No column with this name in table link_table: link_deactivetime #6
Description
When running the tool with the example NTDS.dit file that has been uploaded here: https://blog.didierstevens.com/2016/07/12/practice-ntds-dit-file-part-1/ the following error occurs:
[2024-10-10 11:06:36] [*] Building the schemas, please wait...
Traceback (most recent call last):
File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/table.py", line 106, in column
return self._column_name_map[name]
~~~~~~~~~~~~~~~~~~~~~^^^^^^
KeyError: 'link_deactivetime'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/venv/bin/ntdissector", line 8, in <module>
sys.exit(main())
^^^^^^
File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/__main__.py", line 80, in main
ntdis = NTDS(options.ntds, options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/ntds/ntds.py", line 115, in __init__
self.__buildSchemas()
File "/home/kali/venv/lib/python3.11/site-packages/ntdissector/ntds/ntds.py", line 274, in __buildSchemas
self.links["to"][_b_DNT].append((record.get("link_DNT"), record.get("link_base"), record.get("link_deltime"), record.get("link_deactivetime"), record.get("link_data")))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/record.py", line 50, in get
column = self._table.column(attr)
^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/venv/lib/python3.11/site-packages/dissect/esedb/table.py", line 108, in column
raise KeyError(f"No column with this name in table {self.name}: {name}")
KeyError: 'No column with this name in table link_table: link_deactivetime'
I made a simple workaround by adding a try except block around the record.get line and the rest of the program extracted correctly, so potentially the best way forward would be making the link_deactivetime attribute optional. I am not familiar with the specifics of different versions of windows, but I speculate that this may be due to the fact that this practice file was created with Windows Server 2003, which may not have used the link_deactivetime column.