trustedsec / tscopy Goto Github PK

Is it possible to add in wildcards to files to be copied?

For example:

TScopy_x64.exe -f c:\Users\John\NTUSER* -o c:\out

where it would copy all NTUSER* files from that directory.

Hey team,

Noticed that there is no license present anywhere in the repository - would it be possible to add one similar to https://github.com/sans-blue-team/DeepBlueCLI/blob/master/LICENSE as a proactive measure as currently it is implied through GitHub terms and policies that usage of this software in any capacity for any purpose is not really allowed.

Thanks,
Joe Avanzato

BTW - Awesome piece of software.

Edge case when the MFT record contains a split or fragmented children a new MFT record is created and is referenced by the ATTRIBUTE_LIST. (0x30).

I've downloaded the latest build shown as of last month for TScopy_x64.exe

I'm on Windows 2010 x64
Microsoft Windows [Version 10.0.19044.1526]

I wrote a small batch to try to back up my profile to another drive. The program worked well to copy specific hive files but I received the error below when running the batch and only a handful of files and folders were copied. I disabled Windows Defender real-time protection just in case. No change.

:: BATCH
@echo Off
C:\Backup\Admin\batch\TScopy_x64.exe -r -o "H:\BACKUP" -f c:\users\pc*
pause

Output from running the program

2022-02-13 20:36:19,851 - tscopy - INFO - Copying c:\users\pc\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.tmcontainer00000000000000000002.regtrans-ms to H:\BACKUP\users\pc\ntuser.dat{53b39e88-18c4-11ea-a811-000d3aa4692b}.tmcontainer00000000000000000002.regtrans-ms
2022-02-13 20:36:19,867 - tscopy - INFO - Copying c:\users\pc.shadow to H:\BACKUP\users\pc.shadow
2022-02-13 20:36:20,332 - tscopy - INFO - Copying c:\users\pc.vscode to H:\BACKUP\users\pc.vscode
2022-02-13 20:38:36,638 - tscopy - INFO - Copying c:\users\pc\advanced_port_scanner_comments.bin to H:\BACKUP\users\pc\advanced_port_scanner_comments.bin
2022-02-13 20:38:36,654 - tscopy - INFO - Copying c:\users\pc\downloads to H:\BACKUP\users\pc\downloads
2022-02-13 20:38:36,661 - tscopy - INFO - Copying c:\users\pc\recent to H:\BACKUP\users\pc\recent
2022-02-13 20:38:36,668 - tscopy - INFO - Copying c:\users\pc\saved games to H:\BACKUP\users\pc\saved games
2022-02-13 20:38:36,678 - tscopy - INFO - Copying c:\users\pc\ntuser.dat to H:\BACKUP\users\pc\ntuser.dat
2022-02-13 20:38:36,733 - tscopy - INFO - Copying c:\users\pc\intel to H:\BACKUP\users\pc\intel
2022-02-13 20:38:36,789 - tscopy - INFO - Copying c:\users\pc.idlerc to H:\BACKUP\users\pc.idlerc
2022-02-13 20:38:36,799 - tscopy - INFO - Copying c:\users\pc\cisco packet tracer 8.1.0 to H:\BACKUP\users\pc\cisco packet tracer 8.1.0
2022-02-13 20:38:36,838 - tscopy - INFO - Copying c:\users\pc\cookies to H:\BACKUP\users\pc\cookies
2022-02-13 20:38:36,845 - tscopy - INFO - Copying c:\users\pc\advanced_port_scanner_aliases.bin to H:\BACKUP\users\pc\advanced_port_scanner_aliases.bin
2022-02-13 20:38:36,858 - tscopy - INFO - Copying c:\users\pc\tracing to H:\BACKUP\users\pc\tracing
2022-02-13 20:38:36,871 - tscopy - INFO - Copying c:\users\pc\onedrive to H:\BACKUP\users\pc\onedrive
2022-02-13 20:38:36,880 - tscopy - ERROR - Traceback (most recent call last):
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 492, in __copyfile
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 371, in __copydir
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 395, in __copydirfiles
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 542, in __getChildIndex
AttributeError: 'Attribute' object has no attribute 'value'

2022-02-13 20:38:36,884 - tscopy - INFO - Job Took 137.84100008010864 seconds
Press any key to continue . . .

In tscopy.py there are three (3) spots where the MFT file pointer is incremented by a hardcoded value of 0x400. This is not the case is all drives. This value should be determined dynamically.

If a file in Windows has a long file name, TSCopy will copy it out twice - once as the long name and once as the shortened name.

This can be replicated by copying out the c:\Windows\System32\winevt\Logs directory with the following command:

C:\Users\john\Desktop\tscopy-master\dist\TScopy_x64.exe -d C:\Windows\System32\winevt\Logs -o c:\temp\test1\tscopy

The resulting copied files are listed in at https://pastebin.com/pD90EqsU. Of note are entries like the following:

10/27/2020 02:28 PM 69,632 MI013A1.EVT
10/27/2020 02:28 PM 1,052,672 MI01EB1.EVT
10/27/2020 02:28 PM 69,632 MI02C41.EVT
10/27/2020 02:28 PM 69,632 MI033E1.EVT
10/27/2020 02:28 PM 69,632 MI03A71.EVT
10/27/2020 02:28 PM 69,632 MI10551.EVT
10/27/2020 02:28 PM 69,632 MI1129~1.EVT

Its not easily possible with the copy to trace back the short names to their long names.

I tried export $UsnJrnl and $J with tscopy.

But error occurred in (def __parse_attribute_data( self, attribute ):) method.

Reduces the need for TSIR to keep parsing the mft.pickle file when used as part of a larger toolset.

In the TScopy class if the configuration values are incorrect the program exits using sys.exit. This needs to be changed to raising an exception. If this is used as part of another tool this will break.

Running something like : tscopy_x64 -r -o C:\Collection\TScopy\MFT -f *:$MFT

Currently it isn't possible if the user wanted to copy a $MFT file from all volumes on the system.

Supporting some kind of option or wildcard to check the root of all volumes and copy it down would help when running TSCopy in mass and you don't know the specific drive letters on the system.

C:\TScopy_x64>TScopy_x64.exe -f c:\windows\system32\config\ -o c:\test
2024-02-23 20:43:33,957 - tscopy - INFO - Copying c:\windows\system32\config to c:\test\windows\system32\config
2024-02-23 20:43:33,957 - tscopy - ERROR - Traceback (most recent call last):
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 475, in __copyfile
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 912, in __get_file_mft_seqid
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 318, in __search_mft
File "C:\Users\tsir\Desktop\sandbox\tscopy-2021-08-31\TScopy\tscopy.py", line 539, in __getChildIndex
AttributeError: 'Attribute' object has no attribute 'value'

2024-02-23 20:43:33,959 - tscopy - INFO - Job Took 0.08600020408630371 seconds

Produces only mft.PICKLE file.

It would be nice to have an option to recursively copy the contents of a directory and not just the directory itse.f

As shown by the following command output, I used *:$MFT to copy all drive letters, but TSCOPY outputs to the same folder, so in the end, I only got the last copied $MFT.

D:\test> ./TScopy_x64.exe -f '*:$MFT' -o ./tscopy -i
2023-05-22 09:44:44,594 - tscopy - INFO - Copying C:$MFT to ./tscopy$MFT
2023-05-22 09:44:47,250 - tscopy - INFO - Copying D:$MFT to ./tscopy$MFT
2023-05-22 09:44:52,717 - tscopy - INFO - Copying E:$MFT to ./tscopy$MFT

2023-05-22 09:44:55,812 - tscopy - INFO - Copying F:$MFT to ./tscopy$MFT
2023-05-22 09:44:56,062 - tscopy - INFO - Job Took 11.656000137329102 seconds

D:\test> ls tscopy
Directory listing for D:\chts\tscopy -

Name　　　Type　　　Size (bytes)　　　Size (MB)　　　Last Modified　　　Created
$MFT　　　　　　　　　32243712　　　30.75 2023/5/22 AM 09:44:56 2023/5/22 PM 09:42:41
mft.pickle

For files only the DATA attribute was being processed to copy the data for the file. Added the ability to parse ATTRIBTUBE_LISTs. This is useful for large files or heavily edited files like the SOFTWARE registry hive.