log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Issue running tool using SIFT #4106

Closed cipherz404 closed 2 years ago

cipherz404 commented 2 years ago

When I try to run the tool against an E01, I get errors.

Please describe the problem in as much detail as possible. I would like the tool to process the E01 file so that I can examine the evidence.

Command line and arguments:

  1. log2timeline.py --storage-file timeline222.plaso 4dell.E01

Then I try other commands

  1. psteal.py --source 4dell.E01 -w /tmp/registnist4.csv

Source data:

The data I am using is a local copy of an E01 file.

Plaso version:

plaso - log2timeline version 20220428

Operating system Plaso is running on:

5.4.0-109-generic (SIFT workstation)

Not the operating system of the image/files you're trying to analyze.

Comes with SIFT. I only ran apt-get update && apt-get upgrade.

Debug output/tracebacks:

2022-05-08 15:11:49,618 [INFO] (MainProcess) PID:4230 Determined data location: /usr/share/plaso
2022-05-08 15:11:49,625 [INFO] (MainProcess) PID:4230 Determined artifact definitions path: /usr/share/artifacts
ERROR: Missing source path.

Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 99, in <module>
    if not Main():
  File "/usr/bin/log2timeline.py", line 73, in Main
    tool.ExtractEventsFromSources()
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 690, in ExtractEventsFromSources
    self.ScanSource(self._source_path)
  File "/usr/lib/python3/dist-packages/plaso/cli/storage_media_tool.py", line 642, in ScanSource
    base_path_specs = volume_scanner_object.GetBasePathSpecs(
  File "/usr/lib/python3/dist-packages/dfvfs/helpers/volume_scanner.py", line 675, in GetBasePathSpecs
    scan_context = self._ScanSource(source_path)
  File "/usr/lib/python3/dist-packages/dfvfs/helpers/volume_scanner.py", line 541, in _ScanSource
    self._source_scanner.Scan(scan_context)
  File "/usr/lib/python3/dist-packages/dfvfs/helpers/source_scanner.py", line 670, in Scan
    self._ScanNode(scan_context, scan_node, auto_recurse=auto_recurse)
  File "/usr/lib/python3/dist-packages/dfvfs/helpers/source_scanner.py", line 481, in _ScanNode
    source_path_spec = self.ScanForVolumeSystem(scan_node.path_spec)
  File "/usr/lib/python3/dist-packages/dfvfs/helpers/source_scanner.py", line 818, in ScanForVolumeSystem
    type_indicators = analyzer.Analyzer.GetVolumeSystemTypeIndicators(
  File "/usr/lib/python3/dist-packages/dfvfs/analyzer/analyzer.py", line 357, in GetVolumeSystemTypeIndicators
    type_indicators = cls._GetTypeIndicators(
  File "/usr/lib/python3/dist-packages/dfvfs/analyzer/analyzer.py", line 180, in _GetTypeIndicators
    file_object = resolver.Resolver.OpenFileObject(
  File "/usr/lib/python3/dist-packages/dfvfs/resolver/resolver.py", line 107, in OpenFileObject
    file_object.Open()
  File "/usr/lib/python3/dist-packages/dfvfs/file_io/file_io.py", line 89, in Open
    self._Open(mode=mode)
  File "/usr/lib/python3/dist-packages/dfvfs/file_io/file_object_io.py", line 43, in _Open
    self._file_object = self._OpenFileObject(self._path_spec)
  File "/usr/lib/python3/dist-packages/dfvfs/file_io/ewf_file_io.py", line 51, in _OpenFileObject
    segment_file_paths = pyewf.glob(parent_location)
MemoryError: pyewf_glob: unable to free globbed filenames. libewf_glob_free: invalid filenames.

joachimmetz commented 2 years ago

@cipherz404 we don't maintain SIFT (see: https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html), please reach out to the SIFT project. Check if you have a stable version of libewf/pyewf installed.