Merge branch 'main' into release/10.2.x

CHANGELOG.md

@@ -1,5 +1,20 @@
 # ChangeLog
 
+## [10.2.2] - 2023-09-20
+### Added
+- Allow user to specify any 'key' from 'ORC_Offline' special command set
+- NTFSInfo: add columns to volstats.csv for output file name
+- WolfLauncher: remove working directory on exit when it was created and empty
+
+### Changed
+- Yara: update to 4.3.2
+
+### Fixed
+- Yara: possible execution loop issue depending on the rule
+- FastFind: in the XML results file the 'Type' values for a registry match was always set to 'Type'
+- FastFind: XML output style
+- NTFSInfo/FATInfo: unexpected FirstBytes column zero padding
+
 ## [10.2.1] - 2023-06-20
 ### Changed
 - Configuration: accept wildcard as exclusion path

src/OrcCommand/Command/FastFind/FastFind_Run.cpp

@@ -249,7 +249,10 @@ HRESULT Main::RunFileSystem()
     HRESULT hr = E_FAIL;
 
     if (pStructuredOutput)
+    {
         pStructuredOutput->BeginCollection(L"filesystem");
+        pStructuredOutput->BeginElement(nullptr);
+    }
 
     hr = config.FileSystem.Files.Find(
         config.FileSystem.Locations,
@@ -267,7 +270,11 @@ HRESULT Main::RunFileSystem()
             if (pFileSystemTableOutput)
                 aMatch->Write(*pFileSystemTableOutput);
             if (pStructuredOutput)
+            {
+                pStructuredOutput->BeginCollection(L"filefind_match");
                 aMatch->Write(*pStructuredOutput, nullptr);
+                pStructuredOutput->EndCollection(L"filefind_match");
+            }
 
             return;
         },
@@ -281,7 +288,10 @@ HRESULT Main::RunFileSystem()
     }
 
     if (pStructuredOutput)
+    {
+        pStructuredOutput->EndElement(nullptr);
         pStructuredOutput->EndCollection(L"filesystem");
+    }
 
     m_console.PrintNewLine();
     ::PrintStatistics(m_console.OutputTree(), config.FileSystem.Files.AllSearchTerms());
@@ -311,7 +321,6 @@ HRESULT Main::RunRegistry()
         },
         false,
         ResurrectRecordsMode::kNo);
-
     if (FAILED(hr))
     {
         Log::Error(L"Failed to parse location while searching for registry hives");
@@ -320,6 +329,7 @@ HRESULT Main::RunRegistry()
     if (pStructuredOutput)
     {
         pStructuredOutput->BeginCollection(L"registry");
+        pStructuredOutput->BeginElement(nullptr);
     }
 
     for (const auto& aFileMatch : config.Registry.Files.Matches())
@@ -328,6 +338,7 @@ HRESULT Main::RunRegistry()
 
         if (pStructuredOutput)
         {
+            pStructuredOutput->BeginCollection(L"hive");
             pStructuredOutput->BeginElement(nullptr);
             pStructuredOutput->WriteNamed(L"volume_id", aFileMatch->VolumeReader->VolumeSerialNumber(), true);
 
@@ -385,11 +396,15 @@ HRESULT Main::RunRegistry()
         }
 
         if (pStructuredOutput)
+        {
             pStructuredOutput->EndElement(nullptr);
+            pStructuredOutput->EndCollection(L"hive");
+        }
     }
 
     if (pStructuredOutput)
     {
+        pStructuredOutput->EndElement(nullptr);
         pStructuredOutput->EndCollection(L"registry");
     }
 
@@ -403,10 +418,11 @@ Main::LogObjectMatch(const ObjectSpec::ObjectItem& spec, const ObjectDirectory::
 
     if (pStructuredOutput)
     {
-        pStructuredOutput->BeginElement(szElement);
+        pStructuredOutput->BeginElement(L"object_match");
+
         pStructuredOutput->WriteNamed(L"description", spec.Description().c_str());
         obj.Write(*pStructuredOutput);
-        pStructuredOutput->EndElement(szElement);
+        pStructuredOutput->EndElement(L"object_match");
     }
     if (pObjectTableOutput)
     {
@@ -423,10 +439,11 @@ Main::LogObjectMatch(const ObjectSpec::ObjectItem& spec, const FileDirectory::Fi
 
     if (pStructuredOutput)
     {
-        pStructuredOutput->BeginElement(szElement);
+        pStructuredOutput->BeginElement(L"object_match");
+
         pStructuredOutput->WriteNamed(L"description", spec.Description().c_str());
         file.Write(*pStructuredOutput);
-        pStructuredOutput->EndElement(szElement);
+        pStructuredOutput->EndElement(L"object_match");
     }
 
     if (pObjectTableOutput)
@@ -442,7 +459,10 @@ HRESULT Main::RunObject()
     HRESULT hr = E_FAIL;
 
     if (pStructuredOutput)
-        pStructuredOutput->BeginCollection(L"object_directory");
+    {
+        pStructuredOutput->BeginCollection(L"object");
+        pStructuredOutput->BeginElement(nullptr);
+    }
 
     for (const auto& objdir : ObjectDirs)
     {
@@ -600,7 +620,10 @@ HRESULT Main::RunObject()
     }
 
     if (pStructuredOutput)
-        pStructuredOutput->EndCollection(L"object_directory");
+    {
+        pStructuredOutput->EndElement(nullptr);
+        pStructuredOutput->EndCollection(L"object");
+    }
 
     return S_OK;
 }

src/OrcCommand/Command/FatInfo/FatInfo_Run.cpp

@@ -62,7 +62,7 @@ HRESULT Main::Run()
             return loc->GetParse() && (loc->IsFAT12() || loc->IsFAT16() || loc->IsFAT32());
         });
 
-    hr = m_FileInfoOutput.GetWriters(m_Config.output, L"FatInfo", locations);
+    hr = m_FileInfoOutput.GetWriters(m_Config.output, L"FatInfo", locations, OutputInfo::DataType::kFatInfo);
     if (FAILED(hr))
     {
         Log::Error(L"Failed to create file information writers [{}]", SystemError(hr));
@@ -91,7 +91,8 @@ HRESULT Main::Run()
                         fileEntry,
                         m_CodeVerifier);
 
-                    HRESULT hr = fi.WriteFileInformation(FatFileInfo::g_FatColumnNames, *dir.second, m_Config.Filters);
+                    HRESULT hr =
+                        fi.WriteFileInformation(FatFileInfo::g_FatColumnNames, *dir.second.Writer(), m_Config.Filters);
                     if (FAILED(hr))
                     {
                         Log::Error(L"Could not WriteFileInformation for '{}' [{}]", szFullName, SystemError(hr));

src/OrcCommand/Command/NTFSInfo/NTFSInfo.h

@@ -48,6 +48,15 @@ enum KindOfTime : DWORD
 class ORCUTILS_API Main : public UtilitiesMain
 {
 public:
+    struct OutputPaths
+    {
+        std::optional<std::wstring> fileInfo;
+        std::optional<std::wstring> i30Info;
+        std::optional<std::wstring> attrInfo;
+        std::optional<std::wstring> ntfsTimeline;
+        std::optional<std::wstring> secDescr;
+    };
+
     class Configuration : public UtilitiesMain::Configuration
     {
     public:
@@ -123,6 +132,16 @@ class ORCUTILS_API Main : public UtilitiesMain
 
     HRESULT Prepare();
     HRESULT GetWriters(std::vector<std::shared_ptr<Location>>& locs);
+
+    void GetOutputPathsByLocation(
+        const std::vector<std::shared_ptr<Location>>& locations,
+        std::unordered_map<std::wstring, OutputPaths>& outputPathsByLocation) const;
+
+    HRESULT WriteVolStats(
+        const OutputSpec& volStatsSpec,
+        const std::vector<std::shared_ptr<Location>>& locations,
+        std::shared_ptr<TableOutput::IWriter>& newWriter);
+
     HRESULT WriteTimeLineEntry(
         ITableOutput& pTimelineOutput,
         const std::shared_ptr<VolumeReader>& volreader,

src/OrcCommand/Command/NTFSInfo/NTFSInfoSqlSchema.xml

@@ -203,6 +203,11 @@
         <bool name="Parse" />
         <utf16  name="MountPoint" maxlen="256" />
         <utf16  name="ShadowCopyId" maxlen="256" />
+        <utf16  name="FileInfo" maxlen="256" />
+        <utf16  name="i30Info" maxlen="256" />
+        <utf16  name="AttrInfo" maxlen="256" />
+        <utf16  name="Timeline" maxlen="256" />
+        <utf16  name="SecDescr" maxlen="256" />
     </table>
 </sqlschema>