markbaggett / srum-dump Goto Github PK

Could you add an output path like there is in srum_dump? This will be helpful for adding a module to KAPE.

Hmmm... I get following when I use the default template:

Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue.
Error :
Finished!

And I get this when I use the small template:

Traceback (most recent call last):
File "", line 347, in
AttributeError: 'NoneType' object has no attribute 'replace'

This is running on a Windows 10 Enterprise v1607 with a copy of the SRUDB.dat file from the same machine.

Does SRUM_dump2.exe only retrieve the last 30 days of records?
I have a SRUDB.dat where I can see much older artifacts of interest in ASCII/HEX view, but SRUM_dump2 doesn't seem to retrieve any info about this. The events of interest occurred 3 years before the last event in SRUDB.dat

Hi,

When runnnig srum_dump2.exe on a Windows 10 machine I get the following error:

File "srum_dump2.py", line 563, in <module>
  if regsids:
NameError: name 'regsids' is not defined.

Any idea of what's going wrong?

By default WSL has no GUI so tkinker cannot be installed or load
Was able to bypass and run successfully with the "-q" switch by commenting out the line
"import PySimpleGUI as sg"

So perhaps this is more of a feature request than a bug.

command:
python srum_dump2.py -q -i /mnt/c/temp/SRUDB.dat -t SRUM_TEMPLATE2.xlsx -o /mnt/c/temp/sru1.xlsx

error:
Traceback (most recent call last):
File "srum_dump2.py", line 19, in
import PySimpleGUI as sg
File "/usr/local/lib/python3.8/dist-packages/PySimpleGUI/init.py", line 2, in
from .PySimpleGUI import *
File "/usr/local/lib/python3.8/dist-packages/PySimpleGUI/PySimpleGUI.py", line 136, in
import tkinter as tk
ModuleNotFoundError: No module named 'tkinter'

the xlsx option produces data on each line, but the CSV option outputs data, and then a blank line. see picture

I was given an example of a SRUM.DAT file that I am unable to process. (Thank you Martin WIlling!) While processing the file the tool produces the following output:

Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
I was unable to write the output file.  Do you have an old version open?  If not this is probably a path or permissions issue.
Error :
Finished!

The first line "Unable to find table ..." isn't a problem. This is just a warning that indicates that the SRUM file you are analyzing doesn't contain that table. No big deal. The next line "I was unable to write the output file..." is a problem. In this case the error is not caused by permissions or the path as the error message indicates. The problem is that the system is running out of Memory. Unfortunately MemoryErrors can not be always be caught in Python (See docs https://docs.python.org/2/library/exceptions.html#exceptions.MemoryError ) so the error message returned by the program isn't at all helpful. Usually after the word "ERROR:" you would see what the error is. If NOTHING appears after the word "ERROR:" then you are probably having the same issue. When I run this through the debugger I can clearly see that it is a memory error...

Creating Sheet Energy Usage
While you wait, did you know ...
This program was written by Twitter:@markbaggett and @donaldjwilliam5 because @ovie said so.

Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
> c:\host\documents\pythonprojects\srum\srum-dump\srum_dump.py(365)<module>()
-> firstsheet=target_wb.get_sheet_by_name("Sheet")
(Pdb)
(Pdb) target_wb.save(".\\outtest.xlsx")
***** MemoryError:**
(Pdb)

There were some recent changes to openpyxl in dealing with memory usage and large spreadsheets. The current release was using openpyxl (2.4.7). This is an open issue that I will have to resolve. I'm working on it now.

The link to Yogesh Khatri's PDF seems to be broken. I believe it can now be found here: https://digital-forensics.sans.org/summit-archives/file/summit-archive-1492184583.pdf

Dear Mark,

When i run srum-dump on Windows 11 i got exception:

Registry.Registry.RegistryKeyNotFoundException: Registry key not found: ROOT\Microsoft\WlanSvc\Interfaces{9973590D-191A-42BB-A2C9-63981C0BD659}\Profiles{9D178DC5-2D6A-40AD-836C-B76801191869}\MetaData [19916] Failed to execute script 'srum_dump2' due to unhandled exception!

Hi Mark, I gave this a try on my Mac using Python 2.7.15 and openpyxl 2.6.1 and ran into some errors related to openpyxl. Here is the first error it generated:

Traceback (most recent call last):
File "srum_dump.py", line 8, in
from openpyxl.writer.write_only import WriteOnlyCell
ImportError: No module named write_only

Which I got around by changing the import to:

from openpyxl.cell import WriteOnlyCell

After that I received this error:

Traceback (most recent call last):
File "srum_dump.py", line 285, in
ese_template_table = template_sheet.cell("A1").value
TypeError: cell() takes at least 3 arguments (2 given)

Which I got around by changing the line to:

ese_template_table = template_sheet["A1"].value

I have no idea if it still works as intended though.

@MarkBaggett, this is a great tool! I do most of my analysis in MacOs or Linux, so my preference was to use your raw python script. Unfortunately, I'm getting the following openpyxl (using version 2.4.1) error:

Traceback (most recent call last):
  File "./srum_dump.py", line 327, in <module>
    cell_style = template_sheet.cell(row = 4, column = eachcolumn).style
AttributeError: 'ReadOnlyCell' object has no attribute 'style'

It appears (in this version anyway) that the ReadOnlyCell class has different properties than the standard Cell class. Simply changing your call to openpyxl.load_workbook (line 268) to open the template read-write fixed the issue for me. Not ideal, but provides for a quick fix.

(Also, FYI opening read-write appears to be a fairly safe operation if you don't call wb.save().)

Hi,

As can be seen in the image below, the output of the CSV(in this case the srumNetworkUsage.csv) is returned with the formulas, not with the result. If one wishes to consume the CSV outside of Excel, will not have the result.

I could not open the specified SRUM file. Check your path and file name.
Error : ("Unpacked data doesn't match constant value 'b'0\x00\x03\x00'' should be ''ïÍ«\x89''", 'When unpacking field 'Signature | "ïÍ«\x89 | b"0\x00\x03\x00\x95\x10E\x95\x02\x00\x00\x00\x01\x00\x01\x008\x00\x01\x00\xc8\x01\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00

I get the following error when running srum_dump_csv:

C:\Software\srum-dump>srum_dump_csv
What is the path to the SRUDB.DAT file? (Ex: \image-mount-point\Windows\system32\sru\srudb.dat) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\sru\SRUDB.dat
What XLS Template should I use? (Press enter for the default SRUM_TEMPLATE.XLSX) :
What is the full path of the SOFTWARE registry hive? Usually \image-mount-point\Windows\System32\config\SOFTWARE (or press enter to skip Network resolution) : E:\DFIRNW-19.2\endpoint\windows\vanko-c-drive\vanko-c-drive.CYLR\G\Windows\System32\config\SOFTWARE

Creating CSV for Network Usage
While you wait, did you know ...
Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.

Finished processing Network Usage. Writing Output File.

Creating CSV for Application Resource Usage
While you wait, did you know ...
To learn how SRUM and other artifacts can enhance your forensics investigations check out SANS Windows Forensics FOR500/408

Finished processing Application Resource Usage. Writing Output File.

Creating CSV for Network Connections
While you wait, did you know ...
This program uses the function BinarySIDtoStringSID from the GRR code base to convert binary data into a user SID and relies heavily on the CoreSecurity Impacket ESE module. This works because of them. Check them out!

Finished processing Network Connections. Writing Output File.

Creating CSV for Push Notification Data
While you wait, did you know ...
Yogesh Khatri's paper at https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/Windows8SRUMForensicsYogeshKhatri.pdf was essential in the creation of this tool.

Finished processing Push Notification Data. Writing Output File.

Creating CSV for Energy Usage (Long Term)
While you wait, did you know ...
By modifying the template file you have control of what ends up in the analyzed results. Try creating an alternate template and passing it with the --XLSX_TEMPLATE option.

Finished processing Energy Usage (Long Term). Writing Output File.

Creating CSV for Energy Usage
While you wait, did you know ...
This program was written by Twitter:@MarkBaggett and @donaldjwilliam5 because @ovie said so.

Finished processing Energy Usage. Writing Output File.

Creating CSV for Undocumented Windows 10 Table
While you wait, did you know ...
Check out SANS Automating Infosec with Python SEC573 to learn to write program like this on your own.

Traceback (most recent call last):
File "srum_dump_csv.py", line 385, in
for ese_row in ese_getnextrow(ese_table):
File "srum_dump_csv.py", line 94, in ese_getnextrow
current_row[reverse_column_lookup[each_column]] = smart_retrieve(ese_table, ese_row_num, each_column)
File "srum_dump_csv.py", line 104, in smart_retrieve
col_data = "" if not col_data else col_data.encode("HEX")
AttributeError: 'bytes' object has no attribute 'encode'
[13228] Failed to execute script srum_dump_csv

C:\Software\srum-dump>

Do you need a copy of the test DB & Software hive, or is the error sufficint?

Thanks
John

It would be nice to resolve the SID prior to outputting the data.

But i hear doing so can be dangerous in PKI situations where UPN is an external namespace (like the DoD). As it generates network traffic but also targets the PDC-E role which is single homed by design. WMI's Win32_UserAccounts sid resolver will hit the PDC-E, so not sure if there is a good way around doing this, or maybe allow as a configurable/opt in option.

Hello,

Thank you for developing this tool. However, as your repository is missing a license file, or any reference to a specific license in the first place, it is strictly speaking forbidden for anybody to use the tool for any purpose besides those outlined in the GitHub Terms of Service (section D.4 - D.7).

GitHub has both excellent instructions and a tool for choosing a license - which conveniently includes details on what it means when you don't choose a license.

You mention that parts of srum-dump originate from GRR's wmi_parser.py, which is licensed under the Apache license 2.0. Without explicit permission given to you, this likely means that srum-dump should be considered a derivative work and licensed under the same terms.

Furthermore, it is my personal understanding that all contributors to the code should agree to license their contributions under the chosen terms.

As the standard disclaimer, I am not a lawyer - I'm just a person who (full disclosure: and whose employer) would like to use this tool.

I suspected no one was using that so I remove it. I was wrong.
Sorry Mark Hallman. I'll fix it when I get back in the office.

Getting the following error when trying to run Srum dump from commandline. Got similar error when running it from the GUI as well. Running as Admin.

Traceback (most recent call last):
File "srum_dump2.py", line 581, in
File "srum_dump2.py", line 316, in process_srum
File "srum_dump2.py", line 316, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records. libcdata_array_get_entry_by_index: invalid entry index value out of bounds. libfdata_vector_get_element_index_at_offset:
unable to retrieve entry: 2 from mapped ranges array. libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x029de000. libesedb_page_tree_read_page: unable to retrieve
page: 10719 at offset: 0x029de000. libesedb_page_tree_read_node: unable to read page: 10719 at offset: 0x029de000. libfdata_btree_read_node: unable to read node at offset: 43900928.
libfdata_btree_read_sub_tree: unable to read node. libfdata_btree_get_number_of_leaf_values: unable to read root node sub tree. libesedb_table_get_number_of_records: unable to retrieve number of leaf
values from table values tree.

When I run the tool against valid files I am getting "not an ese file". Ultimately, I was hoping this tool could help me understand why ESENT is not dumping app name not app description from srudb.dat.

ese-analyst-master\ese-analyst-master> .\ese2csv.exe -p srudb_plugin -l C:\Windows\system32\sru\srudb.dat
Processing File C:\Windows\system32\sru\srudb.dat
Not an ese file. Skipping.
1 files matched the file path criteria specified.

I have tried to extract a SRUDB file by using fget but end up getting this error:

this might sound a stupid error but i am really new to this field.... thanks for helping me.

It looks like there is an error when attempting to write output from srum_dump2.exe

Below is a screenshot of the error message I'm getting. I'm running this with SRUM_TEMPLATE2.xlxs and with the SOFTWARE hive include in the parsing.

I could not open the specified template file /home/tkrabec/srudb/SRUM_TEMPLATE.xlsx. Check your path and file name.
Error : File is not a zip file

Same error windows 10 and Centos.

Hello,

I am using your tool for the first time, I exported the srudb.dat file with ftk imager. But when using the tool I got an error like this:

I will be grateful if you could help me. Thanks in advance.

Error due to line not being indented.

Traceback (most recent call last):
File "srum_dump_csv.py", line 361, in
print("While you wait, did you know ...\n"+ad+"\n")
NameError: name 'ad' is not defined

Traceback (most recent call last):
File "srum_dump.py", line 328, in
print("While you wait, did you know ...\n"+ad+"\n")
NameError: name 'ad' is not defined

Hy Mark,

I'm using srum-dump to analyze SRUDB.dat on Windows 10 (1809)...

For now, all result of User's SID in Application Resource Usage was "None".
I tried it on the multiple SRUDB.dat (exported with FTK Imager) files, with or without template and SOFTWARE hive. There is no error message in cmd...

Any idea why I can't get user's SIDs?

Best regards

I ran srum_dump on a centos machine I use for analysis thats headless and found with srum_dump2 I had issues when running srum_dump2.py -h with the following error: ModuleNotFoundError: No module named 'tkinter'.

Even after installing tkinter, the issue persisted. I ended up commenting out the line: import PySimpleGUI to see help so I could run the switches (I havent run version 2 before).

Running SRUM with all switches applied worked as expected.

I believe this is caused by srum_dump defaulting to GUI with no variables set. I think you should allow "-h|--help" with no variables and then import PySimpleGUI afterwards.

Matt

Hi Mark,
Sorry for using your Github to get a hold of you, but I couldn't find an easy way to get in touch. I have a question regarding the parsing of OLE Timestamps like the ones you parse from the SRUdb. In what format is the actual timestamp when it's processed by your python version of the parser?

I am trying to do pretty much the same thing in a program I'm writing as you did, but I keep getting a struct.unpack error "unpack requires a string argument of length 8".

It's not directly related to your srum-dump, but do you think you can help?

PySimpleGUI==4.11.0 is not available.

Latest PySimpleGUI is 4.34.0 and this gives a missing module error.