Zach Mathis (田中ザック)
@mischw To work around this, you can remove duplicates with the `json-timeline` command, output to JSONL and then use the `stack-logons` in Takajo to get the same information. (https://github.com/Yamato-Security/takajo?tab=readme-ov-file#stack-logons-command) Right...
@mischw We updated the `stack-logons` command so if you compile takajo with the main branch, you can get failed logon info as well.
@hitenkoku In order to sort without using a lot of memory, it might be good to import the CSV data into a temporary sqlite database, sort the sqlite database and...
So that an investigator can collect many CSV files from endpoints with velociraptor we should also support directory input. `-f, --file Input file` and `-d, --directory Input directory`
Yes, this functionality would only be possible if the user specifies `-l, --live-analysis` on a Windows machine with local Administrator privileges. Here is a link to some C++ source code...
@fukusuket I think I found a better way to do this than COM. We can query the information through WMI! All we need to do is get the VolumeName information....
@fukusuket Great! Thanks! Here is a reference that may help you: https://github.com/trickster0/OffensiveRust/blob/master/wmi_execute/src/main.rs
> * `-l, --live-analysis` option is required

Yes, this is only possible with live analysis so we should require this.

> * If `--scan-vss-backups` specified, then scan volume shadow **in...
@fukusuket Ah, that is my mistake. I was using the original volume ID of the C: thinking it was the snapshot. It doesn't work for me directly on the command...
@fukusuket Humm.. if you copy the file to a different directory and then scan it, does it work?