libyal / libscca Goto Github PK

Hy,

I think the implementation of the SCCA 2008 hash algorithm like it is described in the documentation (section 5.3) doesn't work as expected. I tested the function with the path of the cmd.exe. The System is a Windows 10 Pro (Build 19041) machine.

• path of the cmd.exe: C:\Windows\System32\cmd.exe
• upper-case Windows device path: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE
• hash value, determined with the algorithm like it is described in the documentation: DD237864
• hash value, described in the filename and in the prefetch file it self: 4A81B364

I think this happens because step 3 of section 5.4. isn't currently implemented.

3. Convert the string into an UTF-16 little-endian stream without a byte-order-mark or an end-of-string character (2x 0-bytes)

The ord() function used to transform a character to an integer returns the Unicode and not the UTF-16LE value of the character. This is the reason for the wrong hash value, that is returned by the function.

I change the function in the following way and it seems that it works:

def scca_2008_hash_function(filename):
    """ Calculates the prefetch hash value with the SCCA 2008 hash algorithm
    
    :param filename: upper-case Windows device path
    :type filename: str 
    """
    filename = filename.encode("UTF-16LE")
    hash_value = 314159
    filename_index = 0
    filename_length = len(filename)
    while filename_index + 8 < filename_length:
        character_value = filename[filename_index + 1] * 37
        character_value += filename[filename_index + 2]
        character_value *= 37
        character_value += filename[filename_index + 3]
        character_value *= 37
        character_value += filename[filename_index + 4]
        character_value *= 37
        character_value += filename[filename_index + 5]
        character_value *= 37
        character_value += filename[filename_index + 6]
        character_value *= 37
        character_value += filename[filename_index] * 442596621
        character_value += filename[filename_index + 7]
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
        filename_index += 8

    while filename_index < filename_length:
        hash_value = (((37 * hash_value) + filename[filename_index]) % 0x100000000)
        filename_index += 1

    return hash_value

Have a nice day.:D

How to convert VOLUME{%%} to a DOS path

• Create Python bindings
• Update README
• Update wiki

• move documentation to asciidoc
• update documentation with Windows 10 prefetch information
• update libscca with Windows 10 prefetch support
  • handle multi block compressed files (partial) - some edge cases in the huffman compression that need to be handled correctly libyal/libfwnt#3

I want to use class file_metrics().
How to use it in Python3?

class file() has open() method but class file_metrics() has not open() method.
How to analyze specific prefetch file?

If possible, please write sample code...

Greetings--

Thank you for your work on libscca - getting libscca-python uploaded to PyPI is a really nice touch.

I'm not sure if you're taking merge requests for Wiki documentation, but I took the liberty of cloning my own copy of libscca's Wiki and updating the Development.md page. It's my understanding that GitHub doesn't offer the normal 'pull' functionality for Wiki pages, which is a shame.

Anyway, my changes can be seen here

I used the PyPI repository to build pyscca locally, and would be interested in updating the building Wiki to reflect that process if you are open to assistance with the docs.

Hope this helps.

Adam

Thanks for the libraries. I have successfully used liblnk, but am running into an issue when trying to use libscca.

I can successfully call the libscca_file_initialize() function.
When I call the libscca_file_open(obj, filepath, flags, error) my program just hangs.
when i kill it with ctrl+c and then bt the gdb session, I get the following:

0x00007ffff7e9fde1 in libcdata_internal_array_clear () from /usr/lib/libewf.so.2
(gdb) bt
#0 0x00007ffff7e9fde1 in libcdata_internal_array_clear () from /usr/lib/libewf.so.2
#1 0x00007ffff7e9ff47 in libcdata_array_empty () from /usr/lib/libewf.so.2
#2 0x00007ffff7ef46f4 in libfvalue_value_append_entry_data () from /usr/lib/libewf.so.2
#3 0x00007ffff7ef7dbc in libfvalue_value_type_set_data_strings_array () from /usr/lib/libewf.so.2
#4 0x00007ffff7551db2 in libscca_io_handle_read_volumes_information (io_handle=, uncompressed_data_stream=, file_io_handle=, volumes_information_offset=,
volumes_information_size=1006, number_of_volumes=1, volumes_array=0x555556074490, error=0x7fffffffd178) at libscca_io_handle.c:1906
#5 0x00007ffff754e1e9 in libscca_file_open_read (internal_file=internal_file@entry=0x55555612bff0, file_io_handle=file_io_handle@entry=0x555556074590, error=error@entry=0x7fffffffd178) at libscca_file.c:1305
#6 0x00007ffff754e408 in libscca_file_open_file_io_handle (file=file@entry=0x55555612bff0, file_io_handle=0x555556074590, access_flags=access_flags@entry=1, error=error@entry=0x7fffffffd178) at libscca_file.c:728
#7 0x00007ffff754e5e2 in libscca_file_open (file=0x55555612bff0, filename=0x555555de1680 "/tmp/wombatforensics/tmpfiles/e0-v0-p0-f12585-a7737-fhex", access_flags=1, error=0x7fffffffd178) at libscca_file.c:447

I am pointing the file_open() to a const char string for the path to the prefetch file. the content is there and is a prefetch file with the correct signature and content. I am following the same basic process as liblnk, so I'm not sure why the file open for libscca isn't working. Thanks for any assistance you can provide

Just linking this issue Velocidex/go-prefetch#4 which also seems to affect libscca.

I have reattached the problematic file.
DOWNLOADER.EXE-CAE991BA.pf.zip

I only tested with pyscca version from pip (pip install libscca-python) maybe it is fixed in the latest version?

hi Joachim,

to perfect/uniform libscca, I just noticed that the file path had changed between the last two versions of libscca at this date (eg. Filename: 1 : \VOLUME{...}\WINDOWS\... became Filename: 1 : \\VOLUME{...}\\WINDOWS\\...) but that the volume path had remained on its simple slash version (eg. Device path : \VOLUME{...})

thanks for this lib, regards, lacsaP.

Hello,

I followed the building instructions from https://github.com/libyal/libscca/wiki/Building#using-macos-pkgbuild and successfully built the libs as well as pkg/dmg files.

If I want to install it, however, I get the following error:

Are there any further steps that I missed apart from the ones described in the building manual? Or might it be due to an architecture (ARM) incompatibility?

Device: MacBook Pro (2021, M1 Max)
OS: MacOS Sonoma (14.3.1)

Best regards,
Jannik

Hello,

We're using libscca in our tool to generate bodyfile-based timelines (https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md). For this purpose we wrote Rust bindings for (a part of) the libscca-API, which are currently integral part of dfir-toolkit (https://github.com/dfir-dd/dfir-toolkit/tree/main/src/scca).

I can imagine that other rust developers also would like to use libscca. Do you have interest of integrating the Rust bindings in your library? That could be a separate crate.

Kind regards, Jan