Empty username causes TypeError: unsupported format string passed to NoneType.format in debug log statement

Question

Empty username causes TypeError: unsupported format string passed to NoneType.format in debug log statement

Melantrix opened this issue 9 months ago · 5 comments

Describe the problem:

There is an logger.debug command within the function AddUserAccount() in the file https://github.com/log2timeline/plaso/blob/main/plaso/preprocessors/mediator.py. This logger.debug command tries to print user_account.username. However, when the username is empty (e.g. when it's a Entra ID user and only a SID is known on the local system) the preprocessing fails, because the logger receives a TypeError because it's None.

There are a few checks in the class WindowsUserAccountsPlugin() in the file https://github.com/log2timeline/plaso/blob/main/plaso/preprocessors/windows.py which calls AddUserAccount(), but there aren't any in AddUserAccount().

It's fixable by commenting out the logger.debug command, however i think it would be better to add some checks/safeguards in the function.

To Reproduce:

The version of Plaso you used: 20240308

The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):
In docker on Ubuntu 22.04.4 LTS

Steps to reproduce the behavior including command line and arguments and output:

log2timeline.py --workers 30 --storage_file timeline.plaso diskimage.img

Please provide the source data you used when you experienced the problem. For publicly available data please provide a URL or path of the source data.
this is not possible because of an active investigation

The method you used to install Plaso:
I pulled the docker image and ran the command within the docker with
docker run -t -i --entrypoint=/bin/bash -v /home/investigation:/data log2timeline/plaso

Expected behavior:
I would expect log2timeline to continue instead of hard failing.

Debug output/tracebacks:

You can run log2timeline tools with "-d" to generate debug output, and include anything relevant. Also see: [Producing debug logs][https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html#producing-debug-logs]

Processing started.
Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 33, in <module>
    sys.exit(load_entry_point('plaso==20240308', 'console_scripts', 'log2timeline')())
  File "/usr/lib/python3/dist-packages/plaso/scripts/log2timeline.py", line 81, in Main
    tool.ExtractEventsFromSources()
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 754, in ExtractEventsFromSources
    processing_status = self._ProcessSource(session, storage_writer)
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 446, in _ProcessSource
    system_configurations = extraction_engine.PreprocessSource(
  File "/usr/lib/python3/dist-packages/plaso/engine/engine.py", line 345, in PreprocessSource
    preprocess_manager.PreprocessPluginsManager.RunPlugins(
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/manager.py", line 351, in RunPlugins
    cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/manager.py", line 224, in CollectFromWindowsRegistry
    preprocess_plugin.Collect(mediator, artifact_definition, searcher)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/interface.py", line 264, in Collect
    self._ParseKey(mediator, registry_key, value_name)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/windows.py", line 916, in _ParseKey
    mediator.AddUserAccount(user_account)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/mediator.py", line 115, in AddUserAccount
    logger.debug(f'adding user account: {user_account.username:s}')
TypeError: unsupported format string passed to NoneType.__format__

Please DO NOT provide screenshots, they can be hard to read.

For more information see the [troubleshooting guide][https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html]

Additional context

Any other context about the problem here.

Answer 1 · 2024-06-28T03:44:17.000Z

@Melantrix any indication to why the username is None?

Answer 2 · 2024-07-01T09:15:47.000Z

@joachimmetz I think it's because it's an Azure Entra ID registrated device, which means the user information is stored in Entra ID. Apparently the registry key's only contain the SID's, and username is empty.

Answer 3 · 2024-07-10T04:07:58.000Z

The username is derived from the ProfileImagePath (see: https://github.com/log2timeline/plaso/blob/main/plaso/preprocessors/windows.py#L905)

that would imply this "Azure Entra" useraccount also has no profile directory? Is this some kind of non-interactive useraccount?

Answer 4 · 2024-07-10T05:50:18.000Z

If you can give #4892 a try

Answer 5 · 2024-07-10T15:24:47.000Z

@Melantrix could you pass me the value of profile path for this user, this might be something with the username extraction not supporting the path value?