WithSecureLabs / chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts

--json not outputting correctly with search

CyberAustin opened this issue

The JSON output for "search" puts a [] around the JSON data and introduces other formatting errors.

From Firefox: SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data. Even if I remove the []'s, I still get that.

Get-Content -Raw .\output.json | ConvertFrom-Json returns blank data as well.

This is chainsaw version 1.1.5 on Windows 10.

Hi @CyberAustin,

I am unable to replicate this without more information; if you are able to provide it, that would be great. With the example test samples, search is correctly outputting JSON. An example command is this:

./chainsaw search evtx_attack_samples -i -s bypass -j

Yeah, I'm trying to find some sample data that I can duplicate it on that I can also release. I can summarize a bit though. First, the JSON is surrounded by []. Second, it almost looks like some ASCII characters were replaced by similar looking Unicode characters. I'll keep trying to reproduce though.

Please, that would be a great help. The [] is expected because it is returning an array of results even if there is only one hit.

It probably is due to some odd edge case in an event log you have so tracking down the issue would be great if you can manage to isolate an example.

Right, have finally worked this one out; it looks like PowerShell is messing with the encoding. The current workaround is to use --output rather than file redirection. Once we work out what PowerShell is doing, then we might be able to fix it.
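For output files that were already captured with redirection, the following added example (not part of the thread and not chainsaw's own code) sniffs the file's encoding from its leading bytes and rewrites it as BOM-less UTF-8 so ordinary JSON parsers accept it. It assumes the redirected file is UTF-16, which is what Windows PowerShell 5.1's `>` operator writes by default; the thread does not confirm the exact encoding, and the function names and sample hit are constructed for illustration.

```python
import codecs
import json
import sys

# BOMs checked longest-first so UTF-32 LE is not mistaken for UTF-16 LE.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]

# Constructed sample hit, not real chainsaw output.
SAMPLE = '[{"EventID": 4104, "Message": "bypass"}]'


def sniff_encoding(raw: bytes) -> str:
    """Guess the text encoding of a JSON file from its leading bytes."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name
    # No BOM: mostly-ASCII UTF-16 has a NUL in every other byte.
    head = raw[:64]
    if len(head) >= 4 and not any(head[1::2]):
        return "utf-16-le"
    if len(head) >= 4 and not any(head[0::2]):
        return "utf-16-be"
    return "utf-8"


def normalise_to_utf8(raw: bytes):
    """Return (detected encoding, BOM-less UTF-8 bytes, parsed hits)."""
    encoding = sniff_encoding(raw)
    text = raw.decode(encoding)
    hits = json.loads(text)  # raises ValueError if still not valid JSON
    if not isinstance(hits, list):
        raise ValueError("expected a JSON array of hits")
    return encoding, text.encode("utf-8"), hits


if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise simulate a UTF-16 LE redirect.
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
    else:
        raw = codecs.BOM_UTF16_LE + SAMPLE.encode("utf-16-le")
    enc, fixed, hits = normalise_to_utf8(raw)
    print(f"detected {enc}; {len(hits)} hit(s); UTF-8 size {len(fixed)} bytes")
```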