
Error when running Exchange.Windows.Forensics.Jumplists_JLECmd #3409

Open
SamFicic opened this issue Apr 11, 2024 · 1 comment

Comments

@SamFicic

Hello

I'm currently using velociraptor-v0.7.1-1 and noticed that there is an error when using the artifact Exchange.Windows.Forensics.Jumplists_JLECmd. The error does not seem to be an issue as results are still returned.

The following error is logged and repeated several times.

2024-04-11T13:51:11Z ERROR Symbol TargetSequenceNumber not found. Current Scope is [NULL], [_SessionId, $responder, sourceFile, localPath, arguments, dateAfter, dateBefore, Tool_JLECmd_HASH, Tool_JLECmd_FILENAME, Tool_JLECmd_URL, $cache, $device_manager, config, $acl, $uploader, Artifact, $root], [precondition_Exchange_Windows_Forensics_Jumplists_JLECmd_0], [jlecmdpackage], [tmpdir], [payload], [deploy], [Exchange_Windows_Forensics_Jumplists_JLECmd_0_4], [$Query], [SourceFile, SourceCreated, SourceModified, SourceAccessed, AppId, AppIdDescription, HasSps, DestListVersion, LastUsedEntryNumber, MRU, EntryNumber, CreationTime, LastModified, Hostname, MacAddress, Path, InteractionCount, PinStatus, FileBirthDroid, FileDroid, VolumeBirthDroid, VolumeDroid, TargetCreated, TargetModified, TargetAccessed, FileSize, RelativePath, WorkingDirectory, FileAttributes, HeaderFlags, DriveType, VolumeSerialNumber, VolumeLabel, LocalPath, CommonPath, TargetIDAbsolutePath, TargetMFTEntryNumber, TargetMFTSequenceNumber, MachineID, MachineMACAddress, TrackerCreatedOn, ExtraBlocksPresent, Arguments, Notes]

Please let me know if you need any further info.

Thanks
Sam

@scudette
Contributor

That artifact parses the output from JLECmd and it is possible that the tool has changed its output or it omits certain columns in some cases.

Exchange artifacts are generally not well tested and we don't maintain them as part of this repository.

The problematic VQL is this

SELECT SourceFile, SourceCreated, SourceModified, LocalPath, Arguments,
       TargetCreated, TargetModified, VolumeLabel, DriveType, AppIdDescription, CommonPath,
       VolumeSerialNumber, MachineID, MachineMACAddress, TargetMFTEntryNumber, TargetSequenceNumber,
       TargetIDAbsolutePath, TrackerCreatedOn, ExtraBlocksPresent, HeaderFlags, FileAttributes, FileSize
FROM parse_csv(filename=tmpdir + "jlecmd" + "\\results_AutomaticDestinations.csv")

The error just means there is no column called TargetSequenceNumber in the csv output. You can ignore the error (it will return NULL) but VQL is telling you about it in case this is a typo or something.

In this case we don't know in advance what the tool will do, so we can either do

SELECT *
FROM parse_csv(filename=tmpdir + "jlecmd" + "\\results_AutomaticDestinations.csv")

Or if you are sure the tool does not emit this column any more you can remove that column
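The mismatch behind this error can be checked before an artifact is shipped: compare the column names in the SELECT against the header row of the CSV the tool actually wrote, and report any name that is absent together with the closest real header name. The following Python is an added example, not Velociraptor code and not part of the Exchange artifact; it uses the column list from the VQL quoted above and, as a constructed stand-in for JLECmd's real output, a header built from the column names listed in the error message's scope, followed by one placeholder data row. `read_rows` mirrors what VQL does with a missing column (returns NULL, here `None`) and `check_columns` adds the diagnostic a maintainer would want.

```python
"""Check an artifact's SELECT column list against the header of the CSV it parses.

Added example, not part of Velociraptor or the Exchange artifact. Mirrors the
behaviour described in the comment (a column named in the SELECT but absent from
the CSV header yields NULL) and adds the check a maintainer would want: which
names are missing, and what the nearest real column is called.
"""
import csv
import difflib
import io

# Columns named in the artifact's SELECT, copied from the VQL quoted in the comment above.
ARTIFACT_COLUMNS = [
    "SourceFile", "SourceCreated", "SourceModified", "LocalPath", "Arguments",
    "TargetCreated", "TargetModified", "VolumeLabel", "DriveType", "AppIdDescription",
    "CommonPath", "VolumeSerialNumber", "MachineID", "MachineMACAddress",
    "TargetMFTEntryNumber", "TargetSequenceNumber", "TargetIDAbsolutePath",
    "TrackerCreatedOn", "ExtraBlocksPresent", "HeaderFlags", "FileAttributes", "FileSize",
]

# Constructed header: the column names listed in the error message's scope, taken here
# as the header JLECmd wrote for that run (an assumption). The single data row that
# follows holds placeholder values, not real JLECmd output.
CSV_HEADER = [
    "SourceFile", "SourceCreated", "SourceModified", "SourceAccessed", "AppId",
    "AppIdDescription", "HasSps", "DestListVersion", "LastUsedEntryNumber", "MRU",
    "EntryNumber", "CreationTime", "LastModified", "Hostname", "MacAddress", "Path",
    "InteractionCount", "PinStatus", "FileBirthDroid", "FileDroid", "VolumeBirthDroid",
    "VolumeDroid", "TargetCreated", "TargetModified", "TargetAccessed", "FileSize",
    "RelativePath", "WorkingDirectory", "FileAttributes", "HeaderFlags", "DriveType",
    "VolumeSerialNumber", "VolumeLabel", "LocalPath", "CommonPath", "TargetIDAbsolutePath",
    "TargetMFTEntryNumber", "TargetMFTSequenceNumber", "MachineID", "MachineMACAddress",
    "TrackerCreatedOn", "ExtraBlocksPresent", "Arguments", "Notes",
]
SAMPLE_CSV = (
    ",".join(CSV_HEADER) + "\n"
    + ",".join(f"value{i}" for i in range(len(CSV_HEADER))) + "\n"
)


def check_columns(expected, csv_text, cutoff=0.6):
    """Return {missing_column: closest_header_name_or_None} for every column in
    `expected` that does not appear in the CSV header row."""
    header = next(csv.reader(io.StringIO(csv_text)))
    report = {}
    for name in expected:
        if name in header:
            continue
        close = difflib.get_close_matches(name, header, n=1, cutoff=cutoff)
        report[name] = close[0] if close else None
    return report


def read_rows(expected, csv_text):
    """Parse the CSV the way the SELECT would: one dict per row holding only the
    expected columns, with None wherever the header lacks that column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{name: row.get(name) for name in expected} for row in reader]


if __name__ == "__main__":
    for missing, suggestion in check_columns(ARTIFACT_COLUMNS, SAMPLE_CSV).items():
        print(f"column {missing!r} not in CSV header; closest header name: {suggestion!r}")
    first = read_rows(ARTIFACT_COLUMNS, SAMPLE_CSV)[0]
    print("TargetSequenceNumber ->", first["TargetSequenceNumber"])
```

Run against the constructed sample, the check reports `TargetSequenceNumber` as the only missing column and names `TargetMFTSequenceNumber` as the nearest header entry; whether that is the intended column is for the artifact author to decide, which is exactly why the VQL engine logs the symbol rather than silently dropping it. Swapping `SAMPLE_CSV` for the real `results_AutomaticDestinations.csv` from a run of the current JLECmd version turns this into a quick pre-release check for the artifact.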
