Log2timeline dependency problem: libewf-python

[ricci3]

Hello All,

Just recently downloaded version of the log2timeline/plaso docker version. But when execute the log2timeline.py, the log2timeline.py shows the failure error of missing pyewf in my MacOS docker

While for the sift workstation .ova version, when I executed log2timeline.py, the dependency check shows that the elastic search module is missing.

So can someone please advise: 1) what should I do to resolve the missing pyewf problem? 2) while for ova version, how to rectify the missing elastic search module issue?

Thx

Ricci

[Onager]

How are you running the docker version? Are you building it yourself, or pulling from docker hub?

We don't maintain sift workstation, it looks like their issue tracker is here: https://github.com/sans-dfir/sift/issues

[Onager]

In fact, it looks like the sift folks already have a fix documented: https://github.com/sans-dfir/sift/issues/283

[rolinh]

FWIW, I also encounter the pyewf dependency missing when running version 20180630, from a freshly built docker image (Ubuntu 16:04, gift PPA installation), running log2timeline:

Checking availability and versions of dependencies.
[OPTIONAL]      missing: lzma.
[FAILURE]       missing: pyewf.

[DeKe42]

I'm experiencing the same thing in a fresh docker image.

I'm pretty sure the current libewf-python package in ppa:gift is incomplete. If I download it manually (or check with dpkg-query -L), it only contains documentation but no actual python module.

I'm referring to this file: https://launchpad.net/~gift/+archive/ubuntu/stable/+files/libewf-python_20140803-1ppa1~xenial_amd64.deb

[Onager]

Yep, this looks like a problem with that package. We'll roll a new one.

[joachimmetz]

so libewf_20140803-1ppa1~xenial_amd64.deb contains a shared object
libewf2_20140803-1ppa1~xenial_amd64.deb is a stub preventing Ubuntu to install and override libewf.so when not installed as libewf2.

and libewf-python_20140803-1ppa1~xenial_amd64.deb indeed is empty, where it should not be

[joachimmetz]

In fact, it looks like the sift folks already have a fix documented: sans-dfir/sift#283

Running log2timeline.py --no-dependencies-check -V is not a fix but a work-around. There is no indication of an actual fix in the sift issue tracker.

[joachimmetz]

New libewf release building on launchpad

[joachimmetz]

@ricci3 @DeKe42 @Rolinh could you try again and confirm that new libewf release works / does not work for you

[rolinh]

@joachimmetz I can confirm that it now works for me. Thanks for addressing this issue so quickly!

[ricci3]

silly me. Please advise if this solution is already able to work for the docker version? If not, is that I should try using full installation?

[joachimmetz]

Please advise if this solution is already able to work for the docker version?

How are you building your docker container? If you use the GIFT PPA then it should provide you with the new version.

[Onager]

@ricci3 I've just updated the image on docker hub, you should be good to go now.

[ricci3]

I didn't build mine. I just use docker pull log2timeline/plaso. may be I should try to pull again.

[ricci3]

It is working now. Thx. BTW, please let me know what has to be revised, so I also know how to fix that.

[Onager]

Looks like this resolved, closing out.