libyal / libscca
Library and tools to access the Windows Prefetch File (SCCA) format.
License: GNU Lesser General Public License v3.0
libscca is a library to access the Windows Prefetch File (SCCA) format.

Project information:
* Status: alpha
* Licence: LGPLv3+

Planned:
* Multi-threading support

For more information see:
* Project documentation: https://github.com/libyal/libscca/wiki/Home
* How to build from source: https://github.com/libyal/libscca/wiki/Building
Hello,
We're using libscca in our tool to generate bodyfile-based timelines (https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md). For this purpose we wrote Rust bindings for (a part of) the libscca API, which are currently an integral part of dfir-toolkit (https://github.com/dfir-dd/dfir-toolkit/tree/main/src/scca).
I can imagine that other Rust developers would also like to use libscca. Do you have interest in integrating the Rust bindings in your library? That could be a separate crate.
Kind regards, Jan
Hi Joachim,
to perfect/uniform libscca, I just noticed that the file path had changed between the last two versions of libscca at this date (eg. Filename: 1 : \VOLUME{...}\WINDOWS\... became Filename: 1 : \\VOLUME{...}\\WINDOWS\\...) but that the volume path had remained on its simple slash version (eg. Device path : \VOLUME{...}).
thanks for this lib, regards, lacsaP.
Just linking this issue Velocidex/go-prefetch#4 which also seems to affect libscca.
I have reattached the problematic file.
DOWNLOADER.EXE-CAE991BA.pf.zip
I only tested with the pyscca version from pip (pip install libscca-python); maybe it is fixed in the latest version?
How to convert VOLUME{%%} to a DOS path
Thanks for the libraries. I have successfully used liblnk, but am running into an issue when trying to use libscca.
I can successfully call the libscca_file_initialize() function.
When I call the libscca_file_open(obj, filepath, flags, error) my program just hangs.
When I kill it with Ctrl+C and run bt in the gdb session, I get the following:
0x00007ffff7e9fde1 in libcdata_internal_array_clear () from /usr/lib/libewf.so.2
(gdb) bt
#0 0x00007ffff7e9fde1 in libcdata_internal_array_clear () from /usr/lib/libewf.so.2
#1 0x00007ffff7e9ff47 in libcdata_array_empty () from /usr/lib/libewf.so.2
#2 0x00007ffff7ef46f4 in libfvalue_value_append_entry_data () from /usr/lib/libewf.so.2
#3 0x00007ffff7ef7dbc in libfvalue_value_type_set_data_strings_array () from /usr/lib/libewf.so.2
#4 0x00007ffff7551db2 in libscca_io_handle_read_volumes_information (io_handle=, uncompressed_data_stream=, file_io_handle=, volumes_information_offset=,
volumes_information_size=1006, number_of_volumes=1, volumes_array=0x555556074490, error=0x7fffffffd178) at libscca_io_handle.c:1906
#5 0x00007ffff754e1e9 in libscca_file_open_read (internal_file=internal_file@entry=0x55555612bff0, file_io_handle=file_io_handle@entry=0x555556074590, error=error@entry=0x7fffffffd178) at libscca_file.c:1305
#6 0x00007ffff754e408 in libscca_file_open_file_io_handle (file=file@entry=0x55555612bff0, file_io_handle=0x555556074590, access_flags=access_flags@entry=1, error=error@entry=0x7fffffffd178) at libscca_file.c:728
#7 0x00007ffff754e5e2 in libscca_file_open (file=0x55555612bff0, filename=0x555555de1680 "/tmp/wombatforensics/tmpfiles/e0-v0-p0-f12585-a7737-fhex", access_flags=1, error=0x7fffffffd178) at libscca_file.c:447
I am pointing file_open() to a const char string for the path to the prefetch file. The content is there and is a prefetch file with the correct signature and content. I am following the same basic process as liblnk, so I'm not sure why the file open for libscca isn't working. Thanks for any assistance you can provide.
Hello,
I followed the building instructions from https://github.com/libyal/libscca/wiki/Building#using-macos-pkgbuild and successfully built the libs as well as pkg/dmg files.
If I want to install it, however, I get the following error:
Are there any further steps that I missed apart from the ones described in the building manual? Or might it be due to an architecture (ARM) incompatibility?
Device: MacBook Pro (2021, M1 Max)
OS: MacOS Sonoma (14.3.1)
Best regards,
Jannik
Greetings--
Thank you for your work on libscca - getting libscca-python uploaded to PyPI is a really nice touch.
I'm not sure if you're taking merge requests for Wiki documentation, but I took the liberty of cloning my own copy of libscca's Wiki and updating the Development.md page. It's my understanding that GitHub doesn't offer the normal 'pull' functionality for Wiki pages, which is a shame.
Anyway, my changes can be seen here
I used the PyPI repository to build pyscca locally, and would be interested in updating the building Wiki to reflect that process if you are open to assistance with the docs.
Hope this helps.
Adam
I want to use class file_metrics(). How do I use it in Python 3?
class file() has an open() method, but class file_metrics() does not have an open() method.
How to analyze a specific prefetch file?
If possible, please write sample code...
Hi,
I think the implementation of the SCCA 2008 hash algorithm as it is described in the documentation (section 5.3) doesn't work as expected. I tested the function with the path of cmd.exe. The system is a Windows 10 Pro (Build 19041) machine.
C:\Windows\System32\cmd.exe
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE
DD237864
4A81B364
I think this happens because step 3 of section 5.4 isn't currently implemented:
- Convert the string into a UTF-16 little-endian stream without a byte-order-mark or an end-of-string character (2x 0-bytes)
The ord() function used to transform a character to an integer returns the Unicode value and not the UTF-16LE value of the character. This is the reason for the wrong hash value that is returned by the function.
I changed the function in the following way and it seems to work:
def scca_2008_hash_function(filename):
    """ Calculates the prefetch hash value with the SCCA 2008 hash algorithm
    :param filename: upper-case Windows device path
    :type filename: str
    """
    # Hash the UTF-16LE byte stream (no BOM, no terminator), not the code points
    filename = filename.encode("UTF-16LE")
    hash_value = 314159
    filename_index = 0
    filename_length = len(filename)
    # Process full 8-byte blocks
    while filename_index + 8 < filename_length:
        character_value = filename[filename_index + 1] * 37
        character_value += filename[filename_index + 2]
        character_value *= 37
        character_value += filename[filename_index + 3]
        character_value *= 37
        character_value += filename[filename_index + 4]
        character_value *= 37
        character_value += filename[filename_index + 5]
        character_value *= 37
        character_value += filename[filename_index + 6]
        character_value *= 37
        character_value += filename[filename_index] * 442596621
        character_value += filename[filename_index + 7]
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
        filename_index += 8
    # Process the remaining bytes one at a time
    while filename_index < filename_length:
        hash_value = (((37 * hash_value) + filename[filename_index]) % 0x100000000)
        filename_index += 1
    return hash_value
Have a nice day.:D
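An added example, not code from the issue or from libscca: it folds the fixed byte-wise function above into a general block loop and uses it to check that a prefetch file name (NAME-XXXXXXXX.pf) is consistent with the device path it claims to belong to, which is the check an examiner wants when a .pf name looks renamed or planted. The sample name and path are the cmd.exe values quoted in the issue; the hosting-process caveat in the last docstring is an assumption about Windows 8+ behaviour, not something the issue states.

```python
import re

# Constructed sample input: the Windows 10 cmd.exe values quoted in the issue above.
SAMPLE_PREFETCH_NAME = "CMD.EXE-4A81B364.pf"
SAMPLE_DEVICE_PATH = "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE"


def scca_2008_hash(device_path: str) -> int:
    """SCCA 2008 hash of an NT device path, computed over its UTF-16LE byte
    stream (no BOM, no terminator), so ASCII hashes as 'char, 0x00' pairs."""
    data = device_path.upper().encode("utf-16-le")
    hash_value = 314159
    index = 0
    # Full 8-byte blocks: bytes 1..6 are folded with multiplier 37, byte 0 and
    # byte 7 get their own weights. The test is '<', so when the length is a
    # multiple of 8 the last block is consumed by the tail loop instead.
    while index + 8 < len(data):
        value = data[index + 1]
        for k in range(2, 7):
            value = value * 37 + data[index + k]
        value = value * 37 + data[index] * 442596621 + data[index + 7]
        hash_value = (value - hash_value * 803794207) & 0xFFFFFFFF
        index += 8
    while index < len(data):  # remaining bytes, one at a time
        hash_value = (37 * hash_value + data[index]) & 0xFFFFFFFF
        index += 1
    return hash_value


def parse_prefetch_name(name: str):
    """Split 'NAME-XXXXXXXX.pf' into (NAME, hash as int); None if malformed."""
    match = re.fullmatch(r"(.+)-([0-9A-Fa-f]{8})\.pf", name)
    if match is None:
        return None
    return match.group(1).upper(), int(match.group(2), 16)


def prefetch_name_matches(name: str, device_path: str) -> bool:
    """True if the .pf name carries the executable name and the 2008 hash of
    device_path. A mismatch points at a renamed file, or at a hosting process
    (svchost.exe and similar) whose command line is hashed too; that case is
    not handled here (assumption, see lead-in)."""
    parsed = parse_prefetch_name(name)
    if parsed is None:
        return False
    exe_name, embedded_hash = parsed
    path_exe = device_path.upper().rsplit("\\", 1)[-1]
    return exe_name == path_exe and embedded_hash == scca_2008_hash(device_path)
```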