Comments (3)
Hello.
I'm the author of the yarp library. Based on the screenshot you posted, it seems there is an issue with an input file, not with the library.
Can you upload a sample hive file (including transaction log files) to investigate the problem?
What tool did you use to copy these files? Are they from a running (live) system?
Hello @msuhanov,
Thanks for the reply. I unfortunately cannot share the sample hive file. I used velociraptor to copy the file.
Yes, it did come from a live system.
Is it perhaps how YARP was implemented?
Not sure if it was clear in my second screenshot, but I was able to get regipy to parse out the same hive that YARP was unable to.
I'm no expert when it comes to parsers, but since I was able to parse the hive with regipy and not YARP, that's what makes me think it was YARP.
What do you think?
Thanks
but I was able to get regipy to parse out the same hive that YARP was unable to
There is a format violation within the file. A tool can refuse to parse the file, or report the violation and parse what it can, or silently ignore the violation and extract as much data as possible (this is also limited to the implementation, which can extract less data than expected by the user).
The yarp-print tool can handle damaged and truncated primary files if no related transaction log files are available (or when the --no-recovery argument is given). This allows the tool to handle carved or otherwise damaged primary files. But if transaction log files are available (and the --no-recovery argument is not given), it is assumed (by the tool) that the damage can be repaired by replaying the log.
It is unclear what happened in your case. Velociraptor had at least one issue that could result in damaged files being produced.
I'm no expert when it comes to parsers, but since I was able to parse the hive with regipy and not YARP, that's what makes me think it was YARP.
Can you run the yarp-print tool manually against the file in question? (I recommend using the latest version.)
yarp-print --deleted NTUSER.DAT # Should produce the same error as reported.
yarp-print --deleted --no-recovery NTUSER.DAT # Things may work well here.
(Under the Windows operating system, execute "set PYTHONIOENCODING=utf-8" in the same cmd session before running the tool.)
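As an added example (my own script, not yarp's code and not something posted in this thread), the following Python triage checks a primary hive file's base block for the kinds of violations discussed above: a bad "regf" signature, a bad XOR-32 checksum, unequal primary/secondary sequence numbers (a dirty hive, for which a tool would expect to replay the .LOG1/.LOG2 files), and a hive bins area shorter than the base block claims (a truncated file). The field offsets follow the public base block layout (signature at 0, sequence numbers at 4 and 8, hive bins data size at 40, checksum at 508); the sample hives are constructed inside the script and are not real registry files.

```python
import struct

BASE_BLOCK_SIZE = 4096   # the "regf" base block is one 4 KiB block
HBIN_SIZE = 4096         # hive bins are multiples of 4 KiB; the samples use one block each


def xor32_checksum(base_block: bytes) -> int:
    """XOR-32 over the first 508 bytes of the base block (127 little-endian DWORDs),
    with the two reserved results remapped as the format requires."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def triage_hive(data: bytes) -> dict:
    """Report the base block violations a parser is likely to trip over."""
    if len(data) < BASE_BLOCK_SIZE:
        return {"signature_ok": False, "checksum_ok": False, "dirty": None,
                "truncated": True, "missing_bytes": BASE_BLOCK_SIZE - len(data),
                "first_hbin_ok": False}
    bb = data[:BASE_BLOCK_SIZE]
    sig, primary_seq, secondary_seq = struct.unpack_from("<4sII", bb, 0)
    hbins_data_size = struct.unpack_from("<I", bb, 40)[0]
    stored_checksum = struct.unpack_from("<I", bb, 508)[0]
    expected_len = BASE_BLOCK_SIZE + hbins_data_size
    return {
        "signature_ok": sig == b"regf",
        "checksum_ok": stored_checksum == xor32_checksum(bb),
        # unequal sequence numbers mean the last write was not completed: dirty hive
        "dirty": primary_seq != secondary_seq,
        # the file should hold the base block plus the declared hive bins data size
        "truncated": len(data) < expected_len,
        "missing_bytes": max(0, expected_len - len(data)),
        "first_hbin_ok": data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] == b"hbin",
    }


def recommendation(findings: dict) -> str:
    """Map the findings to the two yarp-print invocations discussed in the thread."""
    if not findings["signature_ok"] or not findings["checksum_ok"]:
        return "base block damaged: run with --no-recovery and expect partial output"
    if findings["dirty"]:
        return "dirty hive: keep .LOG1/.LOG2 beside the primary file so the log can be replayed"
    if findings["truncated"]:
        return "truncated primary file: run with --no-recovery to parse what is present"
    return "base block consistent: default (recovery) mode should be fine"


def build_sample_hive(primary_seq: int, secondary_seq: int, hbin_count: int) -> bytes:
    """Constructed sample: a base block plus empty hive bins (no key cells), enough
    for the checks above. Not a real hive."""
    bb = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sII", bb, 0, b"regf", primary_seq, secondary_seq)
    struct.pack_into("<IIII", bb, 20, 1, 5, 0, 1)   # major 1, minor 5, type 0 (primary), format 1
    struct.pack_into("<I", bb, 36, 0x20)            # root cell offset, relative to hive bins data
    struct.pack_into("<I", bb, 40, hbin_count * HBIN_SIZE)
    struct.pack_into("<I", bb, 44, 1)               # clustering factor
    struct.pack_into("<I", bb, 508, xor32_checksum(bytes(bb)))
    hbins = bytearray()
    for i in range(hbin_count):
        hbin = bytearray(HBIN_SIZE)
        struct.pack_into("<4sII", hbin, 0, b"hbin", i * HBIN_SIZE, HBIN_SIZE)
        hbins += hbin
    return bytes(bb + hbins)


if __name__ == "__main__":
    clean = build_sample_hive(7, 7, 2)
    dirty = build_sample_hive(8, 7, 2)
    truncated = clean[:-1500]
    corrupted = bytearray(clean)
    corrupted[40] ^= 0xFF   # alter the hive bins data size; the stored checksum no longer matches
    for name, blob in [("clean", clean), ("dirty", dirty),
                       ("truncated", truncated), ("corrupted", bytes(corrupted))]:
        f = triage_hive(blob)
        print(f"{name:10s} {f} -> {recommendation(f)}")
```

Run it against a copied NTUSER.DAT by reading the file into `triage_hive`; a dirty result with no .LOG1/.LOG2 collected alongside explains why a parser that replays logs by default fails where one that ignores them succeeds.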