Process dump error

[esebese]

When the dump option is enabled, the following error occurs.

"Traceback (most recent call last): File "/app/orochi/utils/volatility_dask_elk.py", line 427, in run_plugin os.mkdir(local_path) FileNotFoundError: [Errno 2] No such file or directory: '/media/8fd9bee0-e4fe-11ee-a1b0-0242ac1b000b/windows.pslist.PsList'"

[dadokkio]

os.makedir returns FileNotFoundError if the parent folder is not available. Can you check if /media/8fd9bee0... folder is present under your media folder and double check permission on that folder?

If you don't enable dump the plugin works?

[esebese]

When I ran it first time without enabling the dump option, it worked. After having this error with dump option, running the same plugin without dump option popped up the same error.

The parent folder is not present. Found this related the error.

The permissions for the /media folder is drwxr-xr-x root root.

[dadokkio]

The problem seems to be related to the fact that main folder /media/8fd9bee0... does not exists anymore. Since that folder contains the main image files all the plugins will now return error and the dump flag will return error because cannot create nested folder if parent is not present.

But I've no idea why this happened in the first place..

[garanews]

This is how looks the folder media: When you upload a file, it is loaded under /media/upload then moved in a automatically generated folder: When you run a plugin on that memory and have enabled the dump (in this case pslist dump), the dumped files will go under plugin folder:

[esebese]

I upload images via "docker cp" to /media/upload folder, then I proceed with management command. Does the folder creation happen either the file is uploaded via WebUI or API?

[dadokkio]

you need to upload the files using gui or api because in that way they take care of creating required folder and related database objects. Doing that operation manually it's no so well documented.

To satisfy your requirement to upload data manually and use it later in the 2.2.0 release (just released) we added the possibility to pick from gui file uploaded manually (see https://github.com/LDO-CERT/orochi/issues/451#issuecomment-1954053808)

[esebese]

Thanks for the info!