NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes both msource AND local source data?

[secure-cake]

KAPE Version 1.3.0.2

I am collecting artifacts via Velociraptor Offline Collector, staging and processing them via KAPE on an "analysis" workstation. When I populate the artifacts on the C: volume (e.g. c:\cases\test-case\triage_data), then run the NirSoft BrowsingHistoryView or BrowserDownloadsView modules, output includes both the data in the mdest directory (my staged triage data) and data from the live, "analysis" workstation where I executed KAPE.

IMPORTANT NOTE: If I stage my triage collection on an alternate volume on my "analysis" workstation, eg d:\cases\test-case, and run same command as below, just changing the path to reflect the d: drive, results are expected, only including msource data.

Example Command:
.\kape.exe --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui

"Browser Profile Path" results include both the mdest (c:\cases\test-case\triage_data\offline....) and local "c:\users\user\appdata\local\microsoft\edge..." paths.

Console Log for BrowsingHistoryView example:

[2024-01-04 10:03:38.4622603 | INF] KAPE directory: C:\tools\KAPE
[2024-01-04 10:03:38.4790135 | INF] Command line:   --msource C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\ --mdest C:\cases\test-case\kape_nirsoft_output --module NirSoft_BrowsingHistoryView --mef csv --gui 
[2024-01-04 10:03:38.4956785 | INF] System info: Machine name: WINDEV2311EVAL, 64-bit: true, User: User OS: "Windows10" (10.0.22621)
[2024-01-04 10:03:40.9384267 | INF] Using Module operations
[2024-01-04 10:03:40.9841873 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 10:03:40.9864295 | INF] Discovered 1 processor to run
[2024-01-04 10:03:40.9864295 | INF] Executing modules with file masks...
[2024-01-04 10:03:41.0026688 | INF] Executing remaining modules...
[2024-01-04 10:03:41.0026688 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder C:\cases\test-case\triage_data\offline-testCollection-STA1_localdomain-2023-08-02T08_49_13-07_00\uploads\auto\C%3A\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma C:\cases\test-case\kape_nirsoft_output\WebBrowsers\BrowsingHistory.csv
[2024-01-04 10:03:41.0346128 | WRN]     Output file updated to C:\cases\test-case\kape_nirsoft_output\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 10:03:42.9003604 | INF] Executed 1 processor in 1.9440 seconds
[2024-01-04 10:03:42.9160727 | INF] Total execution time: 1.9662 seconds

[AndrewRathbun]

Very weird, are you using the latest version of the NirSoft binaries? I just did a test on my own system and it did not have any live data processed in the CSV.

[2024-01-04 16:15:40.2657500 | INF] KAPE directory: E:\KAPE
[2024-01-04 16:15:40.2732603 | INF] Command line:   --msource E:\ToolOutput\browsingHistoryTest\tout\C --mdest E:\ToolOutput\browsingHistoryTest\mout --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui 
[2024-01-04 16:15:40.2747651 | INF] System info: Machine name: ANDREW-PERSONAL, 64-bit: true, User: Andrew Rathbun OS: "Windows10" (10.0.22635)
[2024-01-04 16:15:40.4055802 | DBG]   Validating configuration files
[2024-01-04 16:15:41.0894534 | DBG] 309 targets and 446 modules validated successfully
[2024-01-04 16:15:41.0904550 | INF] Using Module operations
[2024-01-04 16:15:41.0959451 | INF]   Module NirSoft_BrowsingHistoryView: Found 2 processors
[2024-01-04 16:15:41.0984553 | DBG]   NirSoft_BrowsingHistoryView (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1004567 | INF]     Found processor Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1035197 | INF]   Module NirSoft_WebBrowserDownloads: Found 1 processor
[2024-01-04 16:15:41.1035197 | DBG]   NirSoft_WebBrowserDownloads (v1.1): Determining correct processor based export type csv...
[2024-01-04 16:15:41.1045250 | INF]     Found processor Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False!
[2024-01-04 16:15:41.1055248 | INF] Discovered 2 processors to run
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_BrowsingHistoryView, Processor: Executable: browsinghistoryview.exe, Cmd line: /HistorySource 3 /HistorySourceFolder %sourceDirectory%\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma %destinationDirectory%\BrowsingHistory.csv, Export: csv, Append: False  , Category: WebBrowsers , Export file: NirSoftBrowsingHistoryViewConsoleOutput.txt
[2024-01-04 16:15:41.1065244 | DBG] Module name: NirSoft_WebBrowserDownloads, Processor: Executable: BrowserDownloadsView.exe, Cmd line: /DownloadsSource 3 /SourceFolder %sourceDirectory%\Users /ShowTimeInGMT /scomma %destinationDirectory%\BrowserDownloadsView.csv, Export: csv, Append: False  , Category: WebBrowsers 
[2024-01-04 16:15:41.1075232 | INF] Executing modules with file masks...
[2024-01-04 16:15:41.1085256 | INF] Executing remaining modules...
[2024-01-04 16:15:41.1095250 | INF]   Running browsinghistoryview.exe: /HistorySource 3 /HistorySourceFolder E:\ToolOutput\browsingHistoryTest\tout\C\Users /VisitTimeFilterType 1 /ShowTimeInGMT 1 /scomma E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\BrowsingHistory.csv
[2024-01-04 16:15:41.1259448 | WRN]     Output file updated to E:\ToolOutput\browsingHistoryTest\mout\WebBrowsers\NirSoftBrowsingHistoryViewConsoleOutput_1.txt
[2024-01-04 16:15:44.4232409 | WRN]   ** Cannot find executable BrowserDownloadsView.exe in directory E:\KAPE\Modules\NirSoft_WebBrowserDownloads or E:\KAPE\Modules\bin. Aborting execution and skipping any further modules using this executable
[2024-01-04 16:15:44.4262404 | INF] Executed 2 processors in 3.3334 seconds
[2024-01-04 16:15:44.4292400 | INF] Total execution time: 3.3391 seconds

Granted, I didn't test the BrowserDownloadsView portion, but I can if needed. Do we know if the screenshot you included is for BrowsingHistoryView or BrowserDownloadsView output?

[secure-cake]

Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

[EricZimmerman]

nirsoft is probably following a symlink blindly Eric Zimmerman 501-313-3778

…

------ Original Message ------ From "Secure Cake" ***@***.***> To "EricZimmerman/KapeFiles" ***@***.***> Cc "Subscribed" ***@***.***> Date 1/4/2024 4:38:05 PM Subject Re: [EricZimmerman/KapeFiles] NirSoft BrowsingHistoryView and BrowserDownloadsView module output includes bouth msource AND local source data? (Issue #898)

Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included). I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output. — Reply to this email directly, view it on GitHub <#898 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABARKJXHQUNDLCVGZU6U3HTYM4OL3AVCNFSM6AAAAABBNKTJO6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNZXG44TIOBSG4>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[AndrewRathbun]

Maybe it's just a perfect storm of "weirdness!" Is "E:" your OS volume? This only occurs for me when my triage-data (msource) is located on the OS Volume (C: in my example). If I stage my triage data on a different volume , the NirSoft output is as expected (no local data included).

I am using BrowserDownloadsView version 1.4.4.1 and BrowsingHistoryView version 2.5.5.29. The screenshot is from BrowserDownloadsView, but the "history file" column looks pretty much the same for the BrowsingHistoryView output.

E is not my OS drive but that's good context to have. I can test that out next time I'm back at the keyboard. Definitely not a KAPE issue though but maybe there's something we can add in the Module to inform others about this.

[secure-cake]

Thank you, Andrew and Eric! As always, appreciate the prompt responses.

[AndrewRathbun]

@secure-cake I just tried the following:

.\kape.exe --msource C:\temp\browsingHistoryTest\tout\C --mdest C:\temp\browsingHistoryTest\mout --mflush --module NirSoft_BrowsingHistoryView,NirSoft_WebBrowserDownloads --debug --gui

and in the Source File column(s) for BrowsingHistoryView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

For the BrowserDownloadsView output, I have the following:

C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Google\Chrome\User Data\Default
C:\temp\browsingHistoryTest\tout\C\Users\Andrew Rathbun\AppData\Local\Microsoft\Edge\User Data\Default

Nothing from my live system so I'm not sure what's going on in your scenario...

[secure-cake]

Howdy, @AndrewRathbun and thank you for testing! So...if I stage triage data on the OS volume and their is a user profile on the local system named "User" (note that I don't have to be logged in as "User," the profile just has to exist), I can recreate the above weirdness (inclusion of local data). If I rename the "Users\User" profile folder to "Users\bob" for example, output is as expected.

Bottom line, I would never do either (stage data on OS volume or have a user account named "User") in production, but did for testing with a Win 11 Dev VM. I confess I panicked a bit that perhaps I'd polluted actual case data on a previous case based on this odd behavior, but seems like a VERY specific set of unusual circumstances.

Sorry for the chasing of wild geese!