log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

IndexError: list index out of range in _GetNormalizedPath #4890

Open N1ckelange opened 1 week ago

N1ckelange commented 1 week ago

Hello,

I upgraded Plaso to version 20230308, and I cannot parse an old Windows Citrix server disk image anymore (I'm not sure of the previous Plaso version; it was about 6 months old):

2024-06-24 19:44:49,957 [INFO] (MainProcess) PID:7288 Determined artifact definitions path: /usr/share/artifacts
Checking availability and versions of dependencies.
[OPTIONAL] unable to determine version information for: flor
[OK]

Source path : /mnt/hgfs/D/SystemC.001
Source type : storage media image
Processing time : 00:00:00

Processing started.
Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 33, in <module>
    sys.exit(load_entry_point('plaso==20240308', 'console_scripts', 'log2timeline')())
  File "/usr/lib/python3/dist-packages/plaso/scripts/log2timeline.py", line 81, in Main
    tool.ExtractEventsFromSources()
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 754, in ExtractEventsFromSources
    processing_status = self._ProcessSource(session, storage_writer)
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 446, in _ProcessSource
    system_configurations = extraction_engine.PreprocessSource(
  File "/usr/lib/python3/dist-packages/plaso/engine/engine.py", line 345, in PreprocessSource
    preprocess_manager.PreprocessPluginsManager.RunPlugins(
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/manager.py", line 351, in RunPlugins
    cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/manager.py", line 224, in CollectFromWindowsRegistry
    preprocess_plugin.Collect(mediator, artifact_definition, searcher)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/interface.py", line 264, in Collect
    self._ParseKey(mediator, registry_key, value_name)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/windows.py", line 487, in _ParseKey
    mediator.AddWindowsEventLogProvider(windows_event_log_provider)
  File "/usr/lib/python3/dist-packages/plaso/preprocessors/mediator.py", line 149, in AddWindowsEventLogProvider
    self._windows_eventlog_providers_helper.NormalizeMessageFiles(
  File "/usr/lib/python3/dist-packages/plaso/helpers/windows/eventlog_providers.py", line 102, in NormalizeMessageFiles
    event_log_provider.event_message_files = [
  File "/usr/lib/python3/dist-packages/plaso/helpers/windows/eventlog_providers.py", line 103, in <listcomp>
    self._GetNormalizedPath(path)
  File "/usr/lib/python3/dist-packages/plaso/helpers/windows/eventlog_providers.py", line 46, in _GetNormalizedPath
    elif not path_segments_lower[0] and path_segments_lower[1] in (
IndexError: list index out of range

The version of Plaso: 20240308

The operating system running Plaso: Ubuntu 22.04 in vmplayer

Command line and arguments: log2timeline.py --vss-stores all -z Europe/Paris --partitions all --parsers "windefender_history,win7_slow,sqlite/windows_timeline" --storage-file testcitrix.plaso /mnt/hgfs/D/SystemC.001

joachimmetz commented 1 week ago

Interesting, could you print/provide the path it is throwing the exception for? Also see https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html; single process debug mode might help here to obtain it.