timeliner.Timeliner body file is incompatible with log2timeline #542

Closed
BeanBagKing opened this issue Jul 26, 2021 · 2 comments · Fixed by #623
BeanBagKing commented Jul 26, 2021

Describe the bug
The body file created by the timeliner.Timeliner Volatility3 plugin is incompatible with Plaso's "log2timeline.py --parsers="mactime"". This parser seems to expect all (or at least most) columns to have data in them.

Context
Volatility Version: 1.0.1
Operating System: Ubuntu 20.04 (WSL2)
Python Version: Python 3.8.10
Suspected Operating System: Windows 10
Command: python3 vol.py -f physical-memory.img timeliner.Timeliner --create-bodyfile

To Reproduce
Steps to reproduce the behavior:

  1. Dump memory and disk (e.g. raw or e01) from a system
  2. Use vol.py to create a body file with the memory, e.g. "python3 vol.py -f physical-memory.img timeliner.Timeliner --create-bodyfile"
  3. Use log2timeline.py to create a plaso file, e.g. "log2timeline.py plaso.dump diskimage.raw"
  4. Note the total number of events (not event sources) in the plaso.dump file, "pinfo.py plaso.dump"
  5. Attempt to combine the plaso.dump file and the volatility body file, e.g. "log2timeline.py --parsers="mactime" plaso.dump volatility.body"
  6. Run "pinfo.py plaso.dump" again and note that the total number of events does not change.

Edit the volatility.body file and add something (such as a 0) into every empty field, e.g.

|PsList - Process: 343 services.exe (902309408234)|||||||||1627261200

becomes

0|PsList - Process: 343 services.exe (902309408234)|0|0|0|0|0|0|0|0|1627261200

and attempt lines 4-6 in the steps to reproduce above. Note that this time the total events increases as expected.

Expected behavior
The plaso.dump total events increases by the number of events in the volatility body file.

Screenshots
n/a

Additional information
I'm not aware of any RFC/specification for what columns are required and which are optional in the body file. However, the example provided by Sleuthkit (albeit v2) does have all fields completed with some form of apparent placeholder in "empty" fields (note the 0 in the MD5 column here: https://wiki.sleuthkit.org/index.php?title=Body_file)

With that in mind, I'm not positive if Volatility3 is violating any specification by not including mandatory rows, or if log2timeline is not following specification by refusing to ingest body files that don't contain optional rows. Based on what I can find though, I think it would be best if Volatility adjusted their output.

ikelos (Member) commented Jul 26, 2021

Thanks, I'll let our resident bodyfile expert make the call on this one. 5:) @gleeda , over to you...

kevthehermit (Contributor) commented

Can confirm that the output is not compatible with log2timeline with 0 events being detected

plaso - log2timeline version 20211229

Source path		: /home/thehermit/volatility.body
Source type		: single file
Processing time		: 00:00:00

Identifier      PID     Status          Memory          Sources         Events          File
Main            213325  running         92.4 MiB        0 (0)           0 (0)           OS: /home/thehermit/volatility.body

Modified timeliner.py to pad with 0 values instead of being blank and events are now detected

plaso - log2timeline version 20211229

Source path		:/home/thehermit/volatility.body
Source type		: single file
Processing time		: 00:00:03

Identifier      PID     Status          Memory          Sources         Events          File
Main            213717  completed       126.8 MiB       1 (0)           48661 (8578)    OS:/home/thehermit/volatility.body

Processing completed.
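As an added example for this issue (not code from Volatility3 or Plaso, and not the timeliner.py change kevthehermit describes), the script below applies the padding shown in the reproduction steps and confirmed in the comment above to a whole body file. It splits each line on `|` into the 11 Sleuthkit body-file columns (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, per the wiki page linked in the issue), writes a 0 into every empty column except the name, flags lines whose column count is not 11 (for instance a description that itself contains a `|`), and counts the populated timestamps before and after so the padding can be checked against the growth in pinfo.py's event count. The sample lines embedded in it are constructed for this example; the function and constant names are the example's own.

```python
"""Pad a Volatility3 timeliner body file so that empty columns read "0".

Added example for this issue, not code from Volatility3 or Plaso. It assumes
the 11-column Sleuthkit body-file layout (MD5|name|inode|mode_as_string|UID|
GID|size|atime|mtime|ctime|crtime); column names follow the Sleuthkit wiki
page linked in the issue. Function and constant names are this example's own.
"""
import sys

BODY_COLUMNS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
                "atime", "mtime", "ctime", "crtime")
TIME_COLUMNS = ("atime", "mtime", "ctime", "crtime")

# Constructed sample input. Line 1 mirrors the shape of the line quoted in the
# issue (empty MD5, nine empty columns, one populated timestamp); line 2 carries
# its timestamp in a different column; line 3 has the wrong number of columns
# and exercises the validation path.
SAMPLE_BODY = (
    "|PsList - Process: 343 services.exe (902309408234)|||||||||1627261200\n"
    "|PsList - Process: 4 System (12345)||||||1627261100|||\n"
    "PsList - Process: 1 unparsable|because|it|has|too|few|columns\n"
)


def parse_body_line(line):
    """Split one body-file line into a dict keyed by column name.

    Returns None when the pipe count does not give exactly 11 columns, which
    is what happens if a description itself contains a '|'.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != len(BODY_COLUMNS):
        return None
    return dict(zip(BODY_COLUMNS, fields))


def pad_record(record, placeholder="0"):
    """Write the placeholder into every empty column except the name."""
    return {col: (placeholder if val == "" and col != "name" else val)
            for col, val in record.items()}


def format_body_line(record):
    """Serialise a record back into a pipe-separated body-file line."""
    return "|".join(record[col] for col in BODY_COLUMNS)


def pad_body(text, placeholder="0"):
    """Pad every well-formed line; return (padded_lines, skipped_lines)."""
    padded, skipped = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        record = parse_body_line(raw)
        if record is None:
            skipped.append(raw)
            continue
        padded.append(format_body_line(pad_record(record, placeholder)))
    return padded, skipped


def populated_timestamps(lines):
    """Count time columns that are neither empty nor "0".

    Padding must not change this number; it is the figure to compare against
    the growth in pinfo.py's event count after ingesting the file (a sanity
    check on the padding step, not a statement of how Plaso counts events).
    """
    total = 0
    for line in lines:
        record = parse_body_line(line)
        if record is not None:
            total += sum(1 for col in TIME_COLUMNS
                         if record[col] not in ("", "0"))
    return total


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} volatility.body padded.body", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as src:
        original = src.read()
    padded, skipped = pad_body(original)
    with open(argv[2], "w", encoding="utf-8") as dst:
        dst.write("\n".join(padded) + "\n")
    before = populated_timestamps(original.splitlines())
    after = populated_timestamps(padded)
    print(f"{len(padded)} lines written, {len(skipped)} skipped, "
          f"{after} timestamps (was {before})", file=sys.stderr)
    for line in skipped:
        print("skipped (column count != 11):", line, file=sys.stderr)
    return 0 if not skipped else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 pad_body.py volatility.body padded.body` and feed `padded.body` to `log2timeline.py --parsers="mactime"`; a non-zero exit means at least one line was skipped and should be inspected by hand rather than silently dropped from the timeline.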

4 participants