ntdissector icon indicating copy to clipboard operation
ntdissector copied to clipboard
verified publisher icon synacktiv

No column with this name in table link_table: link_deactivetime

Open TheraNinjaCat opened this issue 1 year ago • 0 comments

When running the tool with the example NTDS.dit file that has been uploaded here: https://blog.didierstevens.com/2016/07/12/practice-ntds-dit-file-part-1/ the following error occurs:

[2024-10-10 11:06:36] [*] Building the schemas, please wait...
Traceback (most recent call last):
  File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/table.py", line 106, in column
    return self._column_name_map[name]
           ~~~~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'link_deactivetime'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/kali/venv/bin/ntdissector", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/__main__.py", line 80, in main
    ntdis = NTDS(options.ntds, options)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/ntds/ntds.py", line 115, in __init__
    self.__buildSchemas()
  File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/ntds/ntds.py", line 274, in __buildSchemas
    self.links["to"][_b_DNT].append((record.get("link_DNT"), record.get("link_base"), record.get("link_deltime"), record.get("link_deactivetime"), record.get("link_data")))
                                                                                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/record.py", line 50, in get
    column = self._table.column(attr)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/table.py", line 108, in column
    raise KeyError(f"No column with this name in table {self.name}: {name}")
KeyError: 'No column with this name in table link_table: link_deactivetime'

I made a simple workaround by adding a try except block around the record.get line and the rest of the program extracted correctly, so potentially the best way forward would be making the link_deactivetime attribute optional. I am not familiar with the specifics of different versions of windows, but I speculate that this may be due to the fact that this practice file was created with Windows Server 2003, which may not have used the link_deactivetime column.

TheraNinjaCat avatar Oct 09 '24 22:10 TheraNinjaCat