
Handle case sensitivity on Linux filesystems

Open mischw opened this issue 1 year ago • 0 comments

rla version 2.0.0.0

Is your feature request related to a problem? Please describe.
I am trying to clean an NTUSER.DAT file. It seems Windows somehow wrote the base file as NTUSER.DAT and the log files as ntuser.dat.LOG1 and ntuser.dat.LOG2 (lower case file names). When running rla on a Windows machine it still finds the associated log files. When running on a Linux machine it cannot find the log files and errors. I assume this is because on Linux file names are considered case sensitive. When manually renaming these files to upper case it works fine again.

Describe the solution you'd like
I think rla should try to look for log files with lower case file names too when it is running on Linux.

Additional context
Without renaming:

tree ../Administrator_Profile/
../Administrator_Profile/
├── NTUSER.DAT
├── ntuser.dat.LOG1
└── ntuser.dat.LOG2

1 directory, 3 files
dotnet rla.dll -f ../Administrator_Profile/NTUSER.DAT --out ../out/ --debug --trace

[14:28:44.012 INF] rla version 2.0.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces with double quotes

[14:28:44.029 INF] Command line: -f ../Administrator_Profile/NTUSER.DAT --out ../out/ --debug --trace


[14:28:44.030 INF] Processing hive ../Administrator_Profile/NTUSER.DAT
[14:28:44.038 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[14:28:44.039 INF]   Hive ../Administrator_Profile/NTUSER.DAT is dirty, but no logs were found in the same directory. --ca is true. Copying...
[...]

With renaming the log files:

tree ../Administrator_Profile/
../Administrator_Profile/
├── NTUSER.DAT
├── NTUSER.DAT.LOG1
└── NTUSER.DAT.LOG2

1 directory, 3 files
dotnet rla.dll -f ../Administrator_Profile/NTUSER.DAT --out ../out/ --debug --trace                                                      14:29:31

[14:29:44.396 INF] rla version 2.0.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces with double quotes

[14:29:44.413 INF] Command line: -f ../Administrator_Profile/NTUSER.DAT --out ../out/ --debug --trace


[14:29:44.413 INF] Processing hive ../Administrator_Profile/NTUSER.DAT
[14:29:44.422 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[14:29:44.426 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[14:29:44.433 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[14:29:44.434 WRN] Dropping ../Administrator_Profile/NTUSER.DAT.LOG2 because the log's header.PrimarySequenceNumber is less than the hive's header.SecondarySequenceNumber
[14:29:44.434 INF] Single log file available: ../Administrator_Profile/NTUSER.DAT.LOG1
[14:29:44.434 INF] Replaying log file: ../Administrator_Profile/NTUSER.DAT.LOG1
[14:29:44.436 INF] At least one transaction log was applied. Sequence numbers have been updated to 0x007E. New Checksum: 0xDF9139FB
[...]

mischw, Jul 27 '24 12:07
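The lookup the reporter asks for, as an added example in Python that is not rla's or RECmd's own code: it locates a hive's .LOG1/.LOG2 siblings case-insensitively (an exact-case match is preferred, a single differently-cased match is accepted, several are treated as ambiguous), reads the REGF header fields that rla's log lines refer to (primary and secondary sequence numbers, the embedded file name, the header checksum), and drops a log whose primary sequence number is below the hive's secondary sequence number, as the WRN line above does. The header offsets follow the public REGF base-block layout; the sample hive and logs are constructed in a temporary directory with the reporter's mixed-case names and contain headers only, not real hive data.

```python
import os
import struct
import tempfile

REGF_SIZE = 4096            # a REGF base block is one 4 KiB page
LOG_SUFFIXES = (".LOG1", ".LOG2")


def regf_checksum(header):
    """XOR of the 127 DWORDs preceding the checksum field at 0x1FC."""
    total = 0
    for off in range(0, 0x1FC, 4):
        total ^= struct.unpack_from("<I", header, off)[0]
    if total == 0:            # documented special cases for the stored value
        return 1
    if total == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return total


def build_regf_header(primary_seq, secondary_seq, embedded_name):
    """Constructed test data: a minimal REGF base block, not a real hive."""
    hdr = bytearray(REGF_SIZE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    struct.pack_into("<II", hdr, 20, 1, 5)             # major/minor version
    name = embedded_name.encode("utf-16-le")[:64]        # 64-byte name field
    hdr[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", hdr, 0x1FC, regf_checksum(hdr))
    return bytes(hdr)


def parse_regf_header(path):
    """Return the header fields an analyst needs before deciding to replay logs."""
    with open(path, "rb") as fh:
        hdr = fh.read(REGF_SIZE)
    if len(hdr) < REGF_SIZE or hdr[:4] != b"regf":
        raise ValueError(f"{path}: not a REGF file")
    primary, secondary = struct.unpack_from("<II", hdr, 4)
    name = hdr[0x30:0x70].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", hdr, 0x1FC)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(hdr),
        "dirty": primary != secondary,   # unequal sequence numbers = dirty hive
    }


def find_transaction_logs(hive_path):
    """Map log suffix -> path, matching directory entries case-insensitively.

    Exact-case match wins. If only differently-cased entries exist and there
    is exactly one, use it; more than one is ambiguous and is left unresolved."""
    directory, base = os.path.split(os.path.abspath(hive_path))
    entries = os.listdir(directory)
    found = {}
    for suffix in LOG_SUFFIXES:
        wanted = base + suffix
        if wanted in entries:
            found[suffix] = os.path.join(directory, wanted)
            continue
        candidates = [e for e in entries if e.casefold() == wanted.casefold()]
        if len(candidates) == 1:
            found[suffix] = os.path.join(directory, candidates[0])
    return found


def select_replayable_logs(hive_path):
    """Apply the sequence-number rule rla logs: a log older than the hive is dropped."""
    hive = parse_regf_header(hive_path)
    replayable, dropped = [], []
    for log_path in find_transaction_logs(hive_path).values():
        log = parse_regf_header(log_path)
        if log["primary_seq"] < hive["secondary_seq"]:
            dropped.append(log_path)
        else:
            replayable.append(log_path)
    return hive, replayable, dropped


def demo():
    """Recreate the reporter's layout (constructed): upper-case hive, lower-case logs."""
    name = r"\Users\Administrator\ntuser.dat"
    with tempfile.TemporaryDirectory() as d:
        hive = os.path.join(d, "NTUSER.DAT")
        for fname, seqs in (("NTUSER.DAT", (0x7D, 0x7C)),        # dirty hive
                            ("ntuser.dat.LOG1", (0x7D, 0x7D)),   # current log
                            ("ntuser.dat.LOG2", (0x70, 0x70))):  # stale log
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(build_regf_header(seqs[0], seqs[1], name))
        hdr, ok, dropped = select_replayable_logs(hive)
        return {"dirty": hdr["dirty"], "checksum_ok": hdr["checksum_ok"],
                "embedded_name": hdr["embedded_name"],
                "replayable": [os.path.basename(p) for p in ok],
                "dropped": [os.path.basename(p) for p in dropped]}


if __name__ == "__main__":
    print(demo())
```

The ambiguity rule is the part worth keeping whatever language this lands in: on a case-sensitive filesystem NTUSER.DAT.LOG1 and ntuser.dat.LOG1 can both exist side by side, and silently picking one would replay the wrong transactions into the cleaned hive, so the lookup leaves that case unresolved for the analyst rather than guessing.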