Comments on JL's stuff: Job File Parser
Comment feed by Jamie Levy (http://www.blogger.com/profile/16089000750284843256), last updated 2022-03-09T23:50:48.838-05:00. 9 comments, newest first.

Jamie Levy (https://www.blogger.com/profile/16089000750284843256), 2016-06-07T14:29:29.849-04:00:
Thanks, Jeff! It's now fixed :-)

Jeff (https://www.blogger.com/profile/02633243578560506172), 2016-06-05T05:56:09.509-04:00:
Hi there, works great, but you're missing two commas. One on line 31 and one on line 32.

    0x603:"Windows 8.1"
    0xa00:"Windows 10"

Best,

Jeff

Bart Inglot (https://www.blogger.com/profile/17662363915518218416), 2015-09-14T07:11:35.158-04:00:
Hey Gleeda! Your parser inspired me to create a carver, see 'at_jobs_carver.py' at http://passionateaboutis.blogspot.com/2015/09/carving-at-job-files.html

Jamie Levy (https://www.blogger.com/profile/16089000750284843256), 2012-09-06T09:05:53.519-04:00:
No worries! Yeah, I think it's just not written up very clearly.

Christian Buia (https://www.blogger.com/profile/14658722570700807229), 2012-09-06T09:02:46.014-04:00:
That's exactly the MSDN reference that I had in mind; sorry, I should have provided that in my comment and realized that you don't have direct access to my thoughts!
I struggled with that for a while before discovering Harlan Carvey's article on the subject from 2009 where he cited similar issues.

Jamie Levy (https://www.blogger.com/profile/16089000750284843256), 2012-09-05T09:47:22.531-04:00:
Ah wait, I hit send too quickly. I see that you are talking about the documentation from here: http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.13%29.aspx. I think it's just confusing the way they wrote that actually, I'll agree with that :-)

Jamie Levy (https://www.blogger.com/profile/16089000750284843256), 2012-09-05T09:43:07.977-04:00:
Hi Christian,

Thanks for the comment :-)

Actually, the documentation on UUID size should be correct. If you look at http://msdn.microsoft.com/en-us/library/aa379358%28v=vs.85%29.aspx you see:

    typedef struct _GUID {
        unsigned long  Data1;    // 4 bytes
        unsigned short Data2;    // 2 bytes
        unsigned short Data3;    // 2 bytes
        unsigned char  Data4[8]; // 8 bytes
    } GUID, UUID;

We should end up with 16 bytes total. Looking at the following GUID:

    20d04fe0-3aea-1069-a2d8-08002b30309d

we see we have 32 characters. Each byte is represented by 2 characters of hex and 16 * 2 == 32.

Where did you find the extra bytes?

Christian Buia (https://www.blogger.com/profile/14658722570700807229), 2012-09-04T18:26:44.906-04:00:
This is hilarious that you just released this. I just spent the w/e creating a NetWitness API script that would grab files and do all this parsing in Python. Your code is nicer and neater than mine :) and more complete, I am only parsing out the more interesting bits of info.

Did you also have issues with MS' documentation regarding the UUID size in the FIXEDLEN / Header portion? I find that it is still overstated by 2 bytes - let me know what you think...

Christian Buia (https://www.blogger.com/profile/14658722570700807229), 2012-09-04T18:25:47.069-04:00:
This is hilarious that you just released this. I just spent the w/e creating a NetWitness API script that would grab job files from pcap and do all this parsing in Python.
Your code is nicer and neater than mine :) and more complete, I am only parsing out the more interesting bits of info (for now).

Did you also have issues with MS' documentation regarding the UUID size in the FIXEDLEN / Header portion? I find that it is still overstated by 2 bytes - let me know what you think... Can't figure out why it would still be documented as such.

Chris