
parse_ese plugin misreading ESE table contents #4651

@AlexSta2019

Description:

Velociraptor parse_ese plugin seems to return values which do not correspond to the data from the ESE tables - see attached snip with IdIndex from SruDbIdMapTable, where the table shows max index at 50570, while Velociraptor displays much higher indices.

Similarly, when executing the Windows.Forensics.SRUM artifact, the srum_lookup_id function is unable to open srudb.dat from the default location (it seems the header of the file does not match the expectations of the parser). I attached a screenshot of the srudb.dat header and the logs stacked by the message column (I hope this helps).

Platform:

  • Windows 11 (Build 26200)
  • Velociraptor 0.75.6

Steps to reproduce:

[test 1] built-in artifact > error message related to ESE header

  1. Installed the Velociraptor MSI on Windows 11
  2. Launched a collection using the artifact Windows.Forensics.SRUM with default parameters
  3. Collected screenshots, notebook results and flow logs.
    NOTE: the screenshot with the App column stacked is from the artifact source "Execution Stats".

[test 2] parse content of ESE table > wrong listing of IdIndex values.

  1. In the shell GUI section of the same Windows 11 client
  2. Launched SELECT * FROM parse_ese(file='D:/srudb.dat', table="SruDbIdMapTable")
  3. Results show a lot of rows with no IdIndex, or with values which exceed the max IdIndex value in SruDbIdMapTable (of srudb.dat).

Attachments:

Image
Forensics.SRUM_Flow_Logs.json
Image
Image
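Added example (not part of the issue above and not Velociraptor code): a stand-alone Python check for the two symptoms reported, independent of the parse_ese plugin. It decodes the fixed ESE database header (signature 0x89ABCDEF at offset 4, format version at 8, file type at 12, format revision at 232, page size at 236) so a header that the plugin rejects can be inspected directly, and it counts SruDbIdMapTable rows whose IdIndex is missing or above a known maximum, which is the manual comparison the reporter did against 50570. The `build_sample_header` bytes and the sample rows are constructed for offline testing; `check_ese_file` takes any path to a copy of srudb.dat (the live file is usually locked, so copy it from a shadow copy or an image first).

```python
"""Sanity checks for an ESE (JET Blue) database such as SRUM's srudb.dat.

Added example, not Velociraptor code. Header offsets follow the fixed ESE
file header layout; sample header bytes and sample rows are constructed.
"""
import struct
from typing import Iterable, Mapping

ESE_SIGNATURE = 0x89ABCDEF                       # stored on disk as EF CD AB 89
VALID_PAGE_SIZES = {2048, 4096, 8192, 16384, 32768}
FILE_TYPES = {0: "database", 1: "streaming file"}
HEADER_MIN_LEN = 240                             # reaches the page size field at 236


def parse_ese_header(data: bytes) -> dict:
    """Decode the fixed part of an ESE database header (little-endian uint32s).

    offset 0    checksum
    offset 4    signature, must be 0x89ABCDEF
    offset 8    file format version
    offset 12   file type (0 = database, 1 = streaming file)
    offset 232  file format revision
    offset 236  page size
    Raises ValueError when the bytes cannot be an ESE database header.
    """
    if len(data) < HEADER_MIN_LEN:
        raise ValueError(f"need {HEADER_MIN_LEN} header bytes, got {len(data)}")
    checksum, signature, version, file_type = struct.unpack_from("<IIII", data, 0)
    revision, page_size = struct.unpack_from("<II", data, 232)
    if signature != ESE_SIGNATURE:
        raise ValueError(
            f"bad ESE signature 0x{signature:08X}, expected 0x{ESE_SIGNATURE:08X}")
    if page_size not in VALID_PAGE_SIZES:
        raise ValueError(f"implausible ESE page size {page_size}")
    return {
        "checksum": checksum,
        "version": f"0x{version:X}.{revision}",
        "file_type": FILE_TYPES.get(file_type, f"unknown({file_type})"),
        "page_size": page_size,
    }


def is_ese_header(data: bytes) -> bool:
    """True when parse_ese_header accepts the bytes."""
    try:
        parse_ese_header(data)
        return True
    except ValueError:
        return False


def check_ese_file(path: str) -> dict:
    """Read only the header of a copied srudb.dat and decode it."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_MIN_LEN))


def check_id_index(rows: Iterable[Mapping], expected_max: int) -> dict:
    """Count rows (e.g. parse_ese output for SruDbIdMapTable) whose IdIndex is
    absent or exceeds expected_max, the highest IdIndex known to be in the table."""
    total = missing = above = 0
    for row in rows:
        total += 1
        idx = row.get("IdIndex")
        if idx is None:
            missing += 1
        elif idx > expected_max:
            above += 1
    return {"rows": total, "missing_idindex": missing, "above_max": above}


def build_sample_header(signature=ESE_SIGNATURE, page_size=4096, file_type=0) -> bytes:
    """Constructed 4 KiB header for offline testing; not taken from a real srudb.dat."""
    buf = bytearray(4096)
    struct.pack_into("<IIII", buf, 0, 0, signature, 0x620, file_type)  # version 0x620
    struct.pack_into("<II", buf, 232, 20, page_size)                    # revision 20
    return bytes(buf)


if __name__ == "__main__":
    print(parse_ese_header(build_sample_header()))
    sample_rows = [{"IdIndex": 1}, {"IdIndex": 50571}, {"IdType": 0}]   # constructed
    print(check_id_index(sample_rows, expected_max=50570))
```

If `check_ese_file` raises on the signature or page size, the file is not a plain ESE database at that offset (truncated copy, wrong file, or a format the check does not model); if it parses cleanly while the plugin still rejects it, the version and revision it prints are what to report alongside the screenshot.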
