google / timesketch

Collaborative forensic timeline analysis
Apache License 2.0

Not able to import plaso file via GUI #2997

Closed denizciftci-sec closed 11 months ago

denizciftci-sec commented 11 months ago

Hi Team,

I have the following errors when I try to import .plaso output via GUI. [screenshot]

I am using the old version of the plaso binary:

root@remnux:/opt/kaperesults# log2timeline.py -V
plaso - log2timeline version 20220724

The timesketch version is the latest:

root@remnux:/opt/kaperesults# docker ps
CONTAINER ID   IMAGE                                                            COMMAND                  CREATED          STATUS          PORTS                                                                      NAMES
c31e3bc8b9ed   us-docker.pkg.dev/osdfir-registry/timesketch/timesketch:latest   "/docker-entrypoint.…"   44 minutes ago   Up 44 minutes                                                                              timesketch-worker
ee774a52effe   nginx:1.19.3-alpine                                              "/docker-entrypoint.…"   44 minutes ago   Up 44 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx
558f5c875ec3   opensearchproject/opensearch:2.9.0                               "./opensearch-docker…"   44 minutes ago   Up 44 minutes   9200/tcp, 9300/tcp, 9600/tcp, 9650/tcp                                     opensearch
6fd5b4dbb1eb   us-docker.pkg.dev/osdfir-registry/timesketch/timesketch:latest   "/docker-entrypoint.…"   44 minutes ago   Up 44 minutes                                                                              timesketch-web
13bc8e441de9   us-docker.pkg.dev/osdfir-registry/timesketch/timesketch:latest   "/docker-entrypoint.…"   44 minutes ago   Up 44 minutes                                                                              timesketch-web-legacy
2317815bf7cb   redis:6.0.8-alpine                                               "docker-entrypoint.s…"   44 minutes ago   Up 44 minutes   6379/tcp                                                                   redis
c117561878d4   postgres:13.0-alpine                                             "docker-entrypoint.s…"   44 minutes ago   Up 44 minutes   5432/tcp                                                                   postgres

I generated the plaso file as follows and no error was returned:

log2timeline.py --storage_file timeline.plaso C/

Could you please assist me in this matter? What version should I use for a successful import?


root@remnux:/opt/kaperesults# pinfo.py timeline.plaso
2023-11-27 10:31:53,087 [WARNING] (MainProcess) PID:16950 This version of plaso is more than 6 months old.
WARNING: the version of plaso you are using is more than 6 months old. We strongly recommend to update it.

*** Plaso Storage Information ***
            Filename : timeline.plaso
      Format version : 20220716
Serialization format : json

*** Sessions ***
76933668-6875-460c-af90-511541df5909 : 2023-11-27T10:05:16.331846+00:00

*** Event sources ***
Total : 802

*** Events generated per parser ***
                Parser (plugin) name : Number of events
                             amcache : 1965
                      appcompatcache : 1024
                              bagmru : 390
                                 bam : 48
               explorer_mountpoints2 : 4
              explorer_programscache : 1
                            filestat : 2406
                                 lnk : 296
                      mrulist_string : 22
           mrulistex_shell_item_list : 7
                    mrulistex_string : 3
mrulistex_string_and_shell_item_list : 1
                           msie_zone : 36
                            networks : 12
        olecf_automatic_destinations : 18
                       olecf_default : 8
                            prefetch : 998
                         recycle_bin : 1
                            setupapi : 162
                         shell_items : 1602
                windows_boot_execute : 2
                         windows_run : 10
                   windows_sam_users : 8
                    windows_services : 588
                    windows_shutdown : 2
                  windows_task_cache : 537
                    windows_timezone : 1
                  windows_typed_urls : 5
                 windows_usb_devices : 7
             windows_usbstor_devices : 4
                     windows_version : 4
                             winevtx : 223030
                            winlogon : 4
                      winreg_default : 319063
                               Total : 552269

No events labels stored.

*** Extraction warnings generated per parser ***
              Parser (plugin) name : Number of warnings
                    winreg/amcache : 1
                       <No parser> : 1
olecf/olecf_automatic_destinations : 1

*** Path specifications with most extraction warnings ***
Number of warnings : Pathspec
                 2 : type: OS, location: /opt/kaperesults/C/Windows/AppCompat/Programs/Amcache.hve
                 1 : type: OS, location: /opt/kaperesults/C/Users/REM/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/c58fe4bc6db07168.automaticDestinations-ms

*** Recovery warnings generated per parser ***
Parser (plugin) name : Number of warnings
             winevtx : 1970

*** Path specifications with most recovery warnings ***
Number of warnings : Pathspec
               107 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-HelloForBusiness%4Operational.evtx
               106 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
               105 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/ThinPrint Diagnostics.evtx
               101 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
                95 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-SMBServer%4Operational.evtx
                91 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-AppReadiness%4Operational.evtx
                87 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Windows PowerShell.evtx
                86 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
                82 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Key Management Service.evtx
                80 : type: OS, location: /opt/kaperesults/C/Windows/System32/winevt/logs/Microsoft-Windows-RestartManager%4Operational.evtx

No analysis reports stored.

root@remnux:/opt/kaperesults#

jkppr commented 11 months ago

Hi @denizciftci-sec,

In general the Plaso format version needs to be the same on both sides, i.e. the format version of your `.plaso` file and the version supported in Timesketch. Using the same Plaso version as in Timesketch for processing your evidence should ensure compatibility.

You can get the Plaso version used by your deployed Timesketch instance by executing `tsctl info` on your server/in the container.

The last line in the error message of your screenshot above mentions the latest supported version of Plaso format as 20221023.
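The version check discussed in this thread can be done on the analyst workstation before an upload is attempted. The script below is an added example, not Timesketch or Plaso project code. It assumes that a `.plaso` file is a SQLite database whose `metadata` table stores key/value rows including `format_version` (which is how Plaso's SQLite storage writer records it), it takes the upper bound 20221023 from the error message quoted in the issue, and it treats the lower bound as unknown unless you pass one; read both bounds from `tsctl info` on your own deployment rather than trusting these constants, since this issue itself shows that an older format version (20220716) can still be rejected. The function names, the `supported_min` parameter and the sample files built by `make_sample_storage()` are all constructed for the demo; the samples contain only a metadata table, no events.

```python
"""Read the storage format version from a .plaso file and compare it with the
range a Timesketch deployment accepts, before trying to import it.

Added example, not Timesketch or Plaso code. Assumed layout: a `metadata`
table with `key`/`value` columns, including the key `format_version`.
"""
import os
import sqlite3
import tempfile

# Upper bound quoted in the issue's error message (assumption: still current
# for your deployment; confirm with `tsctl info`).
SUPPORTED_MAX_FORMAT_VERSION = 20221023


def read_plaso_metadata(path):
    """Return the key/value metadata of a Plaso SQLite storage file, or None
    when the file is not a SQLite database or has no metadata table."""
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute("SELECT key, value FROM metadata").fetchall()
    except sqlite3.DatabaseError:  # "file is not a database" / "no such table"
        return None
    finally:
        conn.close()
    return {key: value for key, value in rows}


def check_format_version(path, supported_max=SUPPORTED_MAX_FORMAT_VERSION,
                         supported_min=None):
    """Classify a .plaso file for import.

    Plaso format versions are YYYYMMDD integers, so they compare numerically.
    supported_min=None means the deployment's lower bound is unknown; the
    result then only says the file is not newer than the supported version.
    Returns (status, file_version); status is one of
    'not_plaso', 'too_new', 'too_old', 'ok'.
    """
    meta = read_plaso_metadata(path)
    if meta is None or "format_version" not in meta:
        return "not_plaso", None
    try:
        file_version = int(meta["format_version"])
    except ValueError:
        return "not_plaso", None
    if file_version > supported_max:
        return "too_new", file_version
    if supported_min is not None and file_version < supported_min:
        return "too_old", file_version
    return "ok", file_version


def make_sample_storage(path, format_version):
    """Constructed stand-in for a .plaso file: only the metadata table."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE metadata (key TEXT, value TEXT)")
        conn.executemany(
            "INSERT INTO metadata (key, value) VALUES (?, ?)",
            [("format_version", str(format_version)),
             ("serialization_format", "json"),
             ("storage_type", "session")])
    conn.close()


def run_demo(supported_min=None):
    """Build three constructed files, classify each, return the results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        issue_file = os.path.join(tmp, "issue_file.plaso")
        make_sample_storage(issue_file, 20220716)   # version from the pinfo output above
        newer = os.path.join(tmp, "newer.plaso")
        make_sample_storage(newer, 20230101)        # constructed: newer than supported
        junk = os.path.join(tmp, "not_a_storage.plaso")
        with open(junk, "wb") as fh:
            fh.write(b"constructed: not a plaso storage file\n")
        results["issue_file"] = check_format_version(issue_file, supported_min=supported_min)
        results["newer"] = check_format_version(newer, supported_min=supported_min)
        results["junk"] = check_format_version(junk, supported_min=supported_min)
    return results


if __name__ == "__main__":
    for name, (status, version) in run_demo().items():
        print(f"{name}: format_version={version} -> {status}")
```

Passing the lower bound your instance reports (for example `run_demo(supported_min=20221023)`) turns the issue's file into a `too_old` result, which matches the advice in the thread to process evidence with the same Plaso version that Timesketch ships.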