mkorman90 / regipy

Regipy is an OS-independent Python library for parsing offline registry hives

Transactions were not successfully recovered for some hives

Silv3rHorn opened this issue · comments

Hi,

Please see the following for an example of a hive whose transactions were not successfully recovered:

registry-transaction-logs Amcache.hve -p Amcache.hve.LOG1 -s Amcache.hve.LOG2 -o Amcache.hve.regipy
[2020-09-10 02:41:17.219000] INFO: regipy.cli: Processing hive Amcache.hve with transaction log Amcache.hve.LOG1
[2020-09-10 02:41:17.219997] INFO: regipy.cli: Processing hive Amcache.hve with secondary transaction log Amcache.hve.LOG1
[2020-09-10 02:41:17.220994] INFO: regipy.recovery: Log Size: 196608
[2020-09-10 02:41:17.220994] INFO: regipy.recovery: Log Size: 196608
[2020-09-10 02:41:17.221991] INFO: regipy.recovery: Parsing hvle block at 512
[2020-09-10 02:41:17.221991] INFO: regipy.recovery: Currently at start of dirty pages: 616
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: seq number: 313
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: dirty pages: 8
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: Restored 4096 bytes to offset 4096 from offset 616
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: Restored 8192 bytes to offset 339968 from offset 4712
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: Restored 8192 bytes to offset 364544 from offset 12904
[2020-09-10 02:41:17.222989] INFO: regipy.recovery: Restored 8192 bytes to offset 380928 from offset 21096
[2020-09-10 02:41:17.223987] INFO: regipy.recovery: Restored 4096 bytes to offset 946176 from offset 29288
[2020-09-10 02:41:17.223987] INFO: regipy.recovery: Restored 4096 bytes to offset 970752 from offset 33384
[2020-09-10 02:41:17.223987] INFO: regipy.recovery: Restored 4096 bytes to offset 1056768 from offset 37480
[2020-09-10 02:41:17.223987] INFO: regipy.recovery: Restored 4096 bytes to offset 1097728 from offset 41576
[2020-09-10 02:41:17.223987] INFO: regipy.recovery: Parsing hvle block at 49152
[2020-09-10 02:41:17.224983] INFO: regipy.recovery: Currently at start of dirty pages: 49336
[2020-09-10 02:41:17.224983] INFO: regipy.recovery: seq number: 314
[2020-09-10 02:41:17.224983] INFO: regipy.recovery: dirty pages: 18
[2020-09-10 02:41:17.224983] INFO: regipy.recovery: Restored 4096 bytes to offset 4096 from offset 49336
[2020-09-10 02:41:17.224983] INFO: regipy.recovery: Restored 4096 bytes to offset 28672 from offset 53432
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 45056 from offset 57528
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 221184 from offset 61624
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 229376 from offset 65720
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 258048 from offset 69816
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 364544 from offset 73912
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 380928 from offset 78008
[2020-09-10 02:41:17.225981] INFO: regipy.recovery: Restored 4096 bytes to offset 389120 from offset 82104
[2020-09-10 02:41:17.226978] INFO: regipy.recovery: Restored 4096 bytes to offset 450560 from offset 86200
[2020-09-10 02:41:17.226978] INFO: regipy.recovery: Restored 4096 bytes to offset 888832 from offset 90296
[2020-09-10 02:41:17.226978] INFO: regipy.recovery: Restored 4096 bytes to offset 913408 from offset 94392
[2020-09-10 02:41:17.226978] INFO: regipy.recovery: Restored 8192 bytes to offset 925696 from offset 98488
[2020-09-10 02:41:17.226978] INFO: regipy.recovery: Restored 4096 bytes to offset 946176 from offset 106680
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Restored 4096 bytes to offset 970752 from offset 110776
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Restored 4096 bytes to offset 983040 from offset 114872
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Restored 8192 bytes to offset 1077248 from offset 118968
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Restored 8192 bytes to offset 1097728 from offset 127160
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Parsing hvle block at 139264
[2020-09-10 02:41:17.227976] INFO: regipy.recovery: Reached a non HvLE object. stopping
[2020-09-10 02:41:17.229970] INFO: regipy.recovery: Log Size: 1101824
[2020-09-10 02:41:17.230967] INFO: regipy.recovery: Parsing hvle block at 512
[2020-09-10 02:41:17.230967] INFO: regipy.recovery: Currently at start of dirty pages: 608
[2020-09-10 02:41:17.230967] INFO: regipy.recovery: seq number: 311
[2020-09-10 02:41:17.230967] INFO: regipy.recovery: dirty pages: 7
[2020-09-10 02:41:17.231965] INFO: regipy.recovery: Restored 323584 bytes to offset 4096 from offset 608
[2020-09-10 02:41:17.231965] INFO: regipy.recovery: Restored 610304 bytes to offset 331776 from offset 324192
[2020-09-10 02:41:17.231965] INFO: regipy.recovery: Restored 4096 bytes to offset 946176 from offset 934496
[2020-09-10 02:41:17.231965] INFO: regipy.recovery: Restored 53248 bytes to offset 954368 from offset 938592
[2020-09-10 02:41:17.231965] INFO: regipy.recovery: Restored 49152 bytes to offset 1011712 from offset 991840
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Restored 20480 bytes to offset 1073152 from offset 1040992
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Restored 16384 bytes to offset 1097728 from offset 1061472
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Parsing hvle block at 1081344
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Currently at start of dirty pages: 1081416
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: seq number: 312
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: dirty pages: 4
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Restored 4096 bytes to offset 4096 from offset 1081416
[2020-09-10 02:41:17.232962] INFO: regipy.recovery: Restored 4096 bytes to offset 24576 from offset 1085512
[2020-09-10 02:41:17.233960] INFO: regipy.recovery: Restored 4096 bytes to offset 380928 from offset 1089608
[2020-09-10 02:41:17.233960] INFO: regipy.recovery: Restored 4096 bytes to offset 393216 from offset 1093704
Recovered 37 dirty pages. Restored hive is at Amcache.hve.regipy

Based on the log above, it seems like it had ignored the second log file - Amcache.hve.LOG2.
Files to reproduce the issue:
Amcache.hve
Amcache.hve.LOG1
Amcache.hve.LOG2
regipy output
yarp output

Regards.

I'm still working on it, but I've just noticed that if you apply only the first transaction log, the Regipy and Yarp outputs will have the same data, and there will be no missing keys in Regipy. Maybe the sequence numbers in the second hive are not relevant? Still checking that.

It seems that this library applies log files in a reversed order (.LOG1 then .LOG2 instead of .LOG2 then .LOG1).
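As an added illustration of the ordering rule the comment above describes (this is example code written for this thread, not regipy's or yarp's own recovery code): each transaction log holds a chain of HvLE entries with consecutive sequence numbers, and the two logs must be applied in ascending sequence order, LOG2 (311, 312) before LOG1 (313, 314) in the case shown here. The HvLE header layout assumed below (a 40-byte header followed by one 8-byte offset/size reference per dirty page) is the one the regipy output above implies: the first entry at 512 with 8 dirty pages has its page data start at 512 + 40 + 8 × 8 = 616. The log bytes are constructed inline to mirror the sequence numbers from the thread, and the names `build_synthetic_log`, `hvle_sequence_numbers` and `order_logs` are chosen here. A full recovery would additionally compare entry sequence numbers against the hive's own base block before replaying pages; that step is left out to keep the ordering rule in focus.

```python
import struct
from typing import Dict, List, Tuple

# HvLE entry header (new-format transaction logs): signature "HvLE", entry size,
# flags, sequence number, hive bins data size, dirty page count, hash-1, hash-2.
# The header is 40 bytes and is followed by one (offset, size) reference per
# dirty page and then the page data itself.
HVLE_HEADER = struct.Struct("<4sIIIII8s8s")
DIRTY_PAGE_REF = struct.Struct("<II")
BASE_BLOCK_SIZE = 512   # log entries begin right after the base block
PAGE_SIZE = 4096


def build_synthetic_log(seq_numbers: List[int]) -> bytes:
    """Constructed test data, not a real log: one HvLE entry per sequence
    number, each carrying a single 4096-byte dirty page."""
    base = b"regf" + b"\x00" * (BASE_BLOCK_SIZE - 4)
    entries = []
    for seq in seq_numbers:
        body = DIRTY_PAGE_REF.pack(PAGE_SIZE, PAGE_SIZE) + b"\xAA" * PAGE_SIZE
        raw_size = HVLE_HEADER.size + len(body)
        size = -(-raw_size // 512) * 512          # entries are 512-byte aligned
        header = HVLE_HEADER.pack(b"HvLE", size, 0, seq, PAGE_SIZE * 2, 1,
                                  b"\x00" * 8, b"\x00" * 8)
        entries.append((header + body).ljust(size, b"\x00"))
    return base + b"".join(entries)


def hvle_sequence_numbers(log: bytes) -> List[int]:
    """Walk HvLE entries from offset 512 and return their sequence numbers.
    Stops at the first block that is not an HvLE entry (the same condition
    regipy reports as 'Reached a non HvLE object') or at a break in the
    in-log sequence chain."""
    seqs: List[int] = []
    offset = BASE_BLOCK_SIZE
    while offset + HVLE_HEADER.size <= len(log):
        sig, size, _flags, seq, _bins, _count, _h1, _h2 = HVLE_HEADER.unpack_from(log, offset)
        if sig != b"HvLE" or size < HVLE_HEADER.size or size % 512:
            break
        if seqs and seq != seqs[-1] + 1:
            break
        seqs.append(seq)
        offset += size
    return seqs


def order_logs(logs: Dict[str, bytes]) -> Tuple[List[str], List[int]]:
    """Decide the order in which the logs must be applied: the log whose first
    entry has the lowest sequence number goes first, and a further log is only
    applied if its first sequence number continues the chain. A gap stops
    recovery rather than replaying pages out of order. Returns the log names
    in application order and the combined sequence chain."""
    parsed = {name: hvle_sequence_numbers(data) for name, data in logs.items()}
    candidates = sorted((n for n in parsed if parsed[n]), key=lambda n: parsed[n][0])
    order: List[str] = []
    chain: List[int] = []
    for name in candidates:
        seqs = parsed[name]
        if chain and seqs[0] != chain[-1] + 1:
            break
        order.append(name)
        chain.extend(seqs)
    return order, chain


if __name__ == "__main__":
    # Mirrors the sequence numbers in the regipy output above: LOG1 holds
    # 313 and 314, LOG2 holds 311 and 312, so LOG2 must be applied first.
    sample = {
        "Amcache.hve.LOG1": build_synthetic_log([313, 314]),
        "Amcache.hve.LOG2": build_synthetic_log([311, 312]),
    }
    print(order_logs(sample))
```

Running the block prints `(['Amcache.hve.LOG2', 'Amcache.hve.LOG1'], [311, 312, 313, 314])`; applying the files in filename order, as the comment above says the library did, would replay the older pages from LOG2 over the newer ones from LOG1.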

@tincho9, the output is different:

$ yarp-print --deleted Amcache.hve.regipy | grep -a imager
An error has occurred when recovering a hive using a transaction log
$ yarp-print --deleted Amcache.hve.yarp | grep -a imager
Key path: Root\InventoryApplicationFile\ftk imager.exe|3e55de671f868d30
c:\users\administrator\desktop\ftk_imager_lite_3.1.1\ftk imager.exe
ftk imager.exe|3e55de671f868d30
accessdata® ftk® imager

Clearly, there is a missing key.

I'm merging and closing this issue, please re-open if there are still any issues.