Wednesday, September 20, 2023

OneDriveExplorer ODL Parsing Issues

The Issue

Recently I've been noticing quite a few instances where OneDriveExplorer was unable to parse some of the ODL logs, and other instances where the parameters of the log entries came out as a jumbled mess.

So I tried Yogesh Khatri's OneDrive to see if it was something OneDriveExplorer was doing wrong. It generated quite a few "Error in read_string()" and "ERROR writing rows: <class '_csv.Error'> need to escape, but no escapechar set" errors, and the same jumbled mess appeared in some of the Params_Decoded fields.

Something seems to be amiss.

Finding the issue

There has to be something in the way these tools are handling the data (OneDriveExplorer's ODL parsing is based on Yogesh's work). Yogesh's blog post lays out the structure of the ODL files nicely.

With this information, I slightly modified OneDriveExplorer to dump out the structures so they could be examined. As it turned out, some of the data blocks do not follow this structure. From the output, I could see the data_len was an absurdly large number, which threw off the parser in both tools. A length field far larger than the bytes remaining in the file is a sign that the parser is reading from the wrong offset, not that the log itself is corrupt.

The fix

I reached out to Yogesh to see if he had noticed any changes in the ODL files. Upon further examination, Yogesh found that the ODL version had changed, and with it the structures of the data_block and data.

With this information, Yogesh and I have updated our tools to parse the new ODL version. Running OneDriveExplorer again now shows everything properly aligned.
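To make the failure mode from the two sections above concrete, here is an added example, not code from OneDriveExplorer or from Yogesh's odl.py, of a version-gated block parser with the bounds check on data_len that would have flagged the problem instead of producing jumbled output. Only the field names data_block, data and data_len come from the post; the byte layouts, the version numbers 2 and 3, the helper names and the sample bytes are constructed assumptions for illustration and are not the real ODL format.

```python
"""Version-gated block parser with a data_len sanity check.

Added example; not code from OneDriveExplorer or odl.py.  The layouts here are
a SIMPLIFIED STAND-IN (assumption) and differ from the real ODL structures.
It shows the post's failure mode: parsing a newer block layout with the older
one makes data_len read as a huge number, which a bounds check catches.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Hypothetical block headers (assumption, not the real ODL data_block layout):
#   v2: <Q timestamp><I data_len><I unk>
#   v3: <Q timestamp><I unk_a><I unk_b><I data_len><I unk>   (two new fields)
BLOCK_HEADER = {2: struct.Struct("<QII"), 3: struct.Struct("<QIIII")}
DATA_LEN_INDEX = {2: 1, 3: 3}  # position of data_len in the unpacked tuple

# Hypothetical data body: <I name_len><name bytes><params as UTF-8 remainder>
MAX_REASONABLE_LEN = 1 << 20  # 1 MiB: no single log record should be larger


class OdlFormatError(ValueError):
    """Raised when a block does not fit the layout selected for its version."""


@dataclass
class Record:
    timestamp: int
    function: str
    params: str


def parse_data(body: bytes) -> tuple[str, str]:
    """Split a data body into (function name, params), bounds-checking name_len."""
    if len(body) < 4:
        raise OdlFormatError("data body too short for name_len")
    (name_len,) = struct.unpack_from("<I", body, 0)
    if 4 + name_len > len(body):
        raise OdlFormatError(f"name_len {name_len} exceeds data body of {len(body)} bytes")
    name = body[4:4 + name_len].decode("utf-8", errors="replace")
    params = body[4 + name_len:].decode("utf-8", errors="replace")
    return name, params


def parse_blocks(buf: bytes, version: int) -> list[Record]:
    """Walk consecutive blocks using the header layout for `version`."""
    if version not in BLOCK_HEADER:
        raise OdlFormatError(f"unsupported version {version}")
    hdr = BLOCK_HEADER[version]
    records: list[Record] = []
    off = 0
    while off < len(buf):
        if off + hdr.size > len(buf):
            raise OdlFormatError(f"truncated block header at offset {off}")
        fields = hdr.unpack_from(buf, off)
        data_len = fields[DATA_LEN_INDEX[version]]
        remaining = len(buf) - (off + hdr.size)
        # The check that turns "absurd data_len" into a clear error: a length
        # that cannot fit in the file means the layout is wrong for this file.
        if data_len > remaining or data_len > MAX_REASONABLE_LEN:
            raise OdlFormatError(
                f"offset {off}: data_len {data_len} exceeds remaining {remaining} bytes; "
                f"wrong layout for version {version}?"
            )
        body = buf[off + hdr.size: off + hdr.size + data_len]
        name, params = parse_data(body)
        records.append(Record(fields[0], name, params))
        off += hdr.size + data_len
    return records


def build_block(version: int, timestamp: int, name: str, params: str) -> bytes:
    """Construct one sample block in the hypothetical layout (test data only)."""
    body = struct.pack("<I", len(name)) + name.encode() + params.encode()
    if version == 2:
        return BLOCK_HEADER[2].pack(timestamp, len(body), 0) + body
    return BLOCK_HEADER[3].pack(timestamp, 0xAABBCCDD, 0, len(body), 0) + body


def parse_or_error(buf: bytes, version: int):
    """Return (records, None) on success or (None, message) on a format error."""
    try:
        return parse_blocks(buf, version), None
    except OdlFormatError as exc:
        return None, str(exc)


# Constructed sample: two v3 blocks.  Parsing them as v3 works; parsing them
# with the v2 layout reads unk_a (0xAABBCCDD) as data_len and is rejected.
SAMPLE_V3 = build_block(3, 1, "Foo::Bar", "x=1") + build_block(3, 2, "Baz", "y=2")

if __name__ == "__main__":
    print(parse_or_error(SAMPLE_V3, 3))
    print(parse_or_error(SAMPLE_V3, 2))
```

The point of the example is the rejection path: once the block header gains fields, the old layout reads an unrelated field as data_len, and a parser that trusts that value walks off into the middle of a record and emits garbage, which is exactly what the jumbled Params_Decoded output looked like. Checking data_len against the bytes remaining turns that into a loud error that points at a version mismatch.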

Results

Updated parser = 1,921,804 entries, no errors, parameters parsed properly
Old parser     = 959,819 entries, 15 files could not be read, some parameters jumbled

This ODL version change occurred in v23.180.0828.0001 and later. It might be a good idea to recheck any forensic examinations that have been performed on this version or higher, since the old parser returned roughly half the entries and jumbled parameters in the test above. v23.180.0828.0001 rolled out on 9/01/23 as an Insider build, so the window is fairly small. The latest release of OneDriveExplorer can be found here.
