joeavanzato/RetrievIR

Getting errors when I run ParseIR.ps1 due to successful_file_copies.csv not getting created

Closed this issue · 13 comments

Greetings,

I ran the RetrievIR collection using tags -sans_triage.

After I got the results I then tried running the parser, but I am now getting this error:

```
2024/08/19 23:26:30 - [!] Starting Evidence Parsing...
2024/08/19 23:26:30 - [+] Using Configuration: C:\Folder\RetrievIR-release\parsing_config.json
2024/08/19 23:26:30 - [+] Using Evidence Directory: C:\Folder\RetrievIR-release\evidence
2024/08/19 23:26:30 - [+] Reading Configuration Data...
2024/08/19 23:26:30 - [!] Configuration Validated!
2024/08/19 23:26:30 - [!] Reading File Copy CSV: C:\Folder\RetrievIR-release\evidence\successful_file_copies.csv
2024/08/19 23:26:30 - [!] Fatal error parsing file copies CSV!
```

Then I went to my evidence folder but could not find the successful_file_copies.csv file being generated. I also looked at your documentation and could not find anything related to troubleshooting this issue or describing a way to get that CSV generated after RetrievIR.ps1 runs.

Any help resolving this issue will be very much appreciated.

Did the rest of the results appear to be 'healthy'? Was there actual evidence stored in the expected location? Inside the evidence directory was there a file named 'failed_file_copies.csv'? Just trying to ask some troubleshooting questions here as that is an error I've not experienced before.

"successful_file_copies.csv" should be created if RetrievIR.ps1 runs without any fatal issues and collects files from the target - were there any errors when executing the main script?

I will also look into creating a post-collection generator for this data.

The rest of the collection appeared healthy to me. Also, yes, I did see evidence in the expected locations.
I saw the following files, for example, under evidence>Hostname>Network>TCPconnections.csv.
Also, there was no failed_file_copies.csv in the evidence directory.

I did not see any errors in the logs when executing the main script. See below the last lines in the logs:
```
2024/08/19 23:13:15 - [*] [XXXXXXXXX] Retrieving Output File:\XXXXXXXXX\C$\Windows\temp\retrievir_registry_output_22_40_09.json
2024/08/19 23:13:15 - [*] [XXXXXXXXX] Retrieved Successfully
2024/08/19 23:13:15 - [+] [XXXXXXXXX] Deleting Shadow
2024/08/19 23:13:15 - [!] Done! Evidence Directory: C:\Folder\RetrievIR-release\evidence
```

@snolroy Were you operating against a local or remote computer?

I was operating against a remote computer via EDR.

@snolroy Can you elaborate on how exactly it was executed?

Was it packaged as a script and executed 'remotely' (but actually locally) via EDR console after uploading to target device?

Do you see any actual 'files' copied to disk such as the Event Logs at evidence\Windows\EventLogs?

I actually ran it just now locally as well and got the same results, as the logs look the same. See below:

```
2024/08/20 11:54:35 - [*] [XXXXXX] Retrieving Output File: \XXXXXX\C$\Windows\temp\retrievir_registry_output_11_48_49.json
2024/08/20 11:54:35 - [*] [XXXXXX] Retrieved Successfully
2024/08/20 11:54:35 - [+] [XXXXXX] Deleting Shadow
2024/08/20 11:54:35 - [!] Done! Evidence Directory: C:\Users\Username\Downloads\RetrievIR-release\evidence
```

I do see actual Event Log files copied. See below:

[Screenshot: Event logs]

As for how it was run, it was just run via PowerShell using the following exact command:

```
C:\Users\Username\Downloads\RetrievIR-release\RetrievIR.ps1 -tags "sans_triage"
```

Ok - I just tested the version currently inside the release ZIP and it did produce both successful_file_copies.csv and failed_file_copies.csv for me at the expected location inside the evidence directory so I'm really not sure why it's not being produced on your execution run.

Is the target device Windows 10? I'm trying to think of any other differences in execution that may be causing this discrepancy.

Yes, the target is Windows 10.
Just to make sure I am using the correct one, can you share the link to the latest version you used?

@snolroy https://github.com/joeavanzato/RetrievIR/releases/download/release/RetrievIR-1.0.rar

Once downloaded, unzip, open cmd window as Administrator, cd into the download directory, launch 'powershell' and invoke as '.\RetrievIR.ps1 -tags "sans_triage"', which is what you did before.

This should result in a directory named 'evidence' inside there - try doing this completely locally first - if this doesn't work then I will have to troubleshoot in more detail - if possible, I'd like to work with you/send you a modified script which will contain more verbose logging statements that you can then send to me for help identifying the issue.

I am doing some additional testing now.

@snolroy I just tested this again on two fresh devices - one Windows 10 and the other a Windows Server - I ran it both locally and remotely against both and saw the expected outputs inside the evidence directory as shown in my screenshot.
[Screenshot: example]

I'm having a difficult time troubleshooting this since I am not experiencing the error that you are - is it possible for you to send me the log file from "RetrievIRAudit.txt"? Should be inside your cwd when running the tool.

Let me try the latest one you sent and will get back to you if it still gives the same output. It seems I was using the old version.

I tried with the latest one you shared and it worked! Thank you very much.

One more question...

When I ran the parser I noticed the following:

```
2024/08/20 17:27:26 - [+] Downloading AmcacheParser.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/AmcacheParser.zip
2024/08/20 17:27:31 - [+] Downloading AppCompatCacheParser.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/AppCompatCacheParser.zip
2024/08/20 17:27:36 - [+] Downloading JLECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
2024/08/20 17:27:39 - [+] Downloading LECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/LECmd.zip
2024/08/20 17:27:42 - [+] Downloading PECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/PECmd.zip
2024/08/20 17:27:43 - [+] Downloading RBCmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/RBCmd.zip
2024/08/20 17:27:47 - [+] Downloading RecentFileCacheParser.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/RecentFileCacheParser.zip
2024/08/20 17:27:51 - [+] Downloading SBECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/SBECmd.zip
2024/08/20 17:27:54 - [+] Downloading SrumECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/SrumECmd.zip
2024/08/20 17:27:57 - [+] Downloading SumECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/SumECmd.zip
2024/08/20 17:28:00 - [+] Downloading WxTCmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/WxTCmd.zip
2024/08/20 17:28:03 - [+] Downloading EvtxECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/EvtxECmd.zip
2024/08/20 17:28:04 - [+] Downloading MFTECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/MFTECmd.zip
2024/08/20 17:28:10 - [+] Downloading SQLECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/SQLECmd.zip
2024/08/20 17:28:16 - [+] Downloading SQLECmd.exe from https://f001.backblazeb2.com/file/EricZimmermanTools/SQLECmd.zip
```

Since I already have those downloaded now, how can I stop the script from attempting to download these again next time I run this, say on a remote system, using the same folder I am using currently?

Glad it is working for you now.

If you are executing from the same directory, ParseIR will check if the utility already exists and skip downloading if it does. If you want to specify a custom utility directory just use -utilities_dir to tell ParseIR where the third-party utilities are.

If you are using default settings/directory and not changing anything it should not re-download the binaries. Let me know if you are observing different behavior.