Implemented a fix for Windows.Timeline.Prefetch (Velocidex#2974)

scudette · web-flow · commit 3307c97cd5d4 · 2023-09-28T12:17:35.000+10:00
Fix: Velocidex#2969
diff --git a/accessors/file/accessor_darwin.go b/accessors/file/accessor_darwin.go
@@ -21,6 +21,7 @@
 package file
 
 import (
+	"syscall"
 	"time"
 )
 
diff --git a/artifacts/definitions/Windows/Timeline/Prefetch.yaml b/artifacts/definitions/Windows/Timeline/Prefetch.yaml
@@ -39,76 +39,68 @@ sources:
   - query: |
       LET hostname <= SELECT Fqdn FROM info()
 
-      -- Parse prefetch files and apply non time filters
-      LET pf = SELECT * FROM foreach(
-              row={
-                 SELECT * FROM glob(globs=prefetchGlobs)
-              },
-              query={
-                SELECT
-                    Executable,
-                    FileSize,
-                    Hash,
-                    Version,
-                    LastRunTimes,
-                    RunCount,
-                    // FilesAccessed,
-                    OSPath,
-                    Name AS PrefetchFileName,
-                    Btime as CreationTime,
-                    Mtime as ModificationTime
-                 FROM prefetch(filename=OSPath)
-                 WHERE
-                    if(condition=binaryRegex, then= Executable =~ binaryRegex,
-                    else=TRUE) AND
-                    if(condition=hashRegex, then= Hash =~ hashRegex,
-                    else=TRUE)
-              })
-      -- Flattern and filter on time.
-      LET executionTimes = SELECT * FROM flatten(
-                query = {
-                    SELECT *,
-                        OSPath as FilteredPath,
-                        LastRunTimes as ExecutionTime
-                    FROM pf
-                })
-            WHERE
-                if(condition=dateAfter, then=ExecutionTime > timestamp(string=dateAfter),
-                    else=TRUE) AND
-                if(condition=dateBefore, then=ExecutionTime < timestamp(string=dateBefore),
-                    else=TRUE)
-            GROUP BY ExecutionTime
-      LET creationTimes = SELECT * FROM flatten(
-                query = {
-                    SELECT *,
-                        OSPath as FilteredPath,
-                        CreationTime as ExecutionTime
-                    FROM pf
-                    WHERE RunCount > 8
-                })
-            WHERE
-                if(condition=dateAfter, then=ExecutionTime > timestamp(string=dateAfter),
-                    else=TRUE) AND
-                if(condition=dateBefore, then=ExecutionTime < timestamp(string=dateBefore),
-                        else=TRUE)
-            GROUP BY ExecutionTime
-
-      -- Output results ready for timeline
-      LET flatOutput = SELECT
-                    ExecutionTime as event_time,
-                    hostname.Fqdn[0] as hostname,
-                    "Prefetch" as parser,
-                    "Evidence of Execution: " + Executable + format(format=" Prefetch run count %v", args=RunCount) as message,
-                    FilteredPath as source,
-                    Executable as file_name,
-                    CreationTime as prefetch_ctime,
-                    ModificationTime as prefetch_mtime,
-                    FileSize as prefetch_size,
-                    Hash as prefetch_hash,
-                    Version as prefetch_version,
-                    PrefetchFileName as prefetch_file,
-                    RunCount as prefetch_count
-            FROM chain(
-                    a = { SELECT * FROM executionTimes },
-                    b = { SELECT * FROM creationTimes  })
-      SELECT * FROM flatOutput
+      SELECT  LastRunTimes as event_time,
+              hostname.Fqdn[0] as hostname,
+              "Prefetch" as parser,
+              message,
+              OSPath as source,
+              Executable as file_name,
+              CreationTime as prefetch_ctime,
+              ModificationTime as prefetch_mtime,
+              FileSize as prefetch_size,
+              Hash as prefetch_hash,
+              Version as prefetch_version,
+              PrefetchFileName as prefetch_file,
+              RunCount as prefetch_count
+      FROM foreach(
+      row={
+        SELECT *
+        FROM Artifact.Windows.Forensics.Prefetch(
+          prefetchGlobs=prefetchGlobs,
+          dateAfter=dateAfter,
+          dateBefore=dateBefore,
+          binaryRegex=binaryRegex,
+          hashRegex=hashRegex)
+      },
+      query={
+        SELECT *
+        FROM chain(a1={
+           SELECT *
+           FROM flatten(query={
+            SELECT Executable,
+                   FileSize,
+                   Hash,
+                   Version,
+                   LastRunTimes,
+                   "Evidence of Execution: " + Executable + format(
+                      format=" Prefetch run count %v", args=RunCount) as message,
+                   RunCount,
+                   OSPath,
+                   PrefetchFileName,
+                   CreationTime,
+                   ModificationTime,
+                   Binary
+            FROM scope()
+          })
+        }, b1={
+            -- One more row for creation time
+            SELECT Executable,
+                   FileSize,
+                   Hash,
+                   Version,
+                   CreationTime AS LastRunTimes,
+                   "Evidence of Execution (Btime): " + Executable + format(
+                      format=" Prefetch run count %v", args=RunCount) as message,
+                   RunCount,
+                   OSPath,
+                   PrefetchFileName,
+                   CreationTime,
+                   ModificationTime,
+                   Binary
+            FROM scope()
+        })
+        -- This group by applies on only a single prefetch file to
+        -- remove duplication with CreationTime
+        GROUP BY LastRunTimes
+      })
+      ORDER BY event_time
diff --git a/artifacts/testdata/server/testcases/prefetch.in.yaml b/artifacts/testdata/server/testcases/prefetch.in.yaml
@@ -5,3 +5,19 @@ Queries:
     FROM Artifact.Windows.Forensics.Prefetch(
       prefetchGlobs=srcDir+"/artifacts/testdata/files/*.pf",
       IncludeFilesAccessed=TRUE)
+
+  # Exclude the Btime added rows
+  - SELECT *, "hostname" AS hostname,
+       "prefetch_ctime" AS prefetch_ctime,
+       "prefetch_mtime" AS prefetch_mtime,
+       basename(path=source) AS source
+    FROM Artifact.Windows.Timeline.Prefetch(
+       prefetchGlobs=srcDir+"/artifacts/testdata/files/*.pf")
+    WHERE NOT message =~ "Btime"
+
+  # Make sure there is a single Btime row
+  - SELECT count()
+    FROM Artifact.Windows.Timeline.Prefetch(
+       prefetchGlobs=srcDir+"/artifacts/testdata/files/*.pf")
+    WHERE message =~ "Btime"
+    GROUP BY 1
diff --git a/artifacts/testdata/server/testcases/prefetch.out.yaml b/artifacts/testdata/server/testcases/prefetch.out.yaml
@@ -387,4 +387,137 @@ SELECT _SCCAHeader, Executable, FileSize, Hash, Version, LastRunTimes, RunCount,
    }
   ]
  }
+]SELECT *, "hostname" AS hostname, "prefetch_ctime" AS prefetch_ctime, "prefetch_mtime" AS prefetch_mtime, basename(path=source) AS source FROM Artifact.Windows.Timeline.Prefetch( prefetchGlobs=srcDir+"/artifacts/testdata/files/*.pf") WHERE NOT message =~ "Btime"[
+ {
+  "event_time": "2022-02-18T01:40:35Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-18T05:18:52Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-18T05:41:13Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-18T05:43:21Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-18T06:55:37Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-21T00:12:14Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-21T00:45:24Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ },
+ {
+  "event_time": "2022-02-21T01:03:45Z",
+  "parser": "Prefetch",
+  "message": "Evidence of Execution: VELOCIRAPTOR.EXE Prefetch run count 30",
+  "file_name": "VELOCIRAPTOR.EXE",
+  "prefetch_size": 32730,
+  "prefetch_hash": "0XDB95245D",
+  "prefetch_version": "Win10 (30)",
+  "prefetch_file": "VELOCIRAPTOR.EXE-DB95245D.pf",
+  "prefetch_count": 30,
+  "_Source": "Windows.Timeline.Prefetch",
+  "hostname": "hostname",
+  "prefetch_ctime": "prefetch_ctime",
+  "prefetch_mtime": "prefetch_mtime",
+  "source": "VELOCIRAPTOR.EXE-DB95245D.pf"
+ }
+]SELECT count() FROM Artifact.Windows.Timeline.Prefetch( prefetchGlobs=srcDir+"/artifacts/testdata/files/*.pf") WHERE message =~ "Btime" GROUP BY 1[
+ {
+  "count()": 1
+ }
 ]

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@`
`21`	`21`	`package file`
`22`	`22`
`23`	`23`	`import (`
	`24`	`+ "syscall"`
`24`	`25`	`"time"`
`25`	`26`	`)`
`26`	`27`