JumpList and Browser_History Parsing ERROR

[nikitah4x]

Describe the bug
JumpList and Browser_History error in parsing

To Reproduce
Steps to reproduce the behavior:

1. Parse AutomaticDestinations/f01b4d95cf55d32a.automaticDestinations-ms, WebCacheV01.dat

Screenshots

Additional context
"2023-05-03 09:00:42.985303","[DEBUG]","parser_management.py.start_parsing[Lin.188]","parser","Parser[Browser_History]: Start parsing the file: ","/app/files/files//-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users///AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat" "2023-05-03 09:00:42.993091","[ERROR]","parser_management.py.start_parsing[Lin.251]","parser","Parser[Browser_History]: Failed parsing file [/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users///AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat]","Browser_History Parser: pyesedb_file_open_file_object: unable to open file. libesedb_file_header_read_data: mismatch in file header checksum ( 0x3c569a0a != 0x287beb04 ). libesedb_file_header_read_file_io_handle: unable to read file header. libesedb_file_open_read: unable to read file header. libesedb_file_open_file_io_handle: unable to read from file handle. - Line No. 12" "2023-05-03 09:00:43.033848","[DEBUG]","parser_management.py.start_parsing[Lin.188]","parser","Parser[Browser_History]: Start parsing the file: ","/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/Admin/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat" "2023-05-03 09:00:43.039864","[ERROR]","parser_management.py.start_parsing[Lin.251]","parser","Parser[Browser_History]: Failed parsing file [/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/Admin/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat]","Browser_History Parser: pyesedb_file_open_file_object: unable to open file. libesedb_catalog_definition_read_data: unsupported last fixed size data type: 13. libesedb_catalog_read_value_data: unable to read catalog definition. libesedb_catalog_read_values_from_leaf_page: unable to read catalog value. libesedb_catalog_read_file_io_handle: unable to read values from page: 13. libesedb_file_open_read: unable to read catalog. libesedb_file_open_file_io_handle: unable to read from file handle. - Line No. 12" "2023-05-03 09:01:01.584703","[DEBUG]","parser_management.py.start_parsing[Lin.188]","parser","Parser[Browser_History]: Start parsing the file: ","/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/admin2/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat" "2023-05-03 09:01:01.599893","[ERROR]","parser_management.py.start_parsing[Lin.251]","parser","Parser[Browser_History]: Failed parsing file [/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/admin2/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat]","Browser_History Parser: pyesedb_file_open_file_object: unable to open file. libesedb_file_header_read_data: mismatch in file header checksum ( 0xd7331be8 != 0xc8465bd8 ). libesedb_file_header_read_file_io_handle: unable to read file header. libesedb_file_open_read: unable to read file header. libesedb_file_open_file_io_handle: unable to read from file handle. - Line No. 12

"2023-05-03 08:59:55.411354","[ERROR]","parser_management.py.start_parsing[Lin.251]","parser","Parser[JumpList]: Failed parsing file [/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/Admin/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f01b4d95cf55d32a.automaticDestinations-ms]","Failed UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 1060-1061: illegal UTF-16 surrogate - Line No. 20" "2023-05-03 08:59:55.455393","[DEBUG]","parser_management.py.start_parsing[Lin.188]","parser","Parser[JumpList]: Start parsing the file: ","/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/admin2/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f01b4d95cf55d32a.automaticDestinations-ms" "2023-05-03 08:59:55.512891","[ERROR]","parser_management.py.start_parsing[Lin.251]","parser","Parser[JumpList]: Failed parsing file [/app/files/files//////_DESKTOP-DRH3F1G/2023-04-24T16:13:18-DESKTOP-DRH3F1G.zip/c/Users/admin2/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/f01b4d95cf55d32a.automaticDestinations-ms]","Failed UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 148-149: illegal encoding - Line No. 20"

[salehmuhaysin]

usually this occurs if the file corrupted

[IUSecHCMIU]

Hi dude, did you fix it? Same problems with SRUM parser here

[salehmuhaysin]

hi,
the main problem from the used library to open ESE database libesedb, which used by these parsers,
sometimes it fails due to some structure of the file, no sure if there is another library to handle ESE database files.

[congtrung2k1]

hi,
the main problem from the used library to open ESE database libesedb, which used by these parsers,
sometimes it fails due to some structure of the file, no sure if there is another library to handle ESE database files.

Hi,
I tested it with the new version of libesedb by reinstalling it inside the container last week. It worked well when I ran "python scrum_interface.py" but when I use "Process" feature, somehow it recreated an error.

[IUSecHCMIU]

hi,
the main problem from the used library to open ESE database libesedb, which used by these parsers,
sometimes it fails due to some structure of the file, no sure if there is another library to handle ESE database files.

Hi, I tested it with the new version of libesedb by reinstalling it inside the container last week. It worked well when I ran "python scrum_interface.py" but when I use "Process" feature, somehow it recreated an error.

here is the poc of an error. While it works perfectly inside the container.