Parsing WebCacheV01.dat File From Windows 10

[Steven Duong]

Hello! Has anyone else encountered issues with parsing a WebCacheV01.dat file obtained from a Windows 10 system?

I'm using the latest version of Log2timeline from a SIFT workstation VM and cannot successfully parse the file. The resulting plaso file indicates there are 0 events. However, I can successfully parse the same WebCacheV01.dat file using other tools.

Just wondering if this is a known issue regarding the WebCacheV01.dat artifact from windows 10 systems. Thanks in advance!

$ log2timeline.py --version
plaso - log2timeline version 20191203

$ log2timeline.py test.plaso WebCacheV01.dat
2019-12-30 16:58:43,531 [INFO] (MainProcess) PID:4907 <data_location> Determined data location: /usr/local/lib/python2.7/dist-packages/plaso-20191203-py2.7.egg/share/plaso

2019-12-30 16:58:43,576 [INFO] (MainProcess) PID:4907 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts

Checking availability and versions of dependencies.

[OK]

Source path : /home/sansforensics/Desktop/WebCacheV01.dat

Source type : single file

Processing time : 00:00:00

Processing started.

plaso - log2timeline version 20191203

Source path : /home/sansforensics/Desktop/WebCacheV01.dat

Source type : single file

Processing time : 00:00:01

Identifier PID Status Memory Sources Events File

Main 4907 collecting 124.6 MiB 0 (0) 0 (0)

[Joachim Metz]

Steven, which version of Windows 10?

You are likely running into this issue https://github.com/log2timeline/plaso/issues/2789

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/log2timeline-discuss/f3ff7f6f-4fc0-4b5d-903a-02ede4d3c847%40googlegroups.com.