GetSamples Timeline output location

[sirbrowser]

Hello,

While testing GetSamples command, I try to output a timeline via XML configuration file:

<?xml version="1.0"?>
<GetSamples>
    <Samples MaxTotalBytes="20GB" MaxSampleCount="200000" MaxPerSampleBytes="1GB" />
    <timeline encoding="utf8">GetSamples_timeline.csv</timeline>
    <Autoruns></Autoruns>
</GetSamples>

The timeline is well executed but the output location of the csv file associated is at the same level as the archive generated by DFIR ORC. :

The csv output is not included within the p7b archive:

Is there a way to have the timeline inside the 7z where output files of GetSamples command are located?

Thanks.

[jeanga]

Hi sirbrowser,

Can you share the xml element of your WolfLauncher configuration for this command?
If (and how) the output of a command is added to the output archive is usually described in this xml config.

Thank you for trying ou dfir-orc.
Jean

[sirbrowser]

Hello,

Here is the xml element related to the GetSamples command :

<command keyword="GetSamples">
            <execute name="DFIR-Orc.exe" run="self:#GetSamples"/>
            <argument>/config=res:#GetSamples_config.xml</argument>
            <output name="GetSamples.7z" source="File" argument="/out={FileName}"/>
            <output name="GetSamples.log" source="StdOutErr"/>
</command>

Thanks

[fabienfl-orc]

GetSamples run GetThis which output GetSamples.7z. Both GetSamples_timeline.csv and GetSamples_sampleinfo.csv are produced by GetSamples. Having everything in one archive would require a significant refactor or rebuilding the GetSamples.7z archive.