Lyman’s purpose is to aid in the creation of .cstruct files. These files help to parse OneDrive logs into their components which can lead to better log decryption. By focusing on the data rather than trying to learn how to construct these files, it becomes easier to extract data that otherwise might be missed or misinterpreted.
But what does that mean?
By the nature of the way ODL files are parsed, they don't always decrypt properly. This is because the parameters of the log are extracted using a regex looking for ascii charaters. The example below shows a parameter that is not being decrypted. This is due to the regex incluiding a E at the end of the parameter when it should not be included.
How does Lyman help?
OneDriveExplorer has a lesser known feature that can aid in handling issues such as this through the use of cstruct "mapping" files. The downside to this is you need to know the ODL file structure, find what you're looking for and figure out how to write one of these files. This is where Lyman comes in. Let's walk through our log entry and get it to parse properly.
First thing we'll do is launch Lyman. You should see a screen like the one below.
Next we want to click ...
And select the log file we want to look at.
The next steps are used to find the log entry in question. As a not, the first match will populate so it may notbee the same exact entry you were looking at. This involves selecting the Code_File, Function, and the Flags.
Then finally we can select search.
With any luck, there should be data populated in Lyman.
To begin, click the add button twice and set the dropdowns to int32 and char. In the entry boxes put size1 and data1[size1] and click the green check mark.
The parsed data will populate in the right pane.
We will continue this process until all the data is parsed.
Fill out the rest of the form then select File -> Export cstruct
This will create the cstruct file in the directory Lyman was ran from. Copy this file into OneDriveExplorer’s cstructs folder.
Now when we run OneDriveExplorer again, the log entry will decrypt properly.
Conclusion
This is where Lyman becomes invaluable. Lyman manages all these complexities, allowing users to focus on finding data rather than deciphering the intricacies of the log file format. By using Lyman, a more robust solution for parsing OneDrive logs can be developed, contributing back to the ODEFiles repository Beercow/ODEFiles (github.com).
Lyman can be downloaded from (github.com)
No comments:
Post a Comment