Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug in the artifact filter (using groups) #2291

Closed
kiddinn opened this issue Dec 28, 2018 · 8 comments
Closed

Bug in the artifact filter (using groups) #2291

kiddinn opened this issue Dec 28, 2018 · 8 comments
Assignees
@Onager
Milestone
2019 March Release

Comments

@kiddinn
Copy link
Member

kiddinn commented Dec 28, 2018

Description of problem:

Tried to extract only browser history from an image using the artifact group filters.... instead of ending up with a plaso file filled with browser history I got an error and the tool died before producing any output.

Command line and arguments:

(using the XP tdungan image from SANS as an example)

$ log2timeline.py --artifact_filters BrowserHistory hist.plaso xp-tdungan-c-drive.E01

2018-12-28 02:41:07,407 [INFO] (MainProcess) PID:224349 <data_location> Determined data location: /usr/lib/python2.7/dist-packages
2018-12-28 02:41:07,407 [INFO] (MainProcess) PID:224349 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
2018-12-28 02:41:08,863 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.userprofile%%\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat"
2018-12-28 02:41:08,863 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\WebCache\WebCacheV*.dat"
2018-12-28 02:41:08,863 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Microsoft\Windows\IEDownloadHistory\index.dat"
2018-12-28 02:41:08,863 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat"
2018-12-28 02:41:08,863 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\History\History.IE5\index.dat"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\*\index.dat"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\History\History.IE5\*\index.dat"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\History\Low\History.IE5\index.dat"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Chromium\User Data\*\History"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome\User Data\*\Archived History"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome SxS\User Data\*\History"
2018-12-28 02:41:08,864 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Chromium\User Data\*\Archived History"
2018-12-28 02:41:08,865 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome\User Data\*\History"
2018-12-28 02:41:08,865 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Apple Computer\Safari\History.plist"
2018-12-28 02:41:08,865 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Apple Computer\Safari\History.plist"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Apple Computer\Safari\Downloads.plist"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Apple Computer\Safari\Downloads.plist"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Opera Software\Opera Stable\History"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Opera\Opera\global_history.dat"
2018-12-28 02:41:08,866 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Chromium\User Data\*\History"
2018-12-28 02:41:08,867 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome\User Data\*\Archived History"
2018-12-28 02:41:08,867 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome SxS\User Data\*\Archived History"
2018-12-28 02:41:08,867 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome SxS\User Data\*\History"
2018-12-28 02:41:08,867 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Chromium\User Data\*\Archived History"
2018-12-28 02:41:08,867 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Google\Chrome\User Data\*\History"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Apple Computer\Safari\History.plist"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Apple Computer\Safari\History.plist"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Mozilla\Firefox\Profiles\*\places.sqlite"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Mozilla\Firefox\Profiles\*\places.sqlite"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.localappdata%%\Apple Computer\Safari\Downloads.plist"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Apple Computer\Safari\Downloads.plist"
2018-12-28 02:41:08,868 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Opera Software\Opera Stable\History"
2018-12-28 02:41:08,869 [WARNING] (MainProcess) PID:224349 <artifact_filters> The path filter must be defined as an absolute path: "%%users.appdata%%\Opera\Opera\global_history.dat"
Checking availability and versions of dependencies.
[OK]
Source path     : <REDACTED>/xp-tdungan-c-drive.E01
Source type     : single file
Artifact filters        : [u'BrowserHistory']
Processing time : 00:00:00

Processing started.
Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 68, in <module>
    if not Main():
  File "/usr/bin/log2timeline.py", line 54, in Main
    tool.ExtractEventsFromSources()
  File "/usr/lib/python2.7/dist-packages/plaso/cli/log2timeline_tool.py", line 426, in ExtractEventsFromSources
    self._filter_file)
  File "/usr/lib/python2.7/dist-packages/plaso/engine/engine.py", line 333, in BuildFilterFindSpecs
    'Error processing filters, no valid specifications built.')
RuntimeError: Error processing filters, no valid specifications built.
Please provide the command with arguments you ran when you experienced
the problem.

Source data:

The XP tdungan image provided by SANS for the 508 class.

Plaso version:

Latest released version (not head)... 20181219

Operating system Plaso is running on:

Linux, good ol' fashion Debian GNU/Linux

Installation method:

Using apt-get from GIFT PPA
@jnettesheim
Copy link
Contributor

I'll take a look at this one.

@jnettesheim jnettesheim self-assigned this Jan 5, 2019
@Onager Onager added this to the 2019 January Release milestone Jan 17, 2019
@Onager
Copy link
Contributor

Onager commented Jan 21, 2019

I'm taking a look at this as well.

@Onager Onager self-assigned this Jan 21, 2019
@Onager
Copy link
Contributor

Onager commented Jan 23, 2019

self._artifacts is modifying while iterating over it here:

plaso/plaso/engine/artifact_filters.py

Line 126 in e7fcf76

self._artifacts.remove(name)

and here:

plaso/plaso/engine/artifact_filters.py

Line 128 in e7fcf76

self._artifacts.append(name_entry)

Which is one part of the problem.

Also, lists are converted to sets in artifact_filters.py, so the processing order is non-deterministic.

Onager added a commit to Onager/plaso that referenced this issue Jan 25, 2019
@Onager
Refactored artifact group support log2timeline#2291
59e7cbc
Onager added a commit to Onager/plaso that referenced this issue Jan 27, 2019
@Onager
Refactored artifact group support log2timeline#2291
a78a03d
Onager added a commit to Onager/plaso that referenced this issue Jan 27, 2019
@Onager
Refactored artifact group support log2timeline#2291
f0de756
@Onager
Copy link
Contributor

Onager commented Jan 27, 2019

Unfortunately, BrowserHistory on Windows relies on Plaso being able to expand the %%users.appdata%% variable, which it currently can't do. This in turn relies on dfwinreg supporting the HKEY_USERS key: which is also a work in progress.

#2310 will clean up the error message, and address some other issues in artifact group support, but not completely resolve this issue.

joachimmetz pushed a commit that referenced this issue Jan 28, 2019
@Onager @joachimmetz
Clean up and improvements to artifact group support #2291 #2016 #2017 (
0e96ae8 
…#2310)
@joachimmetz
Copy link
Member

@Onager I assume this issue has been addressed, reopen if not the case

@Onager
Copy link
Contributor

Onager commented Feb 1, 2019

Still not addressed, log2timeline/dfwinreg#73 is blocking full resolution of this.

@Onager Onager reopened this Feb 1, 2019
@Onager Onager added the blocked Work cannot progress until another issue is resolved label Feb 1, 2019
@joachimmetz
Copy link
Member

joachimmetz commented Feb 2, 2019
edited

@Onager can you be a bit more detailed about what still needs to be addressed for the artifact groups?

For other related artifacts support issues I've created:

@joachimmetz joachimmetz removed the blocked Work cannot progress until another issue is resolved label Feb 2, 2019
@Onager
Copy link
Contributor

Onager commented Mar 31, 2019

This looks to be resolved now that the other artifacts changes are merged.

@Onager Onager closed this as completed Mar 31, 2019
joachimmetz pushed a commit that referenced this issue Jun 28, 2019
@Onager @joachimmetz
Clean up and improvements to artifact group support #2291 #2016 #2017 (
e0e6b7e 
…#2310)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Onager Onager

Labels
None yet
Projects
None yet
Milestone
2019 March Release
Development

No branches or pull requests
4 participants
@Onager @jnettesheim @joachimmetz @kiddinn