reece394

Results 26 comments of reece394

I have the same issue when collecting from a live system using KAPE with Server 2022. I noticed when I shut down my VM and copied the files from the...

```
C:\Users\TestUser\Documents\sidr\target\debug>sidr -f csv C:\\Server20222
Processing ESE db: C:\\Server20222\C\programdata\microsoft\search\data\applications\windows\Windows.edb
thread 'main' panicked at src\ese.rs:168:73:
called `Result::unwrap()` on an `Err` value: SimpleError { err: "wrong checksum: 1551933666, calculated 1089402065" }
stack...
```

I did some more experimenting with this and in this case the database having the state Dirty Shutdown causes this. For anybody else having this error to fix this you...
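An added check, not code from the comment above or from the sidr project: read the database state field out of the first page of an ESE file so a Dirty Shutdown condition can be confirmed before the file is handed to a parser. The header offsets (signature 0x89ABCDEF at byte 4, 32-bit state at byte 52, state codes 1 to 5) are taken from the public libesedb description of the ESE file format and are an assumption here; the sample header is constructed inline.

```python
import struct

# Header layout from the libesedb ESE format documentation (assumption).
ESE_SIGNATURE = 0x89ABCDEF
SIGNATURE_OFFSET = 4
STATE_OFFSET = 52

# Database state codes as documented for ESE (JET_dbstate*).
DB_STATES = {
    1: "Just Created",
    2: "Dirty Shutdown",
    3: "Clean Shutdown",
    4: "Being Converted",
    5: "Force Detach",
}


def ese_db_state(header: bytes) -> str:
    """Return the database state name from the first page of an ESE file."""
    if len(header) < STATE_OFFSET + 4:
        raise ValueError("header too short to contain the state field")
    (sig,) = struct.unpack_from("<I", header, SIGNATURE_OFFSET)
    if sig != ESE_SIGNATURE:
        raise ValueError(f"not an ESE database (signature 0x{sig:08X})")
    (state,) = struct.unpack_from("<I", header, STATE_OFFSET)
    return DB_STATES.get(state, f"Unknown ({state})")


def ese_db_state_from_file(path: str) -> str:
    """Read only the bytes needed from a real .edb file (e.g. Windows.edb)."""
    with open(path, "rb") as f:
        return ese_db_state(f.read(STATE_OFFSET + 4))


def make_header(state: int) -> bytes:
    """Constructed sample header: valid signature, given state, zero elsewhere."""
    buf = bytearray(64)
    struct.pack_into("<I", buf, SIGNATURE_OFFSET, ESE_SIGNATURE)
    struct.pack_into("<I", buf, STATE_OFFSET, state)
    return bytes(buf)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(ese_db_state_from_file(sys.argv[1]))
    else:
        # Demonstrate on the constructed dirty-shutdown header.
        print(ese_db_state(make_header(2)))
```

On a Windows host the same field is shown by `esentutl /mh Windows.edb` in its header dump (the `State:` line), which is the quicker check when the collection is being reviewed on the box itself.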

I tried to reproduce this using the same rules but only switching the Chainsaw version on Windows between v2.8.1 and v2.9.0 but I was unable to. They produced identical results...

Here is a series of logs with the --debug and --trace flags running. Seems like when the history file is not renamed or put in the rule it doesn't even...

This is great work! Can see useful bits even in that Photos screenshot. IsFirstRun and FirstUseTime if they work the way I think they do would be good for tracking...

@ogmini I have compiled this to test it out and found some more useful bits like in the Camera app it stores AppLaunchesWithSuccessfulCaptures as well as Camera devices inside the...

@ogmini Did you get it sorted okay? WindowsCommunicationApps appears to be linked to the Mail app / Outlook UWP app built into Windows 11. Attached below is the Values section for...

> My earlier datetime theory doesn't make sense now that I'm looking at it. Unless they're applying some really wacky offset? Or this is being stored as a Win32 FILETIME....

@ogmini I would be leaning more towards giving the value and then having the analyst parse it for accuracy. I know that is less convenient but seems like the most...