DAT"

And it is never saved in the find_spec variable because of the continue statement in the previous if:

        try:
          find_spec = dfvfs_file_system_searcher.FindSpec(
              case_sensitive=False, location_glob=path,
              location_separator=path_separator)

Now we add a new if to remove the "C:" string from the returned path:

        if path.startswith("C:"):
          path = path[2:]
          logger.debug(('ROBI REMOVES STRING C: '
              '"{0:s}"').format(path))

This time the path starts with the expected path_separator "\" and execution continues:

2024-02-11 13:02:28,607 [DEBUG] (MainProcess) PID:84369 <artifact_filters> building find spec from path: C:\Users\nromanoff\NTUSER.DAT
2024-02-11 13:02:28,607 [DEBUG] (MainProcess) PID:84369 <artifact_filters> ROBI REMOVES STRING C: "\Users\nromanoff\NTUSER.DAT"

And it works! Let's try the original command that I opened this issue with. If I run BrowserHistory again, it works perfectly:

log2timeline.py -d --parsers webhist --artifact_filters BrowserHistory --vss_store=none --storage_file hist.db /mnt/hgfs/imgs/base-rd-04-cdrive.E01
psort.py -o l2tcsv -w hist.csv hist.db

I get back what I expected:

.....
12/05/2018,14:50:11,UTC,....,WEBHIST,MSIE WebCache container record,Expiration Time,-,BASE-RD-04,URL: Visited: spsql@https://login.live.com/oauth20_authorize.srf?client_id=00...,URL: ........
12/10/2018,01:54:52,UTC,....,WEBHIST,MSIE WebCache container record,Expiration Time,-,BASE-RD-04,URL: Visited: nromanoff@https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=...,URL: Visit..
.....

I don't know if this change may have an impact on other Plaso capabilities. I am not a Python expert.
I hope this can help. Thank you very much.
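To make the path handling discussed in this thread concrete (the YAML edit earlier and the "C:" check above), here is an added, stand-alone Python model of the expansion and absolute-path check in _BuildFindSpecsFromFileSourcePath; it is not Plaso's own code. The user directory values and the %%users.*%% suffix mapping are assumptions modelled on the debug log, and the drive-letter stripping generalises the "C:" workaround to any drive letter.

```python
import re

# Constructed user accounts, modelled on the accounts the debug log above
# lists. The user directory values are an assumption: Plaso takes them from
# each profile's registry ProfileImagePath, which carries a drive letter for
# ordinary users but an environment variable for the system profile.
USER_ACCOUNTS = {
    'systemprofile': '%systemroot%\\system32\\config\\systemprofile',
    'LocalService': 'C:\\WINDOWS\\ServiceProfiles\\LocalService',
    'nromanoff': 'C:\\Users\\nromanoff',
    'rsydow-a': 'C:\\Users\\rsydow-a',
}

# Environment variables as the preprocessor set them in the log ("\Windows").
ENVIRONMENT_VARIABLES = {'systemroot': '\\Windows'}

# Assumed mapping of %%users.*%% variables onto the user directory.
USERS_VARIABLE_SUFFIXES = {
    '%%users.homedir%%': '',
    '%%users.localappdata%%': '\\AppData\\Local',
    '%%users.appdata%%': '\\AppData\\Roaming',
}

_DRIVE_LETTER = re.compile(r'^[A-Za-z]:')
# Matches both %name% and %%environ_name%% references.
_ENVIRON_REF = re.compile(r'%%environ_([A-Za-z_]+)%%|%([A-Za-z_]+)%')


def expand_users_variable(path_glob, user_accounts):
    """Return one path per user account for a %%users.*%% glob, else the glob itself."""
    for variable, suffix in USERS_VARIABLE_SUFFIXES.items():
        if path_glob.startswith(variable):
            rest = path_glob[len(variable):]
            return [user_dir + suffix + rest for user_dir in user_accounts.values()]
    return [path_glob]


def expand_windows_path(path, environment_variables):
    """Replace environment variable references case-insensitively; unknown ones stay."""
    def _substitute(match):
        name = (match.group(1) or match.group(2)).lower()
        return environment_variables.get(name, match.group(0))
    return _ENVIRON_REF.sub(_substitute, path)


def build_find_spec_paths(source_path, user_accounts, environment_variables,
                          strip_drive_letter=False, path_separator='\\'):
    """Mirror the path handling of _BuildFindSpecsFromFileSourcePath.

    With strip_drive_letter=False this reproduces the shipped check: a path that
    does not start with path_separator is rejected. With True, a leading drive
    letter is removed first (any letter, not only "C:"), the generalised form
    of the workaround in the comment above.

    Returns (accepted_paths, rejected_paths).
    """
    accepted, rejected = [], []
    for path in expand_users_variable(source_path, user_accounts):
        if '%' in path:
            path = expand_windows_path(path, environment_variables)
        if strip_drive_letter:
            path = _DRIVE_LETTER.sub('', path, count=1)
        if not path.startswith(path_separator):
            # This is the branch that logs "must be defined as an absolute path".
            rejected.append(path)
            continue
        accepted.append(path)
    return accepted, rejected


if __name__ == '__main__':
    source = '%%users.localappdata%%\\Microsoft\\Windows\\WebCache\\WebCacheV*.dat'
    for strip in (False, True):
        ok, bad = build_find_spec_paths(
            source, USER_ACCOUNTS, ENVIRONMENT_VARIABLES, strip_drive_letter=strip)
        print('strip_drive_letter={0}: {1} accepted, {2} rejected'.format(
            strip, len(ok), len(bad)))
        for path in bad:
            print('  rejected: ' + path)
```

Run as written, only the systemprofile path (expanded through %systemroot%) survives the strict check, which matches the log; with strip_drive_letter=True all four user paths are accepted.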
