Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add-x, --recover-records option #952

Closed
YamatoSecurity opened this issue Mar 3, 2023 · 5 comments · Fixed by #1147
Closed

Add-x, --recover-records option #952

YamatoSecurity opened this issue Mar 3, 2023 · 5 comments · Fixed by #1147
Assignees
@hitenkoku
Labels
enhancement New feature or request
Milestone
v2.8.0

Comments

@YamatoSecurity
Copy link
Collaborator

There is a PR that tries to recover more event records here: https://github.com/forensicmatt/evtx/tree/feature/parse-empty-pages
I would like to create a branch in the hayabusa-evtx repository and create an option --recover-records in Hayabusa that will try to recover records. I am not sure if data will be corrupted, etc.. so this needs testing.
@YamatoSecurity YamatoSecurity added the enhancement New feature or request label Mar 3, 2023
@hitenkoku hitenkoku mentioned this issue Mar 4, 2023
Closed
@hitenkoku
Copy link
Collaborator

This issue must be updated in hayabusa-evtx. I have created a similar issue in hayabusa-evtx

@hitenkoku hitenkoku self-assigned this Mar 12, 2023
@hitenkoku hitenkoku added this to the v2.4.0 milestone Mar 18, 2023
@YamatoSecurity YamatoSecurity modified the milestones: v2.4.0, v2.5.0 Apr 8, 2023
@YamatoSecurity YamatoSecurity modified the milestones: v2.5.0, v2.6.0 May 3, 2023
@YamatoSecurity YamatoSecurity modified the milestones: v2.6.0, v2.7.0, v2.8.0 May 30, 2023
hitenkoku added a commit that referenced this issue Jul 29, 2023
@hitenkoku
feat(main): enabled recover record option in hayabusa-evtx crate #952
c765b94
@hitenkoku
Copy link
Collaborator

@YamatoSecurity I checked in https://github.com/Yamato-Security/hayabusa/tree/952-test-on-whether-to-add-recover-records-option

I tested file in evtx repository ( https://github.com/forensicmatt/evtx/blob/feature/parse-empty-pages/samples/Microsoft-Windows-WorkFolders%254WHC.evtx )

In the main branch, 0 cases were detected due to broken records, but we confirmed that 2 cases can be detected with this modification.

  • main branch
./main.exe csv-timeline -f ..\Microsoft-Windows-WorkFolders-WHC.evtx 
...
Total event log files: 1
Total file size: 69.6 KB

Loading detections rules. Please wait.

Excluded rules: 31
Noisy rules: 12 (Disabled)

Deprecated rules: 165 (6.84%) (Disabled)
Experimental rules: 1269 (52.61%)
Stable rules: 196 (8.13%)
Test rules: 947 (39.26%)
Unsupported rules: 45 (1.87%) (Disabled)

Hayabusa rules: 159
Sigma rules: 2253
Total enabled detection rules: 2412

Output profile: standard

Scanning in progress. Please wait.

1 / 1   [========================================] 100% 0s

"..\\Microsoft-Windows-WorkFolders-WHC.evtx"



Results Summary:

Events with hits / Total events: 0 / 0 (Data reduction: 0 events (0.00%))

Total | Unique detections: 0 | 0
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)
...
Elapsed time: 00:00:02.289

.\952.exe csv-timeline -f ..\Microsoft-Windows-WorkFolders-WHC.evtx 

> .\952.exe csv-timeline -f ..\Microsoft-Windows-WorkFolders-WHC.evtx  -q
...
Total event log files: 1
Total file size: 69.6 KB

Loading detections rules. Please wait.

Excluded rules: 31
Noisy rules: 12 (Disabled)

Deprecated rules: 165 (6.84%) (Disabled)
Experimental rules: 1269 (52.61%)
Stable rules: 196 (8.13%)
Test rules: 947 (39.26%)
Unsupported rules: 45 (1.87%) (Disabled)

Hayabusa rules: 159
Sigma rules: 2253
Total enabled detection rules: 2412

Output profile: standard

Scanning in progress. Please wait.

[00:00:00] 1 / 1   [========================================] 100%                                                                                                                            
                                                                                                                                                                                              
Scanning finished. Please wait while the results are being saved.




Results Summary:

Events with hits / Total events: 0 / 2 (Data reduction: 2 events (100.00%))

Total | Unique detections: 0 | 0
Total | Unique critical detections: 0 (0.00%) | 0 (0.00%)
Total | Unique high detections: 0 (0.00%) | 0 (0.00%)
Total | Unique medium detections: 0 (0.00%) | 0 (0.00%)
Total | Unique low detections: 0 (0.00%) | 0 (0.00%)
Total | Unique informational detections: 0 (0.00%) | 0 (0.00%)

...

Elapsed time: 00:00:01.753

@YamatoSecurity
Copy link
Collaborator Author

@hitenkoku Oh great! Thanks so much. I will do some testing with this.

@hitenkoku hitenkoku linked a pull request Jul 30, 2023 that will close this issue
enabled recover record option in hayabusa-evtx crate #952 #1147
Merged
@hitenkoku hitenkoku mentioned this issue Jul 30, 2023
Merged
hitenkoku added a commit that referenced this issue Jul 30, 2023
@hitenkoku
fix(selectionnodes): fixed unwrap data error #952
95af61b
@YamatoSecurity
Copy link
Collaborator Author

@hitenkoku Is it possible to tell if a record was recovered from the empty pages or not? That is, I would like to count the number of recovered records.
For example, output Recovered records: 500

Also, is there a way to turn it on and off. For example, we can enable or disable it by default and have an option to turn on or off if it is causing problems.

hitenkoku added a commit that referenced this issue Aug 4, 2023
@hitenkoku
feat(main/configs): added recover-record option to recover empty page #…
eb61d51 
…952
hitenkoku added a commit that referenced this issue Aug 4, 2023
@hitenkoku
feat(main/afterfact/configs): added output recovered record count #952
44d2084
@hitenkoku hitenkoku mentioned this issue Aug 4, 2023
Merged
hitenkoku added a commit that referenced this issue Aug 4, 2023
@hitenkoku
refactor: changed recover-record option with recover-records option a…
7afd41d 
…nd refactoring #952
@hitenkoku
Copy link
Collaborator

@YamatoSecurity The fix has been completed and can be implemented only when the --recover-records option is used.

The hayabusa-evtx repository needed to be modified, please check Yamato-Security/hayabusa-evtx#34 to see if this has been done.

I will update hayabusa submodule when hayabusa-evtx pull request is complete.

image

hitenkoku added a commit that referenced this issue Aug 6, 2023
@hitenkoku
fix(main): fixed error when record_result is none #952
d6dad87
hitenkoku added a commit that referenced this issue Aug 7, 2023
@hitenkoku
Merge pull request #1147 from Yamato-Security/952-test-on-whether-to-…
5afd1d4 
…add-recover-records-option

enabled recover record option in hayabusa-evtx crate #952
@YamatoSecurity YamatoSecurity changed the title Test on whether to add --recover-records option Add-x, --recover-records option Aug 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hitenkoku hitenkoku

Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.8.0
Development

Successfully merging a pull request may close this issue.

enabled recover record option in hayabusa-evtx crate #952 Yamato-Security/hayabusa
2 participants
@hitenkoku @YamatoSecurity