missing source path

[nocomp]

hi, dunno why , really struggling on this box to get log2time working, was a bad idea to update to ubuntu 19.04... here is the errr message i have, i ve installed with .deb packge

nocomp@RFB0x:~$ log2timeline.py veriot-all.plaso --data /media/nocomp/Systeme/ --artifact_definitions /home/nocomp/Documents/forensic/artifacts-20190320/data/
2019-12-21 18:08:16,108 [INFO] (MainProcess) PID:7021 <data_location> Determined data location: /media/nocomp/Systeme/
2019-12-21 18:08:16,126 [INFO] (MainProcess) PID:7021 <artifact_definitions> Determined artifact definitions path: /home/nocomp/Documents/forensic/artifacts-20190320/data/
ERROR: Missing source path.

what am i doing wrong????

thx for your help

[joachimmetz]

You need to specify what data (source) you want plaso to time line (process)

Also see: https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html

[nocomp]

when i do a basic run it s not working either

nocomp@RFB0x:~$ log2timeline.py veriot-all.plaso /media/nocomp/Systeme/
2019-12-21 18:21:27,396 [INFO] (MainProcess) PID:9559 <data_location> Determined data location: /usr/share/plaso
2019-12-21 18:21:27,415 [INFO] (MainProcess) PID:9559 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
ERROR: Unable to read artifact definitions from: /usr/share/artifacts with error: After: WindowsPendingFileRenames Invalid artifact definition: WindowsPersistenceMechanisms returned_types no longer supported.

files are all here :

nocomp@RFB0x:~$ ls /usr/share/artifacts/
antivirus.yaml          java.yaml              tomcat.yaml
applications.yaml       kaspersky_careto.yaml  unix_common.yaml
cloud_services.yaml     legacy.yaml            webbrowser.yaml
config_files.yaml       linux_proc.yaml        webservers.yaml
docker.yaml             linux.yaml             windows_dll_hijacking.yaml
hadoop.yaml             macos.yaml             windows.yaml
installed_modules.yaml  ntfs.yaml              wmi.yaml
nocomp@RFB0x:~$ 

first time having issues, it s a pain thxx for your tme, truelly appreciate

[joachimmetz]

ERROR: Unable to read artifact definitions from: /usr/share/artifacts with error: After: WindowsPendingFileRenames Invalid artifact definition: WindowsPersistenceMechanisms returned_types no longer supported.

This is telling you that your version of forensics artifacts is too old.

first time having issues, it s a pain

That's because you're deviating from the supported platforms and making your life harder. I recommend you to use Ubuntu 18.04 (you can boot if from a live CD/DVD)

[nocomp]

hi, this is weird it s too old cause i ve downloadd the latest available here https://github.com/ForensicArtifacts/artifacts/releases/tag/20190320

is it possible to install or update with a different source?

thx fr your time

[nocomp]

is it possible to find the windows version somwhere with precompiled binaires? can t find any :/

[joachimmetz]

this is weird it s too old cause i ve downloadd the latest available here

returned_types was removed in February https://github.com/ForensicArtifacts/artifacts/commit/ec1c547515216bedf629f26aef6f66900ea4e4ab

you might have multiple versions installed on your system

is it possible to find the windows version somwhere with precompiled binaires?

I strongly encourage you to read the documentation https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html

[nocomp]

Yep i know this link but there are no .exe for download, link gives 404. I dont have multiple version, just did a fresh install. Tried to find the .exe somewhere bit no luck..

[joachimmetz]

You have to calm down and start to speak full sentences. I have no idea what you are telling me with: "Yep i know this link but there are no .exe for download, link gives 404."

The documentation https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html clearly states ZIP file not EXE file.

I get the strong impression that your rushing yourself and therefore making the situation only worse for yourself. If you cannot be bothered to give this the necessary attention, this will go nowhere.

If you telling me you ar are unable to find the Window Packaged release have a look at Have a look at these files https://github.com/log2timeline/plaso/releases/tag/20190916

[nocomp]

Hi, Sorry for my short replies, tryin to manage my sick daughter in smae time than tryin to get this plaso fine i need done. My apologies johachim. Can t believe you have a link with exe files. Been reading many tutorials and github link given was 404. And been hunting for these 9n github, all the release had 4 assets and no windows files. Thxx a lot, will try that tomorrow and let you know. Thx for your time. Best regards

[joachimmetz]

@nocomp shall I close this issue?

[nocomp]

Hi, yes pls do so, thx for your time.