Database Filename Issues on Windows about cdqr HOT 6 CLOSED

What version of Windows are you running on and can you show me the command string you used to run CDQR?

from cdqr.

Windows 7 64bit

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Loading personal and system profiles took 1369ms.
Z:\> cd C:\tools\
C:\tools> .\cdqr.exe --max_cpu g:\ C:\some\folder\cdqrresults\
CDQR Version: 3.1.3
Plaso Version: 1.5
Using parser: win
Number of cpu cores to use: 4
Source data: g:
Destination Folder: C:/some/folder/cdqrresults
Database File: C:/some/folder/cdqrresults/g:.db
SuperTimeline CSV File: C:/some/folder/cdqrresults/g:.SuperTimeline.csv


C:/some/folder/cdqrresults/g:.log
Processing started at: 2017-07-06 11:53:37.166546
Parsing image
"plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies
,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,
explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_dr
ive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mru
listex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,network_drive
s,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassi
st,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,wind
ows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,wi
nevtx,winfirewall,winjob,winlogon,winrar_mru,winreg,winreg_default" "--hashers" "md5" "--workers" "4" "C:/some/folder/cd
qrresults/g:.db" "g:"

from cdqr.

Looking at the output it's also obviously going to be a problem for the log file, the supertimeline file, etc containing the colon.

from cdqr.

Thanks for reporting this. It will be an issue for older versions of Windows for sure. It works fine in Window 10 so I'm going to imagine Win 8+, Linux and Mac will handle the ":" in the filename.

It's definitely something that can be fixed. Adding it as a bug to fix. Thanks again!

from cdqr.

There is a work around today. Simply copy / paste the log2timeilne command and change the output filename. Once you have that you can trick CDQR to use that by following this example from your code pasted above:

plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_drive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mrulistex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,network_drives,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassist,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,windows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,winevtx,winfirewall,winjob,winlogon,winrar_mru,winreg,winreg_default" "--hashers" "md5" "--workers" "4" "C:/some/folder/cdqrresults/g_drive.db" "g:"

MAKE A COPY OF THE .db FILE

Create file g_drive
echo " " > g_drive

Then run cdqr in this way

C:\tools> .\cdqr.exe --max_cpu g_drive "C:/some/folder/cdqrresults/g_drive.db"

Follow the prompts to keep the files (should be all the defaults) and it'll will use the g_drive.db for the rest of the processing.

from cdqr.

Fixed in v4.0.0

Closing

from cdqr.