log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Unable to run against split E01 image files #41

Closed CdtDelta closed 9 years ago

CdtDelta commented 9 years ago

Using the latest update from the git repo (as of 11/20/2014 6:14pm UTC):

user@server:/mnt/cases/test_evidence$ log2timeline.py -o 2048 test_image_20141119.dump KINGSTON\ SV300S37A120G.E01
Traceback (most recent call last):
  File "/usr/local/bin/log2timeline.py", line 5, in <module>
    pkg_resources.run_script('plaso==1.1.1-20141119', 'log2timeline.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1401, in run_script
    exec(script_code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/plaso-1.1.1_20141119-py2.7.egg/EGG-INFO/scripts/log2timeline.py", line 428, in <module>

  File "/usr/local/lib/python2.7/dist-packages/plaso-1.1.1_20141119-py2.7.egg/EGG-INFO/scripts/log2timeline.py", line 418, in Main

  File "build/bdist.linux-x86_64/egg/plaso/frontend/frontend.py", line 1603, in ProcessSource
  File "build/bdist.linux-x86_64/egg/plaso/frontend/frontend.py", line 681, in ProcessSource
  File "build/bdist.linux-x86_64/egg/plaso/frontend/frontend.py", line 765, in ScanSource
  File "build/bdist.linux-x86_64/egg/dfvfs/helpers/source_scanner.py", line 407, in Scan
  File "build/bdist.linux-x86_64/egg/dfvfs/helpers/source_scanner.py", line 274, in _ScanNode
  File "build/bdist.linux-x86_64/egg/dfvfs/helpers/source_scanner.py", line 514, in ScanForVolumeSystem
  File "build/bdist.linux-x86_64/egg/dfvfs/analyzer/analyzer.py", line 211, in GetVolumeSystemTypeIndicators
  File "build/bdist.linux-x86_64/egg/dfvfs/analyzer/analyzer.py", line 102, in _GetTypeIndicators
  File "build/bdist.linux-x86_64/egg/dfvfs/resolver/resolver.py", line 106, in OpenFileObject
  File "build/bdist.linux-x86_64/egg/dfvfs/resolver/ewf_resolver_helper.py", line 45, in OpenFileObject
  File "build/bdist.linux-x86_64/egg/dfvfs/file_io/file_object_io.py", line 85, in open
  File "build/bdist.linux-x86_64/egg/dfvfs/file_io/ewf_file_io.py", line 69, in _OpenFileObject
IOError: pyewf_handle_open_file_objects: unable to open file. libewf_segment_table_append_segment_by_segment_file: invalid segment table. libewf_handle_open_file_io_pool: unable to append segment: 1 to segment table.

If I mount the E01 ahead of time with ewfmount, and then run log2timeline against that mount point, the program runs fine. This particular test image has four E0# segments.

joachimmetz commented 9 years ago

So the git version of libewf is still very experimental; I suggest that you use the source stable version found here: https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/. And if you're not using the git version of libewf, let me know.

joachimmetz commented 9 years ago

Seeing no reply, I assume it was the experimental version; closing the issue since it will be fixed when I have the time to work on the libewf experimental version.