Shellbags timestamps not parsed with --multi-timestamp

Question

Shellbags timestamps not parsed with --multi-timestamp

Closed this issue a year ago · 2 comments

I noticed when working with the shellbags function in particular that sometimes the regf_modification_time timestamp does not get placed into the "ts" field after piping to rdump and using the --multi-timestamp option:

 target-query -f shellbags SysInternalsCase.E01 | rdump --multi-timestamp
[reading from stdin]
2023-11-28T18:57:42.553407Z [error    ] Unable to import dissect.target.plugins.filesystem.yara [dissect.target.plugin]
2023-11-28T18:57:43.092907Z [warning  ] <Target SysInternalsCase.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=42947575808 vs=None> [dissect.target.target]
<windows/shellbag ts=None ts_description='creation_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=None ts_description='modification_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=None ts_description='access_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>
<windows/shellbag ts=2022-11-15 21:18:53.308392+00:00 ts_description='regf_modification_time' hostname='MSEDGEWIN10' domain=None path='My Computer' creation_time=None modification_time=None access_time=None regf_modification_time=2022-11-15 21:18:53.308392+00:00 regf_hive_path='C:/Users/IEUser/AppData/Local/Microsoft/Windows/usrclass.dat' regf_key_path='Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU' username='IEUser' user_id='S-1-5-21-321011808-3761883066-353627080-1000' user_group=None user_home='C:\\Users\\IEUser'>

This has unfortunate effects when seeking to select events using the r.ts field, as it is None.
Thanks in advance!

Answer 1 · 2023-11-28T19:15:11.000Z

Here's the source data I'm using, as .jsonl
windows_shellbag.zip

Answer 2 · 2023-11-28T19:17:54.000Z

Never mind, this is an rdump issue. Sorry!