log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Improve Spotlight store.db parser #3609

Closed joachimmetz closed 3 years ago

joachimmetz commented 3 years ago

Warnings seen in the end-to-end tests on the dean-macbook Greendale test image.

******************************** Warning: 13154 ********************************
           Message : unable to read record page at offset: 0x00041000 with
                     error: Unsupported property table type: 0x00001009
      Parser chain : spotlight_storedb
Path specification : type: OS, location:
                     dean-macbook.E01
                   : type: EWF
                   : type: TSK_PARTITION, location: /p2, part index: 5, start
                     offset: 0x12c06000
                   : type: APFS_CONTAINER, location: /apfs1, volume index: 0
                   : type: APFS, identifier: 859631, location:
                     /Users/dean/Library/Caches/com.apple.helpd/index.spotlightV3/.store.db
--------------------------------------------------------------------------------
joachimmetz commented 3 years ago

0x00001009 seems to be used for an lz4 compressed page
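The comment above points at a page the parser currently rejects because its property table type (0x1009) marks an LZ4 compressed page rather than a plain one. The following is an added example, not plaso's own code: a dependency-free decoder for a raw LZ4 block (the format LZ4 uses inside a frame, with no frame header) plus a small dispatcher that decompresses a page of type 0x1009 and otherwise raises the same "Unsupported property table type" error seen in the warning. The record header layout it reads (4-byte little-endian type, 4-byte little-endian decompressed size, then payload), the plain-page type value 0x0001 and the sample block are all constructed for illustration and are not the real .store.db layout.

```python
"""Added example (not plaso's code): decode an LZ4 block so that a page of
property table type 0x1009 can be handled instead of being reported as
'Unsupported property table type'.

Assumptions (constructed for illustration, not the real .store.db layout):
  - a page record starts with a 4-byte little-endian property table type,
  - followed by a 4-byte little-endian decompressed size,
  - followed by the payload; for type 0x1009 the payload is one raw LZ4 block.
"""
import struct
from typing import Optional

# Property table type that the issue reports as unsupported and that appears
# to mark an LZ4 compressed page.
PROPERTY_TABLE_TYPE_LZ4 = 0x1009
# Type value assumed here (not taken from the issue) to mean an uncompressed page.
PROPERTY_TABLE_TYPE_PLAIN = 0x0001


def _read_extended_length(data: bytes, pos: int, base: int, what: str):
    """Add the LZ4 length extension bytes to `base` until one is not 255."""
    while True:
        if pos >= len(data):
            raise ValueError(f"truncated {what} length")
        extra = data[pos]
        pos += 1
        base += extra
        if extra != 255:
            return base, pos


def lz4_block_decompress(data: bytes, expected_size: Optional[int] = None) -> bytes:
    """Decode a raw LZ4 block (no frame header) into its original bytes.

    A block is a series of sequences: a token byte whose high nibble is the
    literal length and whose low nibble is the match length minus 4 (a nibble
    of 15 means more length bytes follow), the literals, then a 2-byte
    little-endian back-reference offset and any match length extension bytes.
    The last sequence carries only literals.
    """
    out = bytearray()
    pos, end = 0, len(data)
    while pos < end:
        token = data[pos]
        pos += 1
        literal_len = token >> 4
        if literal_len == 15:
            literal_len, pos = _read_extended_length(data, pos, literal_len, "literal")
        if pos + literal_len > end:
            raise ValueError("literal run exceeds block size")
        out += data[pos:pos + literal_len]
        pos += literal_len
        if pos >= end:
            break  # last sequence: literals only, no match follows
        if pos + 2 > end:
            raise ValueError("truncated match offset")
        offset = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset points outside decoded data")
        match_len = token & 0x0F
        if match_len == 15:
            match_len, pos = _read_extended_length(data, pos, match_len, "match")
        match_len += 4  # minimum match length in LZ4 is 4
        # Byte-by-byte copy so that overlapping matches (offset < match length)
        # replicate bytes emitted during this same copy, as the format requires.
        start = len(out) - offset
        for i in range(match_len):
            out.append(out[start + i])
    if expected_size is not None and len(out) != expected_size:
        raise ValueError(f"decompressed {len(out)} bytes, expected {expected_size}")
    return bytes(out)


def read_page_payload(record: bytes) -> bytes:
    """Return the page payload, decompressing it when the type is 0x1009.

    Any other unknown type raises the same kind of error as the warning in
    the issue, so an unexpected page is surfaced rather than silently skipped.
    """
    table_type, size = struct.unpack_from("<II", record, 0)
    payload = record[8:]
    if table_type == PROPERTY_TABLE_TYPE_LZ4:
        return lz4_block_decompress(payload, expected_size=size)
    if table_type == PROPERTY_TABLE_TYPE_PLAIN:
        return payload[:size]
    raise ValueError(f"Unsupported property table type: 0x{table_type:08x}")


# Constructed LZ4 block: literals "abc", a 9-byte match at offset 3 (which
# overlaps the bytes being produced), then the final literals "XYZ".
SAMPLE_BLOCK = bytes([0x35]) + b"abc" + bytes([0x03, 0x00]) + bytes([0x30]) + b"XYZ"
SAMPLE_RECORD = struct.pack("<II", PROPERTY_TABLE_TYPE_LZ4, 15) + SAMPLE_BLOCK

if __name__ == "__main__":
    print(read_page_payload(SAMPLE_RECORD))  # b'abcabcabcabcXYZ'
```

The size check at the end of `lz4_block_decompress` is the part a parser most wants: a page whose decompressed length disagrees with the header is treated as corrupt rather than parsed further, and the offset bounds check keeps a malformed back-reference from reading outside the decoded buffer.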