SIFT: no such parser presets file: /usr/share/plaso/presets.yaml

[dougkoster]

I have a fresh SIFT VM running on 16.04. I installed Plaso using the following commands:

sudo apt-get update sudo apt-get install python-plaso plaso-tools

My install appeared to be successful.

log2timeline.py -V

plaso - log2timeline version 20190131

When I try and do a test run I get an error message about a missing yaml file: root@siftworkstation -> /u/s/pytan

log2timeline.py /tmp/plaso_test.dump /mnt/hgfs/D_DRIVE/Test\ Images/xp\ dblake.dd

2019-02-15 17:45:39,851 [INFO] (MainProcess) PID:23109 Determined data location: /usr/share/plaso ERROR: No such parser presets file: /usr/share/plaso/presets.yaml.

I looked at the files on GitHub and didn't see the file presets.yaml.

[s4parke]

+1 -- Steps to reproduce:

1. Install latest apt package (Ubuntu 16.04 / SIFT Workstation) $ sudo apt-get update && sudo apt-get install plaso-tools

2. Run command with no args $ log2timeline.py 2019-02-15 23:45:39,851 [INFO] (MainProcess) PID: ... location: /usr/share/plaso ERROR: No such parser presets file: /usr/share/plaso/presets.yaml

Workaround: Copy the file /master/test_data/presets.yaml to /usr/share/plaso/.

[joachimmetz]

I'm unable to reproduce this when I install plaso from the GIFT PPA (stable track) on a 16.04 amd64 live CD (without SIFT). A /usr/share/plaso/preset.yaml file is created on the test install.

@dougkoster @s4parke Can you check if the plaso-data package is installed.

[joachimmetz]

I looked at the files on GitHub and didn't see the file presets.yaml.

presets.yaml can be found under data https://github.com/log2timeline/plaso/tree/master/data

[dougkoster]

Thanks...that fixed the issue.

[s4parke]

@joachimmetz :

I'm unable to reproduce this when I install plaso from the GIFT PPA (stable track) on a 16.04 amd64 live CD (without SIFT)

I can only produce this error on the SIFT Workstation virtual machine downloaded from the SANS website (download link). I do not see the error if I install SIFT-CLI on a clean Ubuntu 16.04 Amazon EC2 machine.

Can you check if the plaso-data package is installed.

Yes, at least one version of plaso-data is installed on the SIFT-workstation Virtualbox VM:

I decided to use SIFT-CLI on Ubuntu instead of the SIFT-workstation VM. :)

[joachimmetz]

A reason I could think of is that the old version of plaso-data is (gets) installed on SIFT and is not updated.

What I can do for future releases is pin the version of the data package in the dpkg configuration.

[joachimmetz]

I can only produce this error on the SIFT Workstation virtual machine downloaded from the SANS website (download link).

Unfortunately the ova is not accessible without log-in so I cannot confirm how this VM is configured.

[dougkoster]

I was working from the .ova image.

---

From: Joachim Metz notifications@github.com Sent: Sunday, February 17, 2019 3:06 AM To: log2timeline/plaso Cc: dougkoster; Mention Subject: Re: [log2timeline/plaso] SIFT: no such parser presets file: /usr/share/plaso/presets.yaml (#2350)

I can only produce this error on the SIFT Workstation virtual machine downloaded from the SANS website (download link)https://digital-forensics.sans.org/community/downloads.

Unfortunately the ova is not accessible without log-in so I cannot confirm how this VM is configured.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/log2timeline/plaso/issues/2350#issuecomment-464427241, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AG1VvSeGW5x_DrS_YiaH9DAMCYcNzf6nks5vOQ1wgaJpZM4a-LAn.

[joachimmetz]

Made changes https://github.com/log2timeline/plaso/pull/2396 and https://github.com/log2timeline/plaso/pull/2399 to enforce version dependencies of the data files. Closing this issue.