crowdstrike / forensics Goto Github PK

Hello,

Thank you for this great tool. I am trying to run it to collect activity logs for a user but I get the following error:

HTTP 403: AppId: "32613fc5-e7ac-4894-ac94-fbc39c9f3e4a" is not allowed.

This AppId seems to be associated with the Outlook Dev Center - OAuth Sandbox. I have granted my user the required permissions using the Add-MailboxPermission command.

from ual-analyzer and ual-analyzer/plugins
packages cannot initialize.

I was able to run this back in June without issue, but now I am getting this error when running:
python retriever.py --user [email protected] --output activities.csv --token

toke was generated from account that has fullaccess permissions to victim mailbox.

hello
the bat file not working. where is splunk app?

Got an exception when running coreAnalyticsParser.py as sudo on local disk on macOS 10.13.
[+] Found 4 .core_analytics files to parse. [+] Found 3 aggregate files to parse. Traceback (most recent call last): File "/Users/research/Desktop/coreanalyticsparser.py", line 231, in <module> CoreAnalyticsParser() File "/Users/research/Desktop/coreanalyticsparser.py", line 183, in CoreAnalyticsParser data_lines = json.loads(data) File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/__init__.py", line 338, in loads return _default_decoder.decode(s) File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/json/decoder.py", line 369, in decode raise ValueError(errmsg("Extra data", s, end, len(s))) ValueError: Extra data: line 2 column 1 - line 3 column 1 (char 17 - 2243)

Please add me as contributor

Greetings.

Suggest updating line 55 in sysmon_parse.cmd to include ID 8, added to Sysmon on 20 JUL 2015 to identify CreateRemoteThread events.
Suggested change as follows:
tools\logparser\logparser -i:evt -o:csv "Select RecordNumber,TO_UTCTIME(TimeGenerated),EventID,SourceName,ComputerName,SID,Strings from %src% WHERE EventID in ('1';'2';'3';'4';'5';'6';'7';'8')" > Results_%dtstamp%\sysmon_parsed.txt

Cheers.

Retrieving activities................Traceback (most recent call last):
  File "retriever.py", line 109, in <module>
    writer.writerow(vars(activity))
  File "C:\Python\Python36-32\lib\csv.py", line 155, in writerow
    return self.writer.writerow(self._dict_to_list(rowdict))
  File "C:\Python\Python36-32\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode characters in position 732-733: character maps to <undefined>

I've fixed this by adding encoding='utf8' to line 95, but I'm not sure that this isn't better handled as a command-line switch. Also, as you seem to be python 2 compatible, it needs handling for that too.

I receive the following error occasionally.

Traceback (most recent call last):
File "C:\Users\REDACTED\Documents\ForensicTools\UAL analyzer\Forensics-master\ual-analyzer\ual-analyzer.py", line 30, in
for row in reader:
File "C:\Users\REDACTED\AppData\Local\Programs\Python\Python37-32\lib\csv.py", line 112, in next
row = next(self.reader)
File "C:\Users\REDACTED\AppData\Local\Programs\Python\Python37-32\lib\encodings\cp1252.py", line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8d in position 6691: character maps to

Please add a license

SIFT uses "vol.py", not "volatility", as the executable. Similarly, the path to bulk_extractor differs.

I am getting the following errors while executing. I have made changes in the script for line 97 to 100 since the .core_analytics files are now located in the Retired folder of Diagnostic Reports.

Changes:

if args.disk:
analytics_location = glob.glob('/Library/Logs/DiagnosticReports/Retired/.core_analytics')
elif args.input and not args.input.endswith('.core_analytics'):
analytics_location = glob.glob(args.input+'/Retired/.core_analytics')

Error:

[+] Found 42 .core_analytics files to parse.
Traceback (most recent call last):
File "CoreAnalyticsParser.py", line 231, in
CoreAnalyticsParser()
File "CoreAnalyticsParser.py", line 123, in CoreAnalyticsParser
i.startswith("{"timestamp":")][0]['timestamp']
IndexError: list index out of range

It appears as though all functionality from the O365-Outlook-Activities utility has been removed by Microsoft.

Is this tool still being developed or is it dead?

Hello!

I am currently operating on Mac OS 10.13.6. The .core_analytics files are now located in the Retired folder of Diagnostic Reports. I have implemented the following changes to lines 97-100:

if args.disk:
     analytics_location = glob.glob('/Library/Logs/DiagnosticReports/Retired/*.core_analytics')
elif args.input and not args.input.endswith('.core_analytics'):
     analytics_location = glob.glob(args.input+'/Retired/*.core_analytics')

Both the change from 'Analytics' to 'Retired' and the addition of the forward slash after 'Retired' are necessary to allow the program to properly access the .core_analytics files.

I would recommend adding additional checks to determine if the .core_analytics files are found in Retired or a way to check the system's OS and adjust the file path accordingly.