log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

bash_history parser not finding any events #4218

Closed Mips128 closed 2 years ago

Mips128 commented 2 years ago

Hi,

I have come across a weird behaviour of plaso or, being more precise, of the bash_history parser.

My setup:
• Running plaso inside docker using plaso - log2timeline version 20220724 (official image)
• I am running this on an EWF file that contains one partition

I processed several Linux images with the linux preset. Various data_types / events were detected and stored in the plaso file, but no bash_history events, even though non-empty bash_history files exist. I have run this on test cases 1 and 2 of https://github.com/ashemery/LinuxForensics/tree/master/Workshops as well.

I also ran log2timeline with the following command, only activating the bash_history parser:

/usr/bin/log2timeline.py --parsers bash_history --storage_file bash.plaso WebserverBreach_root.E01

The output of pinfo for this file is:

            Filename : bash.plaso
      Format version : 20220716
Serialization format : json
--------------------------------------------------------------------------------

*********************************** Sessions ***********************************
e83a5bbd-70f6-47e1-92d8-73c8227b2e62 : 2022-09-01T18:56:12.005150+00:00
--------------------------------------------------------------------------------

******************************** Event sources *********************************
Total : 90812
--------------------------------------------------------------------------------

No events stored.

No events labels stored.

No warnings stored.

No analysis reports stored.

Running pinfo -v verifies that the several bash history files, which are not empty, were found.

Am I making a mistake or is this a bug? Thank you for any kind of support.

Dennis

joachimmetz commented 2 years ago

Am I making a mistake or is this a bug? Thank you for any kind of support.

What is the format of these bash history files, with or without a timestamp? See https://github.com/log2timeline/plaso/blob/main/plaso/parsers/bash_history.py#L42 for the expected format.

Mips128 commented 2 years ago

The bash_history is a standard bash_history file without timestamps. I have pasted one below. If I understand the python code correctly, the module only parses history files that contain a timestamp per line... Is this correct?

poweroff
whoami
id
pwd
vim /etc/passwd
ll
vim flag.txt 
cat .psql_history 
cd /var/www/html/
ll
cd jabc
ll
cat .htaccess 
ll
vim scripts/update.php
ls -lh scripts/
w
logout 
vim /var/log/lastlog 
logout 
passwd php 
logout 
cd /tmp/
ll
rm 37292.c 
cd
ls -lha
ls .cache/
cat .cache/motd.legal-displayed 
logout 
joachimmetz commented 2 years ago

If I understand the python code correctly, the module only parses history files that contain a timestamp per line... Is this correct?

That is correct: since Plaso is a time-lining tool, it is intended to work on "events" (with a time indication). There are ideas to support "timeless events" or "time ranges", but that comes with some conceptual challenges. For more context: https://osdfir.blogspot.com/2021/10/pearls-and-pitfalls-of-timeline-analysis.html
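To make the two exchanges above concrete (the maintainer's pointer to the expected format, and the explanation that commands without a time indication yield no event), here is a small added Python routine. It is not plaso's own parser and not code from this thread; it assumes the layout that bash writes when HISTTIMEFORMAT is set, namely a `#<epoch seconds>` line immediately before each command, and both sample histories are constructed for the illustration. Its value for an analyst is the second return value: the commands that a timeline tool has to skip, so they can be accounted for rather than silently lost.

```python
"""Separate timestamped bash history entries from timeless ones.

Added example, not plaso code. Assumes the HISTTIMEFORMAT layout:
a line '#<epoch seconds>' followed by the command on the next line.
"""
import datetime
import re

# A history timestamp line: '#' followed only by 9-10 decimal digits.
# Ordinary comment lines in a history file do not match this.
_TIMESTAMP_LINE = re.compile(r"^#(\d{9,10})$")


def parse_bash_history(text):
    """Return (events, timeless).

    events:   list of (datetime in UTC, command) for commands that were
              preceded by a '#<epoch>' line, i.e. what a timeline tool
              can place on the timeline.
    timeless: list of commands with no preceding timestamp line; a
              timeline tool has nothing to order them by, which is why a
              plain bash_history produces zero events in the issue above.
    """
    events = []
    timeless = []
    pending = None  # epoch seconds waiting for its command line
    for raw in text.splitlines():
        line = raw.rstrip()
        match = _TIMESTAMP_LINE.match(line)
        if match:
            pending = int(match.group(1))
            continue
        if not line:
            continue
        if pending is None:
            timeless.append(line)
        else:
            when = datetime.datetime.fromtimestamp(
                pending, tz=datetime.timezone.utc)
            events.append((when, line))
            pending = None
    return events, timeless


def summarize(text):
    """Counts an analyst would want before trusting a timeline: how many
    commands made it in, and how many were dropped for lack of a time."""
    events, timeless = parse_bash_history(text)
    return {"events": len(events), "timeless": len(timeless)}


# Constructed sample: a history written without HISTTIMEFORMAT.
NO_TIMESTAMP_SAMPLE = "whoami\nid\npwd\n"

# Constructed sample: the same commands with HISTTIMEFORMAT set.
# 1662000000 is 2022-09-01T02:40:00+00:00.
TIMESTAMPED_SAMPLE = "#1662000000\nwhoami\n#1662000005\nid\n#1662000009\npwd\n"


if __name__ == "__main__":
    for name, sample in (("plain", NO_TIMESTAMP_SAMPLE),
                         ("timestamped", TIMESTAMPED_SAMPLE)):
        events, timeless = parse_bash_history(sample)
        print(name, summarize(sample))
        for when, command in events:
            print("  ", when.isoformat(), command)
        for command in timeless:
            print("   (no time)", command)
```

Running it shows the asymmetry the thread is about: the plain file yields three timeless commands and no events, while the HISTTIMEFORMAT file yields three events with proper UTC timestamps and nothing timeless.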

Mips128 commented 2 years ago

Thanks for the answer. I hoped that either the timestamp of the parent element would be used or no timestamp would be assigned to the event. The reason for this is that we export all plaso events to timesketch or ELK for further analysis. Depending on the case, we try to narrow down the time of bash commands based on other events in the timeline...

joachimmetz commented 2 years ago

I would argue this falls into the category of "Law of the instrument" from the blog post.

From your perspective, how should this look in the timeline? What should the parent element be? What timestamp? What does that event represent?

joachimmetz commented 2 years ago

Seeing no follow-up, I'll consider this question answered.