Merge branch 'main' into release/10.2.x

CHANGELOG.md

@@ -1,5 +1,27 @@
 # ChangeLog
 
+## [10.2.5] - 2024-06-07
+### Added
+- Outcome: add outcome.system_type (Workstation...)
+- Outline: add outline.system_type (Workstation...)
+- Outline: add outline.system.hypervisor
+- Outline: add system.codepage and codepage_name
+- Outline: add command's timeout configuration
+- Outline: add command's expected output files
+- WolfLauncher: add pattern {RunId} to use within configuration files
+- WolfLauncher: BITS: add option 'delete_smb_share' to delete smb share after upload
+
+### Changed
+- Outline: set outline.computer_name with /FullComputer
+- Outline: set outline.system[.name|.fullname] with host's name
+- Outcome: set outcome.computer_name with /FullComputer
+- Outcome: replace status 'running_command' with 'live'
+
+### Fixed
+- WolfLauncher: fix cpu weight configuration
+- Ntfsinfo: volstat output
+
+
 ## [10.2.4] - 2024-02-02
 ### Added
 - Outline: add install_date, install_time and shutdown_time filled from registry

cmake/Orc.cmake

@@ -9,8 +9,10 @@
 
 macro(orc_add_compile_options)
 
-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED ON)
+if (NOT DEFINED CMAKE_CXX_STANDARD)
+    set(CMAKE_CXX_STANDARD 17)
+    set(CMAKE_CXX_STANDARD_REQUIRED ON)
+endif()
 
 add_compile_definitions(
     UNICODE

src/OrcCommand/Command/FastFind/FastFind_Run.cpp

@@ -671,7 +671,7 @@ HRESULT Main::Run()
             pStructuredOutput->WriteNamed(L"os", strSystemDescr.c_str());
 
         std::wstring strSystemRole;
-        if (SUCCEEDED(SystemDetails::GetSystemType(strSystemRole)))
+        if (SUCCEEDED(SystemDetails::GetOrcSystemType(strSystemRole)))
             pStructuredOutput->WriteNamed(L"role", strSystemRole.c_str());
     }
 

src/OrcCommand/Command/NTFSInfo/NTFSInfo_Run.cpp

@@ -695,20 +695,36 @@ HRESULT Main::WriteVolStats(
             outputPaths = it->second;
         }
 
-        auto reader = loc->GetReader();
+        auto ntfsReader = loc->GetReader();
 
-        if (reader == nullptr)
+        if (ntfsReader == nullptr)
         {
             return E_FAIL;
         }
 
+        if (ntfsReader->VolumeSerialNumber() == 0)
+        {
+            int debug = 0;
+        }
+
+        std::shared_ptr<VolumeReader> reader;
+        auto shadow = loc->GetShadow();
+        if (shadow && shadow->parentVolume)
+        {
+            reader = shadow->parentVolume;
+        }
+        else
+        {
+            reader = ntfsReader;
+        }
+
         SystemDetails::WriteComputerName(volStatOutput);
         volStatOutput.WriteInteger(reader->VolumeSerialNumber());
         volStatOutput.WriteString(reader->GetLocation());
         volStatOutput.WriteString(FSVBR::GetFSName(reader->GetFSType()).c_str());
         volStatOutput.WriteBool(loc->GetParse());
         volStatOutput.WriteString(fmt::format(L"{}", fmt::join(loc->GetPaths(), L";")));
-        volStatOutput.WriteString(loc->GetShadow() ? ToStringW(loc->GetShadow()->guid).c_str() : L"");
+        volStatOutput.WriteString(shadow ? ToStringW(shadow->guid).c_str() : L"{00000000-0000-0000-0000-000000000000}");
 
         if (!outputPaths)
         {
@@ -823,7 +839,6 @@ HRESULT Main::RunThroughMFT()
             Log::Error("Failed to create writers for NTFSInfo [{}]", SystemError(hr));
             return hr;
         }
-
     }
 
     auto fileinfoIterator = begin(m_FileInfoOutput.Outputs());

src/OrcCommand/Command/WolfLauncher/Outcome.cpp

@@ -149,7 +149,7 @@ std::string ToString(Outcome::Archive::InputType inputType)
         case Outcome::Archive::InputType::kOffline:
             return "offline";
         case Outcome::Archive::InputType::kRunningSystem:
-            return "running_system";
+            return "live";
     }
 
     return "<unknown>";
@@ -375,10 +375,10 @@ Orc::Result<void> Write(const Outcome& outcome, StructuredOutputWriter::IWriter:
                 writer->WriteNamed(L"end", *endingTime);
             }
 
-            writer->WriteNamed(L"computer_name", outcome.GetComputerNameValue());
+            writer->WriteNamed(L"computer_name", outcome.GetOrcComputerNameValue());
+            writer->WriteNamed(L"system_type", outcome.GetOrcSystemTypeValue());
 
             ::Write(writer, outcome.GetMothership());
-
             ::Write(writer, outcome.GetWolfLauncher());
 
             {

src/OrcCommand/Command/WolfLauncher/Outcome.h

@@ -407,6 +407,12 @@ class Outcome
     const std::wstring& GetComputerNameValue() const { return m_computerName; }
     void SetComputerNameValue(std::wstring name) { m_computerName = std::move(name); }
 
+    const std::wstring& GetOrcComputerNameValue() const { return m_orcComputerName; }
+    void SetOrcComputerNameValue(std::wstring name) { m_orcComputerName = std::move(name); }
+
+    const std::wstring& GetOrcSystemTypeValue() const { return m_orcSystemType; }
+    void SetOrcSystemTypeValue(std::wstring type) { m_orcSystemType = std::move(type); }
+
     // Timestamp is used as a unique identifier between orc execution and multiple files
     std::wstring GetTimestampKey() const { return m_timestamp; }
     void SetTimestampKey(const std::wstring& timestamp) { m_timestamp = timestamp; }
@@ -439,6 +445,8 @@ class Outcome
     mutable std::mutex m_mutex;
     GUID m_id;
     std::wstring m_computerName;
+    std::wstring m_orcComputerName;
+    std::wstring m_orcSystemType;
     Mothership m_mothership;
     std::wstring m_consoleFileName;
     std::wstring m_logFileName;

src/OrcCommand/Command/WolfLauncher/WolfExecution_Config.cpp

@@ -266,7 +266,7 @@ CommandMessage::Message WolfExecution::SetCommandFromConfigItem(const ConfigItem
         const wstring& requiredSystemTypes = item[WOLFLAUNCHER_COMMAND_SYSTEMTYPE];
         wstring strProductType;
 
-        if (FAILED(hr = SystemDetails::GetSystemType(strProductType)))
+        if (FAILED(hr = SystemDetails::GetOrcSystemType(strProductType)))
         {
             Log::Error("Failed to retrieve system product type [{}]", SystemError(hr));
             return nullptr;
@@ -558,7 +558,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         LARGE_INTEGER li;
         if (FAILED(hr = GetFileSizeFromArg(item[WOLFLAUNCHER_JOBMEMORY].c_str(), li)))
+        {
+            Log::Debug(
+                L"Failed GetFileSizeFromArg on WOLFLAUNCHER_JOBMEMORY (value: {})",
+                item[WOLFLAUNCHER_JOBMEMORY].c_str());
             return hr;
+        }
 
         if (arch == PROCESSOR_ARCHITECTURE_INTEL && li.QuadPart > MAXDWORD)
         {
@@ -581,7 +586,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         LARGE_INTEGER li;
         if (FAILED(hr = GetFileSizeFromArg(item[WOLFLAUNCHER_PROCESSMEMORY].c_str(), li)))
+        {
+            Log::Debug(
+                L"Failed GetFileSizeFromArg on WOLFLAUNCHER_PROCESSMEMORY (value: {})",
+                item[WOLFLAUNCHER_PROCESSMEMORY].c_str());
             return hr;
+        }
 
         if (arch == PROCESSOR_ARCHITECTURE_INTEL && li.QuadPart > MAXDWORD)
         {
@@ -605,7 +615,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         LARGE_INTEGER li;
         if (FAILED(hr = GetIntegerFromArg(item[WOLFLAUNCHER_ELAPSEDTIME].c_str(), li)))
+        {
+            Log::Debug(
+                L"Failed GetIntegerFromArg on WOLFLAUNCHER_ELAPSEDTIME (value: {})",
+                item[WOLFLAUNCHER_ELAPSEDTIME].c_str());
             return hr;
+        }
 
         if (arch == PROCESSOR_ARCHITECTURE_INTEL && li.QuadPart > MAXDWORD)
         {
@@ -620,7 +635,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         LARGE_INTEGER li;
         if (FAILED(hr = GetIntegerFromArg(item[WOLFLAUNCHER_JOBUSERTIME].c_str(), li)))
+        {
+            Log::Debug(
+                L"Failed GetIntegerFromArg on WOLFLAUNCHER_JOBUSERTIME (value: {})",
+                item[WOLFLAUNCHER_JOBUSERTIME].c_str());
             return hr;
+        }
 
         if (arch == PROCESSOR_ARCHITECTURE_INTEL && li.QuadPart > MAXDWORD)
         {
@@ -643,7 +663,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         LARGE_INTEGER li;
         if (FAILED(hr = GetIntegerFromArg(item[WOLFLAUNCHER_PERPROCESSUSERTIME].c_str(), li)))
+        {
+            Log::Debug(
+                L"Failed GetIntegerFromArg on WOLFLAUNCHER_PERPROCESSUSERTIME (value: {})",
+                item[WOLFLAUNCHER_PERPROCESSUSERTIME].c_str());
             return hr;
+        }
 
         if (arch == PROCESSOR_ARCHITECTURE_INTEL && li.QuadPart > MAXDWORD)
         {
@@ -671,7 +696,12 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     {
         DWORD percentage = 0;
         if (FAILED(hr = GetPercentageFromArg(item[WOLFLAUNCHER_CPU_RATE].c_str(), percentage)))
+        {
+            Log::Debug(
+                L"Failed GetPercentageFromArg on WOLFLAUNCHER_CPU_RATE (value: {})",
+                item[WOLFLAUNCHER_CPU_RATE].c_str());
             return hr;
+        }
 
         if (!m_Restrictions.CpuRateControl)
         {
@@ -686,8 +716,13 @@ HRESULT WolfExecution::SetRestrictionsFromConfig(const ConfigItem& item)
     else if (item[WOLFLAUNCHER_CPU_WEIGHT])
     {
         DWORD weight = 0;
-        if (FAILED(hr = GetIntegerFromArg(item[WOLFLAUNCHER_CPU_RATE].c_str(), weight)))
+        if (FAILED(hr = GetIntegerFromArg(item[WOLFLAUNCHER_CPU_WEIGHT].c_str(), weight)))
+        {
+            Log::Debug(
+                L"Failed GetIntegerFromArg on WOLFLAUNCHER_CPU_WEIGHT (value: {})",
+                item[WOLFLAUNCHER_CPU_WEIGHT].c_str());
             return hr;
+        }
 
         if (!m_Restrictions.CpuRateControl)
         {

src/OrcCommand/Command/WolfLauncher/WolfLauncher.h

@@ -215,7 +215,6 @@ class ORCUTILS_API Main : public UtilitiesMain
     void ReadLogConfiguration(const ConfigItem& configItem, bool hasConsoleConfigItem);
 
 private:
-    GUID m_guid;
     ConsoleConfiguration m_consoleConfiguration;
 
     Journal m_journal;

src/OrcCommand/Command/WolfLauncher/WolfLauncher_Config.cpp

@@ -774,14 +774,18 @@ HRESULT Main::CheckConfiguration()
 {
     HRESULT hr = E_FAIL;
 
-    hr = CoCreateGuid(&m_guid);
+    GUID guid;
+    hr = CoCreateGuid(&guid);
     if (FAILED(hr))
     {
         Log::Error("Failed to initialize execution guid [{}]", SystemError(hr));
-        SecureZeroMemory(&m_guid, sizeof(m_guid));
+        SecureZeroMemory(&guid, sizeof(guid));
         hr = S_OK;  // keep going
     }
 
+    SystemDetails::SetOrcRunId(guid);
+    Log::Debug(L"Starting DFIR-Orc (run id: {})", ToStringW(guid));
+
     if (m_consoleConfiguration.output.path)
     {
         m_consoleConfiguration.output.path =
@@ -799,7 +803,7 @@ HRESULT Main::CheckConfiguration()
 
     if (m_utilitiesConfig.log.logFile)
     {
-        // Deprecated: 10.0.x compatilbility options
+        // Deprecated: 10.0.x compatibility options
         // Apply the output directory path to the log file
         logPath = fs::path(config.Output.Path) / fs::path(*m_utilitiesConfig.log.logFile).filename();
         m_utilitiesConfig.log.logFile = logPath;

src/OrcCommand/Command/WolfLauncher/WolfLauncher_Output.cpp

@@ -169,6 +169,8 @@ void Main::PrintParameters()
 
     PrintCommonParameters(node);
 
+    PrintValue(node, L"Run ID", ToStringW(SystemDetails::GetOrcRunId()));
+
     PrintValue(
         node,
         L"Console file",