An error and a path change

[odinian]

Hello, first off thanks for this code.
On my Mac (BigSur, OneDrive for Business), the path to the logs file is
~/Library/Containers/com.microsoft.OneDrive-mac/Data/Library/Logs
You might want to note that in the readme.

I copied the Logs/Business1 folder to the desktop and renamed it testing and ran
python3 odl.py -o ~/Desktop/odl_output.csv ~/Desktop/testing

and I get this:

Traceback (most recent call last):
  File "odl.py", line 50, in <module>
    from construct import *
ModuleNotFoundError: No module named 'construct'

Any ideas?

[odinian]

Oops, I installed
construct
Crypto

but even after installing Crypto, I get

Successfully installed Crypto-1.4.1 Naked-0.1.32 certifi-2022.9.24 charset-normalizer-2.1.1 idna-3.4 pyyaml-6.0 requests-2.28.1 shellescape-3.8.1 urllib3-1.26.12
WARNING: You are using pip version 20.2.3; however, version 22.3.1 is available.
You should consider upgrading via the '/Applications/Xcode.app/Contents/Developer/usr/bin/python3 -m pip install --upgrade pip' command.
allan OneDrive % python3 odl.py -o ~/Desktop/odl_output.csv ~/Desktop/testing
Traceback (most recent call last):
  File "odl.py", line 52, in <module>
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'

allan@ OneDrive % pip3 install Crypto                                    
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: Crypto in /Users/allan/Library/Python/3.8/lib/python/site-packages (1.4.1)
Requirement already satisfied: shellescape in /Users/allan/Library/Python/3.8/lib/python/site-packages (from Crypto) (3.8.1)
Requirement already satisfied: Naked in /Users/allan/Library/Python/3.8/lib/python/site-packages (from Crypto) (0.1.32)
Requirement already satisfied: requests in /Users/allan/Library/Python/3.8/lib/python/site-packages (from Naked->Crypto) (2.28.1)
Requirement already satisfied: pyyaml in /Users/allan/Library/Python/3.8/lib/python/site-packages (from Naked->Crypto) (6.0)
Requirement already satisfied: charset-normalizer<3,>=2 in /Users/allan/Library/Python/3.8/lib/python/site-packages (from requests->Naked->Crypto) (2.1.1)
Requirement already satisfied: idna<4,>=2.5 in /Users/allan/Library/Python/3.8/lib/python/site-packages (from requests->Naked->Crypto) (3.4)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /Users/allan/Library/Python/3.8/lib/python/site-packages (from requests->Naked->Crypto) (1.26.12)
Requirement already satisfied: certifi>=2017.4.17 in /Users/allan/Library/Python/3.8/lib/python/site-packages (from requests->Naked->Crypto) (2022.9.24)

Could this be a capitalization issue? I believe the module on disk is all lowercase

I also uninstalled Crypto and installed it with sudo. same error.

[ydkhatri]

Hmm, try installing a virtual environment (venv).

…

On Sat, Nov 12, 2022, 2:30 AM odinian ***@***.***> wrote: Oops, I installed construct Crypto but even after installing Crypto, I get Successfully installed Crypto-1.4.1 Naked-0.1.32 certifi-2022.9.24 charset-normalizer-2.1.1 idna-3.4 pyyaml-6.0 requests-2.28.1 shellescape-3.8.1 urllib3-1.26.12 WARNING: You are using pip version 20.2.3; however, version 22.3.1 is available. You should consider upgrading via the '/Applications/Xcode.app/Contents/Developer/usr/bin/python3 -m pip install --upgrade pip' command. ***@***.*** OneDrive % python3 odl.py -o ~/Desktop/odl_output.csv ~/Desktop/testing Traceback (most recent call last): File "odl.py", line 52, in <module> from Crypto.Cipher import AES ModuleNotFoundError: No module named 'Crypto' — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADFCHUF5NAXTSXGHDK5QFHDWHZRAZANCNFSM6AAAAAAR5WJGMM> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ydkhatri]

Hmm, try installing a virtual environment (venv).

On macOS, you can do this as shown below.

% ls
LICENSE		README.md	odl.py

% python3 -m venv env
% cd env
% source bin/activate
env % pip install construct pycryptodome
Collecting construct
  Downloading construct-2.10.68.tar.gz (57 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 57.9/57.9 KB 1.6 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting pycryptodome
  Downloading pycryptodome-3.15.0-cp35-abi3-macosx_10_9_x86_64.whl (1.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.6/1.6 MB 5.8 MB/s eta 0:00:00
...snipped...

env % python3 ../odl.py -h
usage: odl.py [-h] [-o OUTPUT_PATH] [-s OBFUSCATIONSTRINGMAP_PATH] [-k] [-d] odl_folder

OneDrive Log (ODL) reader

positional arguments:
  odl_folder            Path to folder with .odl files

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_PATH, --output_path OUTPUT_PATH
                        Output file name and path
  -s OBFUSCATIONSTRINGMAP_PATH, --obfuscationstringmap_path OBFUSCATIONSTRINGMAP_PATH
                        Path to ObfuscationStringMap.txt (if not in odl_folder)
  -k, --all_key_values  For repeated keys in ObfuscationMap, get all values | delimited (off by default)
  -d, --all_data        Show all data (off by default)

(c) 2021 Yogesh Khatri,  @swiftforensics
This script will read OneDrive sync logs. These logs are produced by OneDrive, 
and are stored in a binary format having the extensions .odl .odlgz .oldsent .aold

Sometimes the ObfuscationMap stores old and new values of Keys. By default, only 
the latest value is fetched. Use -k option to get all possible values (values will 
be | delimited). 

By default, irrelevant functions and/or those with empty parameters are not displayed.
This can be toggled with the -d option.

[odinian]

pip3 install construct pycryptodome

seemed to be the issue. Once I ran that, the script worked.