search

log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0
1.73k stars 352 forks source link

log2timeline.py: Backtrace processing a Mac Image #51

Closed gregfreemyer closed 9 years ago

gregfreemyer commented 9 years ago

This is a 500GB image from a recent generation Mac Book Pro running Mavericks.

Processing the image continues, so this s a minor issue. Nothing in the backtrace seems related to log2timeline, so I I wonder if something stomped on memory it should not have? (Can that happen in python?)

Standard invocation:

log2tim\eline.py -d --logfile plaso-debug.log --workers 4 --offset 409640 plasodb /mnt-ewf/ewf1

Source path                             : /mnt-ewf/ewf1
Is storage media image or device        : True
Partition offset                        : 209735680 (0x0c805000)

*** Error in `/usr/bin/python': free(): invalid pointer: 0x0000000003aecd90 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x730bf)[0x7fe8739dc0bf]
/lib64/libc.so.6(+0x7892e)[0x7fe8739e192e]
/usr/lib64/libtsk.so.10(hfs_file_read_special+0x615)[0x7fe86c7c7045]
/usr/lib64/python2.7/site-packages/pytsk3.so(+0x1a2b9)[0x7fe86caa82b9]
/usr/lib64/python2.7/site-packages/pytsk3.so(+0xb4ec)[0x7fe86ca994ec]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x1295)[0x7fe873ff63e5]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7fe873ffc061]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7fe873ffc061]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7fe873ffc061]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7fe873ffc33e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7fe873ffc33e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7fe873ffc061]
/usr/lib64/libpython2.7.so.1.0(+0xb24db)[0x7fe873fe04db]
/usr/lib64/libpython2.7.so.1.0(PyObject_Call+0x46)[0x7fe873fdb6f6]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2227)[0x7fe873ff7377]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7fe873ffc061]
/usr/lib64/libpython2.7.so.1.0(+0xb225f)[0x7fe873fe025f]
/usr/lib64/libpython2.7.so.1.0(PyObject_Call+0x46)[0x7fe873fdb6f6]
/usr/lib64/libpython2.7.so.1.0(+0xae5da)[0x7fe873fdc5da]
/usr/lib64/libpython2.7.so.1.0(PyObject_Call+0x46)[0x7fe873fdb6f6]
/usr/lib64/libpython2.7.so.1.0(+0xbe839)[0x7fe873fec839]
/usr/lib64/libpython2.7.so.1.0(+0xbde6a)[0x7fe873febe6a]
/usr/lib64/libpython2.7.so.1.0(PyObject_Call+0x46)[0x7fe873fdb6f6]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x1481)[0x7fe873ff65d1]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7fe873ffc33e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7fe873ff5dc4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7fe873ff7b5e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7fe873ffc33e]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7fe874029142]
/usr/lib64/libpython2.7.so.1.0(+0x1078ad)[0x7fe8740358ad]
/usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7fe873fc36ad]
/usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x308)[0x7fe873fc4294]
/usr/lib64/libpython2.7.so.1.0(Py_Main+0xc60)[0x7fe873fcbe63]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fe87398ab05]
/usr/bin/python[0x40078e]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:03 1856928                            /usr/bin/python2.7
00600000-00601000 r--p 00000000 08:03 1856928                            /usr/bin/python2.7
00601000-00602000 rw-p 00001000 08:03 1856928                            /usr/bin/python2.7
024a3000-030ff000 rw-p 00000000 00:00 0                                  [heap]
030ff000-03ba2000 rw-p 00000000 00:00 0                                  [heap]
7fe8638d2000-7fe863ad3000 rw-p 00000000 00:00 0 
7fe863ad3000-7fe863ad4000 ---p 00000000 00:00 0 
7fe863ad4000-7fe864396000 rw-p 00000000 00:00 0                          [stack:20887]
7fe864396000-7fe864397000 ---p 00000000 00:00 0 
7fe864397000-7fe864b97000 rw-p 00000000 00:00 0                          [stack:20880]
7fe864b97000-7fe864ba2000 r-xp 00000000 08:03 1048619                    /lib64/libnss_files-2.19.so
7fe864ba2000-7fe864da1000 ---p 0000b000 08:03 1048619                    /lib64/libnss_files-2.19.so
7fe864da1000-7fe864da2000 r--p 0000a000 08:03 1048619                    /lib64/libnss_files-2.19.so
7fe864da2000-7fe864da3000 rw-p 0000b000 08:03 1048619                    /lib64/libnss_files-2.19.so
7fe864da3000-7fe864f66000 rw-p 00000000 00:00 0 
7fe864f66000-7fe864f67000 r-xp 00000000 08:03 1836266                    /usr/lib64/python2.7/site-packages/_psutil_posix.so
7fe864f67000-7fe865166000 ---p 00001000 08:03 1836266                    /usr/lib64/python2.7/site-packages/_psutil_posix.so
7fe865166000-7fe865167000 r--p 00000000 08:03 1836266                    /usr/lib64/python2.7/site-packages/_psutil_posix.so
7fe865167000-7fe865168000 rw-p 00001000 08:03 1836266                    /usr/lib64/python2.7/site-packages/_psutil_posix.so
7fe865168000-7fe86516a000 r-xp 00000000 08:03 1836071                    /usr/lib64/python2.7/site-packages/_psutil_linux.so
7fe86516a000-7fe86536a000 ---p 00002000 08:03 1836071                    /usr/lib64/python2.7/site-packages/_psutil_linux.so
7fe86536a000-7fe86536b000 r--p 00002000 08:03 1836071                    /usr/lib64/python2.7/site-packages/_psutil_linux.so
7fe86536b000-7fe86536c000 rw-p 00003000 08:03 1836071                    /usr/lib64/python2.7/site-packages/_psutil_linux.so
7fe86536c000-7fe86552c000 rw-p 00000000 00:00 0 
7fe86552c000-7fe86554b000 r-xp 00000000 08:03 1837043                    /usr/lib64/libyaml-0.so.2.0.4
7fe86554b000-7fe86574a000 ---p 0001f000 08:03 1837043                    /usr/lib64/libyaml-0.so.2.0.4
7fe86574a000-7fe86574b000 r--p 0001e000 08:03 1837043                    /usr/lib64/libyaml-0.so.2.0.4
7fe86574b000-7fe86574c000 rw-p 0001f000 08:03 1837043                    /usr/lib64/libyaml-0.so.2.0.4
7fe86574c000-7fe865776000 r-xp 00000000 08:03 1864150                    /usr/lib64/python2.7/site-packages/_yaml.so
7fe865776000-7fe865975000 ---p 0002a000 08:03 1864150                    /usr/lib64/python2.7/site-packages/_yaml.so
7fe865975000-7fe865976000 r--p 00029000 08:03 1864150                    /usr/lib64/python2.7/site-packages/_yaml.so
7fe865976000-7fe86597a000 rw-p 0002a000 08:03 1864150                    /usr/lib64/python2.7/site-packages/_yaml.so
7fe86597a000-7fe865afa000 rw-p 00000000 00:00 0 
7fe865afa000-7fe865b02000 r-xp 00000000 08:03 1857936                    /usr/lib64/python2.7/lib-dynload/_json.so
7fe865b02000-7fe865d01000 ---p 00008000 08:03 1857936                    /usr/lib64/python2.7/lib-dynload/_json.so
7fe865d01000-7fe865d02000 r--p 00007000 08:03 1857936                    /usr/lib64/python2.7/lib-dynload/_json.so
7fe865d02000-7fe865d03000 rw-p 00008000 08:03 1857936                    /usr/lib64/python2.7/lib-dynload/_json.so
7fe865d03000-7fe865d83000 rw-p 00000000 00:00 0 
7fe865d83000-7fe865dc1000 r-xp 00000000 08:03 1856854                    /usr/lib64/libregf.so.1.0.0
7fe865dc1000-7fe865fc0000 ---p 0003e000 08:03 1856854                    /usr/lib64/libregf.so.1.0.0
7fe865fc0000-7fe865fc1000 r--p 0003d000 08:03 1856854                    /usr/lib64/libregf.so.1.0.0
7fe865fc1000-7fe865fc2000 rw-p 0003e000 08:03 1856854                    /usr/lib64/libregf.so.1.0.0
7fe865fc2000-7fe865fd4000 r-xp 00000000 08:03 1853546                    /usr/lib64/python2.7/site-packages/pyregf.so
7fe865fd4000-7fe8661d3000 ---p 00012000 08:03 1853546                    /usr/lib64/python2.7/site-packages/pyregf.so
7fe8661d3000-7fe8661d4000 r--p 00011000 08:03 1853546                    /usr/lib64/python2.7/site-packages/pyregf.so
7fe8661d4000-7fe8661d6000 rw-p 00012000 08:03 1853546                    /usr/lib64/python2.7/site-packages/pyregf.so
7fe8661d6000-7fe866216000 rw-p 00000000 00:00 0 
7fe866216000-7fe8662b2000 r-xp 00000000 08:03 1839203                    /usr/lib64/libevtx.so.1.0.0
7fe8662b2000-7fe8664b2000 ---p 0009c000 08:03 1839203                    /usr/lib64/libevtx.so.1.0.0
7fe8664b2000-7fe8664b3000 r--p 0009c000 08:03 1839203                    /usr/lib64/libevtx.so.1.0.0
7fe8664b3000-7fe8664b7000 rw-p 0009d000 08:03 1839203                    /usr/lib64/libevtx.so.1.0.0
7fe8664b7000-7fe8664c9000 r-xp 00000000 08:03 1840124                    /usr/lib64/python2.7/site-packages/pyevtx.so
7fe8664c9000-7fe8666c8000 ---p 00012000 08:03 1840124                    /usr/lib64/python2.7/site-packages/pyevtx.so
7fe8666c8000-7fe8666c9000 r--p 00011000 08:03 1840124                    /usr/lib64/python2.7/site-packages/pyevtx.so
7fe8666c9000-7fe8666cb000 rw-p 00012000 08:03 1840124                    /usr/lib64/python2.7/site-packages/pyevtx.so
7fe8666cb000-7fe866721000 r-xp 00000000 08:03 1843519                    /usr/lib64/libevt.so.1.0.0
7fe866721000-7fe866920000 ---p 00056000 08:03 1843519                    /usr/lib64/libevt.so.1.0.0
7fe866920000-7fe866921000 r--p 00055000 08:03 1843519                    /usr/lib64/libevt.so.1.0.0
7fe866921000-7fe866924000 rw-p 00056000 08:03 1843519                    /usr/lib64/libevt.so.1.0.0
7fe866924000-7fe866936000 r-xp 00000000 08:03 1852398                    /usr/lib64/python2.7/site-packages/pyevt.so
7fe866936000-7fe866b36000 ---p 00012000 08:03 1852398                    /usr/lib64/python2.7/site-packages/pyevt.so
7fe866b36000-7fe866b37000 r--p 00012000 08:03 1852398                    /usr/lib64/python2.7/site-packages/pyevt.so
7fe866b37000-7fe866b39000 rw-p 00013000 08:03 1852398                    /usr/lib64/python2.7/site-packages/pyevt.so
7fe866b39000-7fe866bf6000 r-xp 00000000 08:03 1838171                    /usr/lib64/libsqlite3.so.0.8.6
7fe866bf6000-7fe866df6000 ---p 000bd000 08:03 1838171                    /usr/lib64/libsqlite3.so.0.8.6
7fe866df6000-7fe866df8000 r--p 000bd000 08:03 1838171                    /usr/lib64/libsqlite3.so.0.8.6
7fe866df8000-7fe866dfb000 rw-p 000bf000 08:03 1838171                    /usr/lib64/libsqlite3.so.0.8.6
7fe866dfb000-7fe866e0d000 r-xp 00000000 08:03 1877975                    /usr/lib64/python2.7/lib-dynload/_sqlite3.so
7fe866e0d000-7fe86700c000 ---p 00012000 08:03 1877975                    /usr/lib64/python2.7/lib-dynload/_sqlite3.so
7fe86700c000-7fe86700d000 r--p 00011000 08:03 1877975                    /usr/lib64/python2.7/lib-dynload/_sqlite3.so
7fe86700d000-7fe86700f000 rw-p 00012000 08:03 1877975                    /usr/lib64/python2.7/lib-dynload/_sqlite3.so
7fe86700f000-7fe867050000 rw-p 00000000 00:00 0 
7fe867050000-7fe867080000 r-xp 00000000 08:03 1863397                    /usr/lib64/python2.7/lib-dynload/pyexpat.so
7fe867080000-7fe86727f000 ---p 00030000 08:03 1863397                    /usr/lib64/python2.7/lib-dynload/pyexpat.so
7fe86727f000-7fe867282000 r--p 0002f000 08:03 1863397                    /usr/lib64/python2.7/lib-dynload/pyexpat.so
7fe867282000-7fe867284000 rw-p 00032000 08:03 1863397                    /usr/lib64/python2.7/lib-dynload/pyexpat.so
7fe867284000-7fe86728d000 r-xp 00000000 08:03 1859531                    /usr/lib64/python2.7/lib-dynload/array.so
7fe86728d000-7fe86748c000 ---p 00009000 08:03 1859531                    /usr/lib64/python2.7/lib-dynload/array.so
7fe86748c000-7fe86748d000 r--p 00008000 08:03 1859531                    /usr/lib64/python2.7/lib-dynload/array.so
7fe86748d000-7fe86748f000 rw-p 00009000 08:03 1859531                    /usr/lib64/python2.7/lib-dynload/array.so
7fe86748f000-7fe8674e7000 r-xp 00000000 08:03 1839081                    /usr/lib64/libolecf.so.1.0.0
7fe8674e7000-7fe8676e7000 ---p 00058000 08:03 1839081                    /usr/lib64/libolecf.so.1.0.0
7fe8676e7000-7fe8676e8000 r--p 00058000 08:03 1839081                    /usr/lib64/libolecf.so.1.0.0
7fe8676e8000-7fe8676e9000 rw-p 00059000 08:03 1839081                    /usr/lib64/libolecf.so.1.0.0
7fe8676e9000-7fe867714000 r-xp 00000000 08:03 1853569                    /usr/lib64/python2.7/site-packages/pyolecf.so
7fe867714000-7fe867913000 ---p 0002b000 08:03 1853569                    /usr/lib64/python2.7/site-packages/pyolecf.so
7fe867913000-7fe867914000 r--p 0002a000 08:03 1853569                    /usr/lib64/python2.7/site-packages/pyolecf.so
7fe867914000-7fe867917000 rw-p 0002b000 08:03 1853569                    /usr/lib64/python2.7/site-packages/pyolecf.so
7fe867917000-7fe86794a000 r-xp 00000000 08:03 1835360                    /usr/lib64/libmsiecf.so.1.0.0
7fe86794a000-7fe867b4a000 ---p 00033000 08:03 1835360                    /usr/lib64/libmsiecf.so.1.0.0
7fe867b4a000-7fe867b4b000 r--p 00033000 08:03 1835360                    /usr/lib64/libmsiecf.so.1.0.0
7fe867b4b000-7fe867b4c000 rw-p 00034000 08:03 1835360                    /usr/lib64/libmsiecf.so.1.0.0
7fe867b4c000-7fe867b5f000 r-xp 00000000 08:03 1853572                    /usr/lib64/python2.7/site-packages/pymsiecf.so
7fe867b5f000-7fe867d5e000 ---p 00013000 08:03 1853572                    /usr/lib64/python2.7/site-packages/pymsiecf.so
7fe867d5e000-7fe867d5f000 r--p 00012000 08:03 1853572                    /usr/lib64/python2.7/site-packages/pymsiecf.so
7fe867d5f000-7fe867d61000 rw-p 00013000 08:03 1853572                    /usr/lib64/python2.7/site-packages/pymsiecf.so
7fe867d61000-7fe867d67000 r-xp 00000000 08:03 1857909                    /usr/lib64/python2.7/lib-dynload/_csv.so
7fe867d67000-7fe867f66000 ---p 00006000 08:03 1857909                    /usr/lib64/python2.7/lib-dynload/_csv.so
7fe867f66000-7fe867f67000 r--p 00005000 08:03 1857909                    /usr/lib64/python2.7/lib-dynload/_csv.so
7fe867f67000-7fe867f69000 rw-p 00006000 08:03 1857909                    /usr/lib64/python2.7/lib-dynload/_csv.so
7fe867f69000-7fe86878b000 rw-p 00000000 00:00 0 
7fe86878b000-7fe8688bb000 r--p 00000000 08:03 1837781                    /usr/lib/locale/en_US.utf8/LC_COLLATE
7fe8688bb000-7fe86897b000 rw-p 00000000 00:00 0 
7fe86897b000-7fe8689ec000 r-xp 00000000 08:03 1864015                    /usr/lib64/libesedb.so.1.0.0
7fe8689ec000-7fe868bec000 ---p 00071000 08:03 1864015                    /usr/lib64/libesedb.so.1.0.0
7fe868bec000-7fe868bed000 r--p 00071000 08:03 1864015                    /usr/lib64/libesedb.so.1.0.0
7fe868bed000-7fe868bf1000 rw-p 00072000 08:03 1864015                    /usr/lib64/libesedb.so.1.0.0
7fe868bf1000-7fe868c0a000 r-xp 00000000 08:03 1839061                    /usr/lib64/python2.7/site-packages/pyesedb.so
7fe868c0a000-7fe868e09000 ---p 00019000 08:03 1839061                    /usr/lib64/python2.7/site-packages/pyesedb.so
7fe868e09000-7fe868e0a000 r--p 00018000 08:03 1839061                    /usr/lib64/python2.7/site-packages/pyesedb.so
7fe868e0a000-7fe868e0d000 rw-p 00019000 08:03 1839061                    /usr/lib64/python2.7/site-packages/pyesedb.so
7fe868e0d000-7fe868ee1000 r-xp 00000000 08:03 1842130                    /usr/lib64/libfwsi.so.1.0.0
7fe868ee1000-7fe8690e0000 ---p 000d4000 08:03 1842130                    /usr/lib64/libfwsi.so.1.0.0
7fe8690e0000-7fe8690e2000 r--p 000d3000 08:03 1842130                    /usr/lib64/libfwsi.so.1.0.0
7fe8690e2000-7fe8690e4000 rw-p 000d5000 08:03 1842130                    /usr/lib64/libfwsi.so.1.0.0
7fe8690e4000-7fe8691a2000 r-xp 00000000 08:03 1842127                    /usr/lib64/python2.7/site-packages/pyfwsi.so
7fe8691a2000-7fe8693a1000 ---p 000be000 08:03 1842127                    /usr/lib64/python2.7/site-packages/pyfwsi.so
7fe8693a1000-7fe8693a3000 r--p 000bd000 08:03 1842127                    /usr/lib64/python2.7/site-packages/pyfwsi.so
7fe8693a3000-7fe8693a6000 rw-p 000bf000 08:03 1842127                    /usr/lib64/python2.7/site-packages/pyfwsi.so
7fe8693a6000-7fe8693d5000 r-xp 00000000 08:03 1837104                    /usr/lib64/liblnk.so.1.0.0
7fe8693d5000-7fe8695d4000 ---p 0002f000 08:03 1837104                    /usr/lib64/liblnk.so.1.0.0
7fe8695d4000-7fe8695d5000 r--p 0002e000 08:03 1837104                    /usr/lib64/liblnk.so.1.0.0
7fe8695d5000-7fe8695d7000 rw-p 0002f000 08:03 1837104                    /usr/lib64/liblnk.so.1.0.0
7fe8695d7000-7fe8695e8000 r-xp 00000000 08:03 1842135                    /usr/lib64/python2.7/site-packages/pylnk.so
7fe8695e8000-7fe8697e7000 ---p 00011000 08:03 1842135                    /usr/lib64/python2.7/site-packages/pylnk.so
7fe8697e7000-7fe8697e8000 r--p 00010000 08:03 1842135                    /usr/lib64/python2.7/site-packages/pylnk.so
7fe8697e8000-7fe8697ea000 rw-p 00011000 08:03 1842135                    /usr/lib64/python2.7/site-packages/pylnk.so
7fe8697ea000-7fe86986a000 rw-p 00000000 00:00 0 
7fe86986a000-7fe86986c000 r-xp 00000000 08:03 1857882                    /usr/lib64/python2.7/lib-dynload/_bisect.so
7fe86986c000-7fe869a6b000 ---p 00002000 08:03 1857882                    /usr/lib64/python2.7/lib-dynload/_bisect.so
7fe869a6b000-7fe869a6c000 r--p 00001000 08:03 1857882                    /usr/lib64/python2.7/lib-dynload/_bisect.so
7fe869a6c000-7fe869a6d000 rw-p 00002000 08:03 1857882                    /usr/lib64/python2.7/lib-dynload/_bisect.so
7fe869a6d000-7fe869aad000 rw-p 00000000 00:00 0 
7fe869aad000-7fe869ab8000 r-xp 00000000 08:03 1860654                    /usr/lib64/python2.7/lib-dynload/parser.so
7fe869ab8000-7fe869cb7000 ---p 0000b000 08:03 1860654                    /usr/lib64/python2.7/lib-dynload/parser.so
7fe869cb7000-7fe869cb8000 r--p 0000a000 08:03 1860654                    /usr/lib64/python2.7/lib-dynload/parser.so
7fe869cb8000-7fe869cb9000 rw-p 0000b000 08:03 1860654                    /usr/lib64/python2.7/lib-dynload/parser.so
7fe869cb9000-7fe869cf9000 rw-p 00000000 00:00 0 
7fe869cf9000-7fe869d01000 r-xp 00000000 08:03 1861441                    /usr/lib64/python2.7/lib-dynload/_ssl.so
7fe869d01000-7fe869f00000 ---p 00008000 08:03 1861441                    /usr/lib64/python2.7/lib-dynload/_ssl.so
7fe869f00000-7fe869f01000 r--p 00007000 08:03 1861441                    /usr/lib64/python2.7/lib-dynload/_ssl.so
7fe869f01000-7fe869f02000 rw-p 00008000 08:03 1861441                    /usr/lib64/python2.7/lib-dynload/_ssl.so
7fe869f02000-7fe869f10000 r-xp 00000000 08:03 1859528                    /usr/lib64/python2.7/lib-dynload/_socket.so
7fe869f10000-7fe86a10f000 ---p 0000e000 08:03 1859528                    /usr/lib64/python2.7/lib-dynload/_socket.so
7fe86a10f000-7fe86a110000 r--p 0000d000 08:03 1859528                    /usr/lib64/python2.7/lib-dynload/_socket.so
7fe86a110000-7fe86a115000 rw-p 0000e000 08:03 1859528                    /usr/lib64/python2.7/lib-dynload/_socket.so
7fe86a115000-7fe86a295000 rw-p 00000000 00:00 0 
7fe86a295000-7fe86a299000 r-xp 00000000 08:03 1843425                    /usr/lib64/libuuid.so.1.3.0
7fe86a299000-7fe86a498000 ---p 00004000 08:03 1843425                    /usr/lib64/libuuid.so.1.3.0
7fe86a498000-7fe86a499000 r--p 00003000 08:03 1843425                    /usr/lib64/libuuid.so.1.3.0
7fe86a499000-7fe86a49a000 rw-p 00004000 08:03 1843425                    /usr/lib64/libuuid.so.1.3.0
7fe86a49a000-7fe86a49d000 r-xp 00000000 08:03 1859412                    /usr/lib64/python2.7/lib-dynload/_random.so
7fe86a49d000-7fe86a69c000 ---p 00003000 08:03 1859412                    /usr/lib64/python2.7/lib-dynload/_random.so
7fe86a69c000-7fe86a69d000 r--p 00002000 08:03 1859412                    /usr/lib64/python2.7/lib-dynload/_random.so
7fe86a69d000-7fe86a69e000 rw-p 00003000 08:03 1859412                    /usr/lib64/python2.7/lib-dynload/_random.so
7fe86a69e000-7fe86a6fb000 r-xp 00000000 08:03 1048666                    /lib64/libssl.so.1.0.0
7fe86a6fb000-7fe86a8fb000 ---p 0005d000 08:03 1048666                    /lib64/libssl.so.1.0.0
7fe86a8fb000-7fe86a8ff000 r--p 0005d000 08:03 1048666                    /lib64/libssl.so.1.0.0
7fe86a8ff000-7fe86a905000 rw-p 00061000 08:03 1048666                    /lib64/libssl.so.1.0.0
7fe86a905000-7fe86a909000 r-xp 00000000 08:03 1861439                    /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fe86a909000-7fe86ab08000 ---p 00004000 08:03 1861439                    /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fe86ab08000-7fe86ab09000 r--p 00003000 08:03 1861439                    /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fe86ab09000-7fe86ab0a000 rw-p 00004000 08:03 1861439                    /usr/lib64/python2.7/lib-dynload/_hashlib.so
7fe86ab0a000-7fe86ab12000 r-xp 00000000 08:03 1860649                    /usr/lib64/python2.7/lib-dynload/math.so
7fe86ab12000-7fe86ad11000 ---p 00008000 08:03 1860649                    /usr/lib64/python2.7/lib-dynload/math.so
7fe86ad11000-7fe86ad12000 r--p 00007000 08:03 1860649                    /usr/lib64/python2.7/lib-dynload/math.so
7fe86ad12000-7fe86ad14000 rw-p 00008000 08:03 1860649                    /usr/lib64/python2.7/lib-dynload/math.so
7fe86ad14000-7fe86ad54000 rw-p 00000000 00:00 0 
7fe86ad54000-7fe86ad73000 r-xp 00000000 08:03 1857913                    /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fe86ad73000-7fe86af73000 ---p 0001f000 08:03 1857913                    /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fe86af73000-7fe86af74000 r--p 0001f000 08:03 1857913                    /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fe86af74000-7fe86af78000 rw-p 00020000 08:03 1857913                    /usr/lib64/python2.7/lib-dynload/_ctypes.so
7fe86af78000-7fe86afb9000 rw-p 00000000 00:00 0 
7fe86afb9000-7fe86afd5000 r-xp 00000000 08:03 1857935                    /usr/lib64/python2.7/lib-dynload/_io.so
7fe86afd5000-7fe86b1d5000 ---p 0001c000 08:03 1857935                    /usr/lib64/python2.7/lib-dynload/_io.so
7fe86b1d5000-7fe86b1d6000 r--p 0001c000 08:03 1857935                    /usr/lib64/python2.7/lib-dynload/_io.so
7fe86b1d6000-7fe86b1e0000 rw-p 0001d000 08:03 1857935                    /usr/lib64/python2.7/lib-dynload/_io.so
7fe86b1e0000-7fe86b206000 r-xp 00000000 08:03 1838741                    /usr/lib64/libvshadow.so.1.0.0
7fe86b206000-7fe86b406000 ---p 00026000 08:03 1838741                    /usr/lib64/libvshadow.so.1.0.0
7fe86b406000-7fe86b407000 r--p 00026000 08:03 1838741                    /usr/lib64/libvshadow.so.1.0.0
7fe86b407000-7fe86b408000 rw-p 00027000 08:03 1838741                    /usr/lib64/libvshadow.so.1.0.0
7fe86b408000-7fe86b41f000 r-xp 00000000 08:03 1863290                    /usr/lib64/python2.7/site-packages/pyvshadow.so
7fe86b41f000-7fe86b61e000 ---p 00017000 08:03 1863290                    /usr/lib64/python2.7/site-packages/pyvshadow.so
7fe86b61e000-7fe86b61f000 r--p 00016000 08:03 1863290                    /usr/lib64/python2.7/site-packages/pyvshadow.so
7fe86b61f000-7fe86b621000 rw-p 00017000 08:03 1863290                    /usr/lib64/python2.7/site-packages/pyvshadow.so
7fe86b621000-7fe86b711000 r-xp 00000000 08:03 1864008                    /usr/lib64/libvmdk.so.1.0.0
7fe86b711000-7fe86b911000 ---p 000f0000 08:03 1864008                    /usr/lib64/libvmdk.so.1.0.0
7fe86b911000-7fe86b913000 r--p 000f0000 08:03 1864008                    /usr/lib64/libvmdk.so.1.0.0
7fe86b913000-7fe86b914000 rw-p 000f2000 08:03 1864008                    /usr/lib64/libvmdk.so.1.0.0
7fe86b914000-7fe86b9b8000 r-xp 00000000 08:03 1863291                    /usr/lib64/python2.7/site-packages/pyvmdk.so
7fe86b9b8000-7fe86bbb8000 ---p 000a4000 08:03 1863291                    /usr/lib64/python2.7/site-packages/pyvmdk.so
7fe86bbb8000-7fe86bbba000 r--p 000a4000 08:03 1863291                    /usr/lib64/python2.7/site-packages/pyvmdk.so
7fe86bbba000-7fe86bbbc000 rw-p 000a6000 08:03 1863291                    /usr/lib64/python2.7/site-packages/pyvmdk.so
7fe86bbbc000-7fe86bbe3000 r-xp 00000000 08:03 1864009                    /usr/lib64/libvhdi.so.1.0.0
7fe86bbe3000-7fe86bde2000 ---p 00027000 08:03 1864009                    /usr/lib64/libvhdi.so.1.0.0
7fe86bde2000-7fe86bde3000 r--p 00026000 08:03 1864009                    /usr/lib64/libvhdi.so.1.0.0
7fe86bde3000-7fe86bde4000 rw-p 00027000 08:03 1864009                    /usr/lib64/libvhdi.so.1.0.0
7fe86bde4000-7fe86bdee000 r-xp 00000000 08:03 1836609                    /usr/lib64/python2.7/site-packages/pyvhdi.so
7fe86bdee000-7fe86bfed000 ---p 0000a000 08:03 1836609                    /usr/lib64/python2.7/site-packages/pyvhdi.so
7fe86bfed000-7fe86bfee000 r--p 00009000 08:03 1836609                    /usr/lib64/python2.7/site-packages/pyvhdi.so
7fe86bfee000-7fe86bfef000 rw-p 0000a000 08:03 1836609                    /usr/lib64/python2.7/site-packages/pyvhdi.so
7fe86bfef000-7fe86c02f000 rw-p 00000000 00:00 0 
7fe86c02f000-7fe86c045000 r-xp 00000000 08:03 1048704                    /lib64/libgcc_s.so.1
7fe86c045000-7fe86c244000 ---p 00016000 08:03 1048704                    /lib64/libgcc_s.so.1
7fe86c244000-7fe86c245000 r--p 00015000 08:03 1048704                    /lib64/libgcc_s.so.1
7fe86c245000-7fe86c246000 rw-p 00016000 08:03 1048704                    /lib64/libgcc_s.so.1
7fe86c246000-7fe86c330000 r-xp 00000000 08:03 1835518                    /usr/lib64/libstdc++.so.6.0.19
7fe86c330000-7fe86c52f000 ---p 000ea000 08:03 1835518                    /usr/lib64/libstdc++.so.6.0.19
7fe86c52f000-7fe86c537000 r--p 000e9000 08:03 1835518                    /usr/lib64/libstdc++.so.6.0.19
7fe86c537000-7fe86c539000 rw-p 000f1000 08:03 1835518                    /usr/lib64/libstdc++.so.6.0.19
7fe86c539000-7fe86c54e000 rw-p 00000000 00:00 0 
7fe86c54e000-7fe86c55c000 r-xp 00000000 08:03 1837889                    /usr/lib64/libtalloc.so.2.1.1
7fe86c55c000-7fe86c75b000 ---p 0000e000 08:03 1837889                    /usr/lib64/libtalloc.so.2.1.1
7fe86c75b000-7fe86c75c000 r--p 0000d000 08:03 1837889                    /usr/lib64/libtalloc.so.2.1.1
7fe86c75c000-7fe86c75d000 rw-p 0000e000 08:03 1837889                    /usr/lib64/libtalloc.so.2.1.1
7fe86c75d000-7fe86c888000 r-xp 00000000 08:03 1864004                    /usr/lib64/libtsk.so.10.2.0
7fe86c888000-7fe86ca87000 ---p 0012b000 08:03 1864004                    /usr/lib64/libtsk.so.10.2.0
7fe86ca87000-7fe86ca89000 r--p 0012a000 08:03 1864004                    /usr/lib64/libtsk.so.10.2.0
7fe86ca89000-7fe86ca8e000 rw-p 0012c000 08:03 1864004                    /usr/lib64/libtsk.so.10.2.0
7fe86ca8e000-7fe86cab2000 r-xp 00000000 08:03 1837525                    /usr/lib64/python2.7/site-packages/pytsk3.so
7fe86cab2000-7fe86ccb2000 ---p 00024000 08:03 1837525                    /usr/lib64/python2.7/site-packages/pytsk3.so
7fe86ccb2000-7fe86ccb3000 r--p 00024000 08:03 1837525                    /usr/lib64/python2.7/site-packages/pytsk3.so
7fe86ccb3000-7fe86ccbd000 rw-p 00025000 08:03 1837525                    /usr/lib64/python2.7/site-packages/pytsk3.so
7fe86ccbd000-7fe86ccbe000 rw-p 00000000 00:00 0 
7fe86ccbe000-7fe86ccc0000 r-xp 00000000 08:03 1860427                    /usr/lib64/python2.7/lib-dynload/grp.so
7fe86ccc0000-7fe86cebf000 ---p 00002000 08:03 1860427                    /usr/lib64/python2.7/lib-dynload/grp.so
7fe86cebf000-7fe86cec0000 r--p 00001000 08:03 1860427                    /usr/lib64/python2.7/lib-dynload/grp.so
7fe86cec0000-7fe86cec1000 rw-p 00002000 08:03 1860427                    /usr/lib64/python2.7/lib-dynload/grp.so
7fe86cec1000-7fe86cf01000 rw-p 00000000 00:00 0 
7fe86cf01000-7fe86cf53000 r-xp 00000000 08:03 1864011                    /usr/lib64/libsmraw.so.1.0.0
7fe86cf53000-7fe86d152000 ---p 00052000 08:03 1864011                    /usr/lib64/libsmraw.so.1.0.0
7fe86d152000-7fe86d153000 r--p 00051000 08:03 1864011                    /usr/lib64/libsmraw.so.1.0.0
7fe86d153000-7fe86d154000 rw-p 00052000 08:03 1864011                    /usr/lib64/libsmraw.so.1.0.0
7fe86d154000-7fe86d15f000 r-xp 00000000 08:03 1842242                    /usr/lib64/python2.7/site-packages/pysmraw.so
7fe86d15f000-7fe86d35e000 ---p 0000b000 08:03 1842242                    /usr/lib64/python2.7/site-packages/pysmraw.so
7fe86d35e000-7fe86d35f000 r--p 0000a000 08:03 1842242                    /usr/lib64/python2.7/site-packages/pysmraw.so
7fe86d35f000-7fe86d360000 rw-p 0000b000 08:03 1842242                    /usr/lib64/python2.7/site-packages/pysmraw.so
7fe86d360000-7fe86d387000 r-xp 00000000 08:03 1842846                    /usr/lib64/libqcow.so.1.0.0
7fe86d387000-7fe86d586000 ---p 00027000 08:03 1842846                    /usr/lib64/libqcow.so.1.0.0
7fe86d586000-7fe86d587000 r--p 00026000 08:03 1842846                    /usr/lib64/libqcow.so.1.0.0
7fe86d587000-7fe86d588000 rw-p 00027000 08:03 1842846                    /usr/lib64/libqcow.so.1.0.0
7fe86d588000-7fe86d591000 r-xp 00000000 08:03 1864003                    /usr/lib64/python2.7/site-packages/pyqcow.so
7fe86d591000-7fe86d791000 ---p 00009000 08:03 1864003                    /usr/lib64/python2.7/site-packages/pyqcow.so
7fe86d791000-7fe86d792000 r--p 00009000 08:03 1864003                    /usr/lib64/python2.7/site-packages/pyqcow.so
7fe86d792000-7fe86d793000 rw-p 0000a000 08:03 1864003                    /usr/lib64/python2.7/site-packages/pyqcow.so
7fe86d793000-7fe86d7a2000 r-xp 00000000 08:03 1864418                    /usr/lib64/libsmdev.so.1.0.0
7fe86d7a2000-7fe86d9a1000 ---p 0000f000 08:03 1864418                    /usr/lib64/libsmdev.so.1.0.0
7fe86d9a1000-7fe86d9a2000 r--p 0000e000 08:03 1864418                    /usr/lib64/libsmdev.so.1.0.0
7fe86d9a2000-7fe86d9a3000 rw-p 0000f000 08:03 1864418                    /usr/lib64/libsmdev.so.1.0.0
7fe86d9a3000-7fe86d9aa000 r-xp 00000000 08:03 1853540                    /usr/lib64/python2.7/site-packages/pysmdev.so
7fe86d9aa000-7fe86dba9000 ---p 00007000 08:03 1853540                    /usr/lib64/python2.7/site-packages/pysmdev.so
7fe86dba9000-7fe86dbaa000 r--p 00006000 08:03 1853540                    /usr/lib64/python2.7/site-packages/pysmdev.so
7fe86dbaa000-7fe86dbab000 rw-p 00007000 08:03 1853540                    /usr/lib64/python2.7/site-packages/pysmdev.so
7fe86dbab000-7fe86dcab000 rw-p 00000000 00:00 0 
7fe86dcab000-7fe86dd72000 r-xp 00000000 08:03 1837900                    /usr/lib64/libewf.so.2.0.0
7fe86dd72000-7fe86df71000 ---p 000c7000 08:03 1837900                    /usr/lib64/libewf.so.2.0.0
7fe86df71000-7fe86df72000 r--p 000c6000 08:03 1837900                    /usr/lib64/libewf.so.2.0.0
7fe86df72000-7fe86df74000 rw-p 000c7000 08:03 1837900                    /usr/lib64/libewf.so.2.0.0
7fe86df74000-7fe86df88000 r-xp 00000000 08:03 1853574                    /usr/lib64/python2.7/site-packages/pyewf.so
7fe86df88000-7fe86e187000 ---p 00014000 08:03 1853574                    /usr/lib64/python2.7/site-packages/pyewf.so
7fe86e187000-7fe86e188000 r--p 00013000 08:03 1853574                    /usr/lib64/python2.7/site-packages/pyewf.so
7fe86e188000-7fe86e18a000 rw-p 00014000 08:03 1853574                    /usr/lib64/python2.7/site-packages/pyewf.so
7fe86e18a000-7fe86e18e000 r-xp 00000000 08:03 1860944                    /usr/lib64/python2.7/lib-dynload/zlib.so
7fe86e18e000-7fe86e38d000 ---p 00004000 08:03 1860944                    /usr/lib64/python2.7/lib-dynload/zlib.so
7fe86e38d000-7fe86e38e000 r--p 00003000 08:03 1860944                    /usr/lib64/python2.7/lib-dynload/zlib.so
7fe86e38e000-7fe86e390000 rw-p 00004000 08:03 1860944                    /usr/lib64/python2.7/lib-dynload/zlib.so
7fe86e390000-7fe86e39e000 r-xp 00000000 08:03 1842343                    /usr/lib64/libbz2.so.1.0.6
7fe86e39e000-7fe86e59d000 ---p 0000e000 08:03 1842343                    /usr/lib64/libbz2.so.1.0.6
7fe86e59d000-7fe86e59e000 r--p 0000d000 08:03 1842343                    /usr/lib64/libbz2.so.1.0.6
7fe86e59e000-7fe86e59f000 rw-p 0000e000 08:03 1842343                    /usr/lib64/libbz2.so.1.0.6
7fe86e59f000-7fe86e5a6000 r-xp 00000000 08:03 1859682                    /usr/lib64/python2.7/lib-dynload/bz2.so
7fe86e5a6000-7fe86e7a5000 ---p 00007000 08:03 1859682                    /usr/lib64/python2.7/lib-dynload/bz2.so
7fe86e7a5000-7fe86e7a6000 r--p 00006000 08:03 1859682                    /usr/lib64/python2.7/lib-dynload/bz2.so
7fe86e7a6000-7fe86e7a8000 rw-p 00007000 08:03 1859682                    /usr/lib64/python2.7/lib-dynload/bz2.so
7fe86e7a8000-7fe86e7e8000 rw-p 00000000 00:00 0 
7fe86e7e8000-7fe86e7f9000 r-xp 00000000 08:03 1859918                    /usr/lib64/python2.7/lib-dynload/datetime.so
7fe86e7f9000-7fe86e9f9000 ---p 00011000 08:03 1859918                    /usr/lib64/python2.7/lib-dynload/datetime.so
7fe86e9f9000-7fe86e9fa000 r--p 00011000 08:03 1859918                    /usr/lib64/python2.7/lib-dynload/datetime.so
7fe86e9fa000-7fe86e9fe000 rw-p 00012000 08:03 1859918                    /usr/lib64/python2.7/lib-dynload/datetime.so
7fe86e9fe000-7fe86ea3e000 rw-p 00000000 00:00 0 
7fe86ea3e000-7fe86ea42000 r-xp 00000000 08:03 1852116                    /usr/lib64/libcsplit.so.1.0.0
7fe86ea42000-7fe86ec41000 ---p 00004000 08:03 1852116                    /usr/lib64/libcsplit.so.1.0.0
7fe86ec41000-7fe86ec42000 r--p 00003000 08:03 1852116                    /usr/lib64/libcsplit.so.1.0.0
7fe86ec42000-7fe86ec43000 rw-p 00004000 08:03 1852116                    /usr/lib64/libcsplit.so.1.0.0
7fe86ec43000-7fe86ee3a000 r-xp 00000000 08:03 1048664                    /lib64/libcrypto.so.1.0.0
7fe86ee3a000-7fe86f039000 ---p 001f7000 08:03 1048664                    /lib64/libcrypto.so.1.0.0
7fe86f039000-7fe86f054000 r--p 001f6000 08:03 1048664                    /lib64/libcrypto.so.1.0.0
7fe86f054000-7fe86f061000 rw-p 00211000 08:03 1048664                    /lib64/libcrypto.so.1.0.0
7fe86f061000-7fe86f065000 rw-p 00000000 00:00 0 
7fe86f065000-7fe86f067000 r-xp 00000000 08:03 1837214                    /usr/lib64/libcerror.so.1.0.0
7fe86f067000-7fe86f266000 ---p 00002000 08:03 1837214                    /usr/lib64/libcerror.so.1.0.0
7fe86f266000-7fe86f267000 r--p 00001000 08:03 1837214                    /usr/lib64/libcerror.so.1.0.0
7fe86f267000-7fe86f268000 rw-p 00002000 08:03 1837214                    /usr/lib64/libcerror.so.1.0.0
7fe86f268000-7fe86f26e000 r-xp 00000000 08:03 1836692                    /usr/lib64/libcpath.so.1.0.0
7fe86f26e000-7fe86f46d000 ---p 00006000 08:03 1836692                    /usr/lib64/libcpath.so.1.0.0
7fe86f46d000-7fe86f46e000 r--p 00005000 08:03 1836692                    /usr/lib64/libcpath.so.1.0.0
7fe86f46e000-7fe86f46f000 rw-p 00006000 08:03 1836692                    /usr/lib64/libcpath.so.1.0.0
7fe86f46f000-7fe86f50b000 r-xp 00000000 08:03 1842272                    /usr/lib64/libcfile.so.1.0.0
7fe86f50b000-7fe86f70b000 ---p 0009c000 08:03 1842272                    /usr/lib64/libcfile.so.1.0.0
7fe86f70b000-7fe86f70d000 r--p 0009c000 08:03 1842272                    /usr/lib64/libcfile.so.1.0.0
7fe86f70d000-7fe86f70e000 rw-p 0009e000 08:03 1842272                    /usr/lib64/libcfile.so.1.0.0
7fe86f70e000-7fe86f7a6000 r-xp 00000000 08:03 1837338                    /usr/lib64/libuna.so.1.0.0
7fe86f7a6000-7fe86f9a6000 ---p 00098000 08:03 1837338                    /usr/lib64/libuna.so.1.0.0
7fe86f9a6000-7fe86f9a8000 r--p 00098000 08:03 1837338                    /usr/lib64/libuna.so.1.0.0
7fe86f9a8000-7fe86f9a9000 rw-p 0009a000 08:03 1837338                    /usr/lib64/libuna.so.1.0.0
7fe86f9a9000-7fe86f9b0000 r-xp 00000000 08:03 1836932                    /usr/lib64/libcthreads.so.1.0.0
7fe86f9b0000-7fe86fbaf000 ---p 00007000 08:03 1836932                    /usr/lib64/libcthreads.so.1.0.0
7fe86fbaf000-7fe86fbb0000 r--p 00006000 08:03 1836932                    /usr/lib64/libcthreads.so.1.0.0
7fe86fbb0000-7fe86fbb1000 rw-p 00007000 08:03 1836932                    /usr/lib64/libcthreads.so.1.0.0
7fe86fbb1000-7fe86fbb5000 r-xp 00000000 08:03 1837205                    /usr/lib64/libcaes.so.1.0.0
7fe86fbb5000-7fe86fdb4000 ---p 00004000 08:03 1837205                    /usr/lib64/libcaes.so.1.0.0
7fe86fdb4000-7fe86fdb5000 r--p 00003000 08:03 1837205                    /usr/lib64/libcaes.so.1.0.0
7fe86fdb5000-7fe86fdb6000 rw-p 00004000 08:03 1837205                    /usr/lib64/libcaes.so.1.0.0
7fe86fdb6000-7fe86fdbd000 r-xp 00000000 08:03 1853117                    /usr/lib64/libhmac.so.1.0.0
7fe86fdbd000-7fe86ffbc000 ---p 00007000 08:03 1853117                    /usr/lib64/libhmac.so.1.0.0
7fe86ffbc000-7fe86ffbd000 r--p 00006000 08:03 1853117                    /usr/lib64/libhmac.so.1.0.0
7fe86ffbd000-7fe86ffbe000 rw-p 00007000 08:03 1853117                    /usr/lib64/libhmac.so.1.0.0
7fe86ffbe000-7fe86ffc0000 r-xp 00000000 08:03 1852218                    /usr/lib64/libcnotify.so.1.0.0
7fe86ffc0000-7fe8701bf000 ---p 00002000 08:03 1852218                    /usr/lib64/libcnotify.so.1.0.0
7fe8701bf000-7fe8701c0000 r--p 00001000 08:03 1852218                    /usr/lib64/libcnotify.so.1.0.0
7fe8701c0000-7fe8701c1000 rw-p 00002000 08:03 1852218                    /usr/lib64/libcnotify.so.1.0.0
7fe8701c1000-7fe8701c4000 r-xp 00000000 08:03 1852227                    /usr/lib64/libclocale.so.1.0.0
7fe8701c4000-7fe8703c3000 ---p 00003000 08:03 1852227                    /usr/lib64/libclocale.so.1.0.0
7fe8703c3000-7fe8703c4000 r--p 00002000 08:03 1852227                    /usr/lib64/libclocale.so.1.0.0
7fe8703c4000-7fe8703c5000 rw-p 00003000 08:03 1852227                    /usr/lib64/libclocale.so.1.0.0
7fe8703c5000-7fe8703e1000 r-xp 00000000 08:03 1843062                    /usr/lib64/libcdata.so.1.0.0
7fe8703e1000-7fe8705e0000 ---p 0001c000 08:03 1843062                    /usr/lib64/libcdata.so.1.0.0
7fe8705e0000-7fe8705e1000 r--p 0001b000 08:03 1843062                    /usr/lib64/libcdata.so.1.0.0
7fe8705e1000-7fe8705e2000 rw-p 0001c000 08:03 1843062                    /usr/lib64/libcdata.so.1.0.0
7fe8705e2000-7fe8705e7000 r-xp 00000000 08:03 1852087                    /usr/lib64/libfguid.so.1.0.0
7fe8705e7000-7fe8707e6000 ---p 00005000 08:03 1852087                    /usr/lib64/libfguid.so.1.0.0
7fe8707e6000-7fe8707e7000 r--p 00004000 08:03 1852087                    /usr/lib64/libfguid.so.1.0.0
7fe8707e7000-7fe8707e8000 rw-p 00005000 08:03 1852087                    /usr/lib64/libfguid.so.1.0.0
7fe8707e8000-7fe8707fb000 r-xp 00000000 08:03 1837902                    /usr/lib64/libbfio.so.1.0.0
7fe8707fb000-7fe8709fa000 ---p 00013000 08:03 1837902                    /usr/lib64/libbfio.so.1.0.0
7fe8709fa000-7fe8709fb000 r--p 00012000 08:03 1837902                    /usr/lib64/libbfio.so.1.0.0
7fe8709fb000-7fe8709fc000 rw-p 00013000 08:03 1837902                    /usr/lib64/libbfio.so.1.0.0
7fe8709fc000-7fe870ae5000 r-xp 00000000 08:03 1864017                    /usr/lib64/libbde.so.1.0.0
7fe870ae5000-7fe870ce5000 ---p 000e9000 08:03 1864017                    /usr/lib64/libbde.so.1.0.0
7fe870ce5000-7fe870ce7000 r--p 000e9000 08:03 1864017                    /usr/lib64/libbde.so.1.0.0
7fe870ce7000-7fe870ce8000 rw-p 000eb000 08:03 1864017                    /usr/lib64/libbde.so.1.0.0
7fe870ce8000-7fe870d8d000 r-xp 00000000 08:03 1852401                    /usr/lib64/python2.7/site-packages/pybde.so
7fe870d8d000-7fe870f8d000 ---p 000a5000 08:03 1852401                    /usr/lib64/python2.7/site-packages/pybde.so
7fe870f8d000-7fe870f8f000 r--p 000a5000 08:03 1852401                    /usr/lib64/python2.7/site-packages/pybde.so
7fe870f8f000-7fe870f91000 rw-p 000a7000 08:03 1852401                    /usr/lib64/python2.7/site-packages/pybde.so
7fe870f91000-7fe871011000 rw-p 00000000 00:00 0 
7fe871011000-7fe871024000 r-xp 00000000 08:03 1859683                    /usr/lib64/python2.7/lib-dynload/cPickle.so
7fe871024000-7fe871223000 ---p 00013000 08:03 1859683                    /usr/lib64/python2.7/lib-dynload/cPickle.so
7fe871223000-7fe871224000 r--p 00012000 08:03 1859683                    /usr/lib64/python2.7/lib-dynload/cPickle.so
7fe871224000-7fe871225000 rw-p 00013000 08:03 1859683                    /usr/lib64/python2.7/lib-dynload/cPickle.so
7fe871225000-7fe87122b000 r-xp 00000000 08:03 1859405                    /usr/lib64/python2.7/lib-dynload/_multiprocessing.so
7fe87122b000-7fe87142a000 ---p 00006000 08:03 1859405                    /usr/lib64/python2.7/lib-dynload/_multiprocessing.so
7fe87142a000-7fe87142b000 r--p 00005000 08:03 1859405                    /usr/lib64/python2.7/lib-dynload/_multiprocessing.so
7fe87142b000-7fe87142c000 rw-p 00006000 08:03 1859405                    /usr/lib64/python2.7/lib-dynload/_multiprocessing.so
7fe87142c000-7fe871441000 r-xp 00000000 08:03 1048685                    /lib64/libz.so.1.2.8
7fe871441000-7fe871640000 ---p 00015000 08:03 1048685                    /lib64/libz.so.1.2.8
7fe871640000-7fe871641000 r--p 00014000 08:03 1048685                    /lib64/libz.so.1.2.8
7fe871641000-7fe871642000 rw-p 00015000 08:03 1048685                    /lib64/libz.so.1.2.8
7fe871642000-7fe871647000 r-xp 00000000 08:03 1859680                    /usr/lib64/python2.7/lib-dynload/binascii.so
7fe871647000-7fe871846000 ---p 00005000 08:03 1859680                    /usr/lib64/python2.7/lib-dynload/binascii.so
7fe871846000-7fe871847000 r--p 00004000 08:03 1859680                    /usr/lib64/python2.7/lib-dynload/binascii.so
7fe871847000-7fe871848000 rw-p 00005000 08:03 1859680                    /usr/lib64/python2.7/lib-dynload/binascii.so
7fe871848000-7fe87184b000 r-xp 00000000 08:03 1859920                    /usr/lib64/python2.7/lib-dynload/fcntl.so
7fe87184b000-7fe871a4a000 ---p 00003000 08:03 1859920                    /usr/lib64/python2.7/lib-dynload/fcntl.so
7fe871a4a000-7fe871a4b000 r--p 00002000 08:03 1859920                    /usr/lib64/python2.7/lib-dynload/fcntl.so
7fe871a4b000-7fe871a4c000 rw-p 00003000 08:03 1859920                    /usr/lib64/python2.7/lib-dynload/fcntl.so
7fe871a4c000-7fe871a51000 r-xp 00000000 08:03 1860874                    /usr/lib64/python2.7/lib-dynload/select.so
7fe871a51000-7fe871c50000 ---p 00005000 08:03 1860874                    /usr/lib64/python2.7/lib-dynload/select.so
7fe871c50000-7fe871c51000 r--p 00004000 08:03 1860874                    /usr/lib64/python2.7/lib-dynload/select.so
7fe871c51000-7fe871c53000 rw-p 00005000 08:03 1860874                    /usr/lib64/python2.7/lib-dynload/select.so
7fe871c54000-7fe871d54000 rw-p 00000000 00:00 0 
7fe871d54000-7fe871d58000 r-xp 00000000 08:03 1859847                    /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fe871d58000-7fe871f57000 ---p 00004000 08:03 1859847                    /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fe871f57000-7fe871f58000 r--p 00003000 08:03 1859847                    /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fe871f58000-7fe871f5a000 rw-p 00004000 08:03 1859847                    /usr/lib64/python2.7/lib-dynload/cStringIO.so
7fe871f5a000-7fe871f5e000 r-xp 00000000 08:03 1860936                    /usr/lib64/python2.7/lib-dynload/time.so
7fe871f5e000-7fe87215d000 ---p 00004000 08:03 1860936                    /usr/lib64/python2.7/lib-dynload/time.so
7fe87215d000-7fe87215e000 r--p 00003000 08:03 1860936                    /usr/lib64/python2.7/lib-dynload/time.so
7fe87215e000-7fe872160000 rw-p 00004000 08:03 1860936                    /usr/lib64/python2.7/lib-dynload/time.so
7fe872160000-7fe8721a0000 rw-p 00000000 00:00 0 
7fe8721a0000-7fe8721a7000 r-xp 00000000 08:03 1859529                    /usr/lib64/python2.7/lib-dynload/_struct.so
7fe8721a7000-7fe8723a6000 ---p 00007000 08:03 1859529                    /usr/lib64/python2.7/lib-dynload/_struct.so
7fe8723a6000-7fe8723a7000 r--p 00006000 08:03 1859529                    /usr/lib64/python2.7/lib-dynload/_struct.so
7fe8723a7000-7fe8723a9000 rw-p 00007000 08:03 1859529                    /usr/lib64/python2.7/lib-dynload/_struct.so
7fe8723a9000-7fe8723ad000 r-xp 00000000 08:03 1857941                    /usr/lib64/python2.7/lib-dynload/_locale.so
7fe8723ad000-7fe8725ac000 ---p 00004000 08:03 1857941                    /usr/lib64/python2.7/lib-dynload/_locale.so
7fe8725ac000-7fe8725ad000 r--p 00003000 08:03 1857941                    /usr/lib64/python2.7/lib-dynload/_locale.so
7fe8725ad000-7fe8725ae000 rw-p 00004000 08:03 1857941                    /usr/lib64/python2.7/lib-dynload/_locale.so
7fe8725ae000-7fe8725b1000 r-xp 00000000 08:03 1857927                    /usr/lib64/python2.7/lib-dynload/_functools.so
7fe8725b1000-7fe8727b0000 ---p 00003000 08:03 1857927                    /usr/lib64/python2.7/lib-dynload/_functools.so
7fe8727b0000-7fe8727b1000 r--p 00002000 08:03 1857927                    /usr/lib64/python2.7/lib-dynload/_functools.so
7fe8727b1000-7fe8727b2000 rw-p 00003000 08:03 1857927                    /usr/lib64/python2.7/lib-dynload/_functools.so
7fe8727b2000-7fe8727b7000 r-xp 00000000 08:03 1860881                    /usr/lib64/python2.7/lib-dynload/strop.so
7fe8727b7000-7fe8729b7000 ---p 00005000 08:03 1860881                    /usr/lib64/python2.7/lib-dynload/strop.so
7fe8729b7000-7fe8729b8000 r--p 00005000 08:03 1860881                    /usr/lib64/python2.7/lib-dynload/strop.so
7fe8729b8000-7fe8729ba000 rw-p 00006000 08:03 1860881                    /usr/lib64/python2.7/lib-dynload/strop.so
7fe8729ba000-7fe8729bd000 r-xp 00000000 08:03 1857932                    /usr/lib64/python2.7/lib-dynload/_heapq.so
7fe8729bd000-7fe872bbc000 ---p 00003000 08:03 1857932                    /usr/lib64/python2.7/lib-dynload/_heapq.so
7fe872bbc000-7fe872bbd000 r--p 00002000 08:03 1857932                    /usr/lib64/python2.7/lib-dynload/_heapq.so
7fe872bbd000-7fe872bbf000 rw-p 00003000 08:03 1857932                    /usr/lib64/python2.7/lib-dynload/_heapq.so
7fe872bbf000-7fe872bc9000 r-xp 00000000 08:03 1860430                    /usr/lib64/python2.7/lib-dynload/itertools.so
7fe872bc9000-7fe872dc8000 ---p 0000a000 08:03 1860430                    /usr/lib64/python2.7/lib-dynload/itertools.so
7fe872dc8000-7fe872dc9000 r--p 00009000 08:03 1860430                    /usr/lib64/python2.7/lib-dynload/itertools.so
7fe872dc9000-7fe872dce000 rw-p 0000a000 08:03 1860430                    /usr/lib64/python2.7/lib-dynload/itertools.so
7fe872dce000-7fe872dd6000 r-xp 00000000 08:03 1860652                    /usr/lib64/python2.7/lib-dynload/operator.so
7fe872dd6000-7fe872fd6000 ---p 00008000 08:03 1860652                    /usr/lib64/python2.7/lib-dynload/operator.so
7fe872fd6000-7fe872fd7000 r--p 00008000 08:03 1860652                    /usr/lib64/python2.7/lib-dynload/operator.so
7fe872fd7000-7fe872fd9000 rw-p 00009000 08:03 1860652                    /usr/lib64/python2.7/lib-dynload/operator.so
7fe872fd9000-7fe872fdf000 r-xp 00000000 08:03 1857891                    /usr/lib64/python2.7/lib-dynload/_collections.so
7fe872fdf000-7fe8731de000 ---p 00006000 08:03 1857891                    /usr/lib64/python2.7/lib-dynload/_collections.so
7fe8731de000-7fe8731df000 r--p 00005000 08:03 1857891                    /usr/lib64/python2.7/lib-dynload/_collections.so
7fe8731df000-7fe8731e1000 rw-p 00006000 08:03 1857891                    /usr/lib64/python2.7/lib-dynload/_collections.so
7fe8731e1000-7fe873261000 rw-p 00000000 00:00 0 
7fe873261000-7fe873361000 r-xp 00000000 08:03 1048605                    /lib64/libm-2.19.so
7fe873361000-7fe873560000 ---p 00100000 08:03 1048605                    /lib64/libm-2.19.so
7fe873560000-7fe873561000 r--p 000ff000 08:03 1048605                    /lib64/libm-2.19.so
7fe873561000-7fe873562000 rw-p 00100000 08:03 1048605                    /lib64/libm-2.19.so
7fe873562000-7fe873564000 r-xp 00000000 08:03 1048673                    /lib64/libutil-2.19.so
7fe873564000-7fe873763000 ---p 00002000 08:03 1048673                    /lib64/libutil-2.19.so
7fe873763000-7fe873764000 r--p 00001000 08:03 1048673                    /lib64/libutil-2.19.so
7fe873764000-7fe873765000 rw-p 00002000 08:03 1048673                    /lib64/libutil-2.19.so
7fe873765000-7fe873768000 r-xp 00000000 08:03 1048602                    /lib64/libdl-2.19.so
7fe873768000-7fe873967000 ---p 00003000 08:03 1048602                    /lib64/libdl-2.19.so
7fe873967000-7fe873968000 r--p 00002000 08:03 1048602                    /lib64/libdl-2.19.so
7fe873968000-7fe873969000 rw-p 00003000 08:03 1048602                    /lib64/libdl-2.19.so
7fe873969000-7fe873b07000 r-xp 00000000 08:03 1048594                    /lib64/libc-2.19.so
7fe873b07000-7fe873d07000 ---p 0019e000 08:03 1048594                    /lib64/libc-2.19.so
7fe873d07000-7fe873d0b000 r--p 0019e000 08:03 1048594                    /lib64/libc-2.19.so
7fe873d0b000-7fe873d0d000 rw-p 001a2000 08:03 1048594                    /lib64/libc-2.19.so
7fe873d0d000-7fe873d11000 rw-p 00000000 00:00 0 
7fe873d11000-7fe873d29000 r-xp 00000000 08:03 1048648                    /lib64/libpthread-2.19.so
7fe873d29000-7fe873f28000 ---p 00018000 08:03 1048648                    /lib64/libpthread-2.19.so
7fe873f28000-7fe873f29000 r--p 00017000 08:03 1048648                    /lib64/libpthread-2.19.so
7fe873f29000-7fe873f2a000 rw-p 00018000 08:03 1048648                    /lib64/libpthread-2.19.so
7fe873f2a000-7fe873f2e000 rw-p 00000000 00:00 0 
7fe873f2e000-7fe87408f000 r-xp 00000000 08:03 1843350                    /usr/lib64/libpython2.7.so.1.0
7fe87408f000-7fe87428f000 ---p 00161000 08:03 1843350                    /usr/lib64/libpython2.7.so.1.0
7fe87428f000-7fe874290000 r--p 00161000 08:03 1843350                    /usr/lib64/libpython2.7.so.1.0
7fe874290000-7fe8742ce000 rw-p 00162000 08:03 1843350                    /usr/lib64/libpython2.7.so.1.0
7fe8742ce000-7fe8742de000 rw-p 00000000 00:00 0 
7fe8742de000-7fe8742df000 r-xp 00000000 08:03 1836524                    /usr/lib64/coreutils/libstdbuf.so
7fe8742df000-7fe8744df000 ---p 00001000 08:03 1836524                    /usr/lib64/coreutils/libstdbuf.so
7fe8744df000-7fe8744e0000 r--p 00001000 08:03 1836524                    /usr/lib64/coreutils/libstdbuf.so
7fe8744e0000-7fe8744e1000 rw-p 00002000 08:03 1836524                    /usr/lib64/coreutils/libstdbuf.so
7fe8744e1000-7fe874501000 r-xp 00000000 08:03 1048871                    /lib64/ld-2.19.so
7fe874523000-7fe874562000 r--p 00000000 08:03 1879236                    /usr/lib/locale/en_US.utf8/LC_CTYPE
7fe874562000-7fe8745e2000 rw-p 00000000 00:00 0 
7fe874613000-7fe8746d8000 rw-p 00000000 00:00 0 
7fe8746e0000-7fe8746e2000 rw-p 00000000 00:00 0 
7fe8746e2000-7fe8746e3000 rw-p 00000000 00:00 0 
7fe8746e3000-7fe8746e4000 rw-s 00000000 00:10 1138894                    /dev/shm/sem.57YgrG (deleted)
7fe8746e4000-7fe8746e5000 rw-s 00000000 00:10 1138893                    /dev/shm/sem.pYXiFv (deleted)
7fe8746e5000-7fe8746e6000 rw-s 00000000 00:10 1138892                    /dev/shm/sem.DnwlTk (deleted)
7fe8746e6000-7fe8746e7000 rw-s 00000000 00:10 1138890                    /dev/shm/sem.vnXo79 (deleted)
7fe8746e7000-7fe8746e8000 rw-s 00000000 00:10 1138889                    /dev/shm/sem.pUQtlZ (deleted)
7fe8746e8000-7fe8746e9000 rw-s 00000000 00:10 1138888                    /dev/shm/sem.V2zzzO (deleted)
7fe8746e9000-7fe8746ea000 rw-s 00000000 00:10 1138886                    /dev/shm/sem.PnbGND (deleted)
7fe8746ea000-7fe8746eb000 rw-s 00000000 00:10 1138885                    /dev/shm/sem.RiPO1s (deleted)
7fe8746eb000-7fe8746ec000 rw-s 00000000 00:10 1138884                    /dev/shm/sem.Xj5Xfi (deleted)
7fe8746ec000-7fe8746ee000 rw-p 00000000 00:00 0 
7fe8746ee000-7fe8746ef000 r--p 00000000 08:03 1877289                    /usr/lib/locale/en_US.utf8/LC_NUMERIC
7fe8746ef000-7fe8746f0000 r--p 00000000 08:03 1968763                    /usr/lib/locale/en_US.utf8/LC_TIME
7fe8746f0000-7fe8746f1000 r--p 00000000 08:03 1968744                    /usr/lib/locale/en_US.utf8/LC_MONETARY
7fe8746f1000-7fe8746f2000 r--p 00000000 08:03 1966764                    /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
7fe8746f2000-7fe8746f3000 r--p 00000000 08:03 1879241                    /usr/lib/locale/en_US.utf8/LC_PAPER
7fe8746f3000-7fe8746f4000 r--p 00000000 08:03 1877297                    /usr/lib/locale/en_US.utf8/LC_NAME
7fe8746f4000-7fe8746f5000 r--p 00000000 08:03 1967022                    /usr/lib/locale/en_US.utf8/LC_ADDRESS
7fe8746f5000-7fe8746f6000 r--p 00000000 08:03 1879244                    /usr/lib/locale/en_US.utf8/LC_TELEPHONE
7fe8746f6000-7fe8746f7000 r--p 00000000 08:03 1877300                    /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
7fe8746f7000-7fe8746f8000 r--p 00000000 08:03 1968532                    /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7fe8746f8000-7fe8746f9000 rwxp 00000000 00:00 0 
7fe8746f9000-7fe874700000 r--s 00000000 08:03 1877306                    /usr/lib64/gconv/gconv-modules.cache
7fe874700000-7fe874701000 rw-p 00000000 00:00 0 
7fe874701000-7fe874702000 r--p 00020000 08:03 1048871                    /lib64/ld-2.19.so
7fe874702000-7fe874703000 rw-p 00021000 08:03 1048871                    /lib64/ld-2.19.so
7fe874703000-7fe874704000 rw-p 00000000 00:00 0 
7fffc4675000-7fffc4696000 rw-p 00000000 00:00 0                          [stack]
7fffc46fd000-7fffc46ff000 r-xp 00000000 00:00 0                          [vdso]
7fffc46ff000-7fffc4701000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
joachimmetz commented 9 years ago

Nothing in the backtrace seems related to log2timeline, so I I wonder if something stomped on memory it should not have? (Can that happen in python?)

Yes it can, often a compiled C python module misbehaving. Since you're running on OSX the reason can be multiple.

How did you install the dependencies? Installed prebuilt? compiled them yourself? What versions of the dependencies do you have installed?

gregfreemyer commented 9 years ago

Yes it can, often a compiled C python module misbehaving.

Good old c code. That I understand.

Since you're running on OSX the reason can be multiple.

No, I'm running on Linux, just the image is of a Mac.

How did you install the dependencies? Installed prebuilt? compiled them yourself?

Compiled myself into rpms, then installed the rpms.

What versions of the dependencies do you have installed?

check_dependencies is running clean except one info message that a newer version of pyesedb is available

==== the below may make more sense on the mailing list.

Since I'm compiling the libyal dependencies in a non-standard way, the problem can be there easily.

Is there a reference setup i could run? I could setup a dedicated VM that builds the Libyal packages via the mechanism provided with plaso. opensuse and fedora are the Linux distros I know best, but I'm sure I could manage any Linux well enough to get that going. Are any of the developers routinely developing under Linux?

Then for situations like this and the one where IPC seems to have halted I could verify the finding in that VM and make sure it is not caused by the way I'm building the libyal rpms.

joachimmetz commented 9 years ago

Since I'm compiling the libyal dependencies in a non-standard way, the problem can be there easily.

Or the other C/C++ based depencies for that matter. Try:

gdb --ex r --args python log2timeline.py --single-process ...

See if you can generate a backtrace of a single process with line numbers. Based on your current backtrace I would say it's a bug in libtsk/pytsk3.

/lib64/libc.so.6(+0x730bf)[0x7fe8739dc0bf]
/lib64/libc.so.6(+0x7892e)[0x7fe8739e192e]
/usr/lib64/libtsk.so.10(hfs_file_read_special+0x615)[0x7fe86c7c7045]

Also see: http://plaso.kiddaland.net/developer/troubleshooting

gregfreemyer commented 9 years ago

I don't know if it is the same backtrace, but I got this when I ran log2timeline.py with a few day old git head in gdb:

Source path : /mnt-ewf/ewf1 Is storage media image or device : True Partition offset : 209735680 (0x0c805000)

/usr/lib/python2.7/site-packages/plaso/parsers/plist_plugins/airport.py(56)GetEntries() -> u'/RememberedNetworks', u'item', wifi['LastConnected'], description)

In the log file I got the below at the tail of the log at the same time:

2014-12-02 20:04:51,660 DEBUG PID:25548 [plist] Wrong plugin: plist_spotlight_volume for: com.apple.airport.preferences.plist 2014-12-02 20:04:51,660 DEBUG PID:25548 [plist] Wrong plugin: plist_appleaccount for: com.apple.airport.preferences.plist 2014-12-02 20:04:51,660 DEBUG PID:25548 Plist Plugin Used: plist_airport for: com.apple.airport.preferences.plist 2014-12-02 20:04:51,661 WARNING PID:25548 [plist] Unable to process file: type: OS, location: /mnt-ewf/ewf1 type: RAW type: TSK_PARTITION, location: /p2, part index: 5, start offset: 0x0c805000 type: TSK, inode: 5179769, location: /.MobileBackups/Computer/2014-11-15-231022/Volume/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist with error: 'LastConnected'. 2014-12-02 20:04:51,661 DEBUG PID:25548 The path specification that caused the error: type: OS, location: /mnt-ewf/ewf1 type: RAW type: TSK_PARTITION, location: /p2, part index: 5, start offset: 0x0c805000 type: TSK, inode: 5179769, location: /.MobileBackups/Computer/2014-11-15-231022/Volume/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

2014-12-02 20:04:51,661 ERROR PID:25548 'LastConnected' Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser parser_object.Parse(self._parser_context, file_entry) File "/usr/lib/python2.7/site-packages/plaso/parsers/plist.py", line 150, in Parse plist_name=plist_name, top_level=top_level_object) File "/usr/lib/python2.7/site-packages/plaso/parsers/plist_plugins/interface.py", line 192, in Process top_level=top_level, match=match) File "/usr/lib/python2.7/site-packages/plaso/parsers/plist_plugins/airport.py", line 56, in GetEntries u'/RememberedNetworks', u'item', wifi['LastConnected'], description) KeyError: 'LastConnected'

After that I did "cont" so I'll post the next traceback in the the next comment. I have a feeling there are several different ones. Let me know if I need to create new issues for each traceback.

gregfreemyer commented 9 years ago

2nd traceback from running gdb:

On GDB output console:

(Pdb) cont /usr/lib/python2.7/site-packages/construct/core.py(305)_read_stream() -> raise FieldError("expected %d, found %d" % (length, len(data)))

From tail of logfile:

2014-12-02 20:14:17,562 DEBUG PID:25548 Not a bsm_log file (login.keychain) - Not a BSM File, unable to parse. 2014-12-02 20:14:17,562 DEBUG PID:25548 Trying to parse: login.keychain with parser: mac_keychain 2014-12-02 20:14:17,566 WARNING PID:25548 [mac_keychain] Unable to process file: type: OS, location: /mnt-ewf/ewf1 type: RAW type: TSK_PARTITION, location: /p2, part index: 5, start offset: 0x0c805000 type: TSK, inode: 5180593, location: /.MobileBackups/Computer/2014-11-15-231022/Volume/Users/M/Library/Keychains/login.keychain with error: expected 83886081, found 43865. 2014-12-02 20:14:17,566 DEBUG PID:25548 The path specification that caused the error: type: OS, location: /mnt-ewf/ewf1 type: RAW type: TSK_PARTITION, location: /p2, part index: 5, start offset: 0x0c805000 ty/Library/Keychains/login.keychain

2014-12-02 20:14:17,566 ERROR PID:25548 expected 83886081, found 43865 Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/plaso/engine/worker.py", line 123, in _ParseFileEntryWithParser parser_object.Parse(self._parser_context, file_entry) File "/usr/lib/python2.7/site-packages/plaso/parsers/mac_keychain.py", line 490, in Parse parser_chain=parser_chain) File "/usr/lib/python2.7/site-packages/plaso/parsers/mac_keychain.py", line 254, in _ReadEntryApplication parser_context, file_entry, file_object, record.record_header, offset) File "/usr/lib/python2.7/site-packages/plaso/parsers/mac_keychain.py", line 322, in _ReadEntryHeader comments = self.TEXT.parse_stream(file_object) File "/usr/lib/python2.7/site-packages/construct/core.py", line 198, in parse_stream return self._parse(stream, Container()) File "/usr/lib/python2.7/site-packages/construct/core.py", line 288, in _parse return self._decode(self.subcon._parse(stream, context), context) File "/usr/lib/python2.7/site-packages/construct/core.py", line 288, in _parse return self._decode(self.subcon._parse(stream, context), context) File "/usr/lib/python2.7/site-packages/construct/core.py", line 733, in _parse subobj = sc._parse(stream, context) File "/usr/lib/python2.7/site-packages/construct/core.py", line 398, in _parse return _read_stream(stream, self.lengthfunc(context)) File "/usr/lib/python2.7/site-packages/construct/core.py", line 305, in _read_stream raise FieldError("expected %d, found %d" % (length, len(data))) FieldError: expected 83886081, found 43865

joachimmetz commented 9 years ago

Let's stick with the C stack trace in this issue and don't add noise to the issue. It makes the issue hard to follow for people.

Regarding the python tracebacks of certain parsers these are should not halt the tool. It is WIP to handle this without spamming the console output.

gregfreemyer commented 9 years ago

Okay,

I got 4 of the python backtraces total. Each time gdb stopped, but I just told it to continue. After that (and time) I got the C stack trace. It looks basically the same to me, so even though I installed lots of *.debuginfo packages it doesn't seem to have helped.

At the end of stack track / memory map, gdb did output:

Program received signal SIGABRT, Aborted. 0x00007ffff749c187 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. Missing separate debuginfos, use: zypper install libncurses5-debuginfo-5.9-52.2.3.x86_64 libreadline6-debuginfo-6.2-75.4.1.x86_64

I'll install those last 2 debuginfo packages, but I don't see that changing the stacktrace much.

Here's the stack trace that came out this time

(Pdb) cont * Error in `/usr/bin/python': free(): invalid pointer: 0x0000000025c4b120 * ======= Backtrace: ========= /lib64/libc.so.6(+0x730bf)[0x7ffff74da0bf] /lib64/libc.so.6(+0x7892e)[0x7ffff74df92e] /usr/lib64/libtsk.so.10(hfs_file_read_special+0x615)[0x7ffff02c5045] /usr/lib64/python2.7/site-packages/pytsk3.so(+0x1a2b9)[0x7ffff05a62b9] /usr/lib64/python2.7/site-packages/pytsk3.so(+0xb4ec)[0x7ffff05974ec] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x1295)[0x7ffff7af43e5] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7ffff7afa061] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7ffff7afa061] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x221)[0x7ffff7afa061] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xc74)[0x7ffff7af3dc4] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0x2a0e)[0x7ffff7af5b5e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x4fe)[0x7ffff7afa33e] /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7ffff7b27142] /usr/lib64/libpython2.7.so.1.0(+0x1078ad)[0x7ffff7b338ad] /usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7ffff7ac16ad] /usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x308)[0x7ffff7ac2294] /usr/lib64/libpython2.7.so.1.0(Py_Main+0xc60)[0x7ffff7ac9e63] /lib64/libc.so.6(__libc_start_main+0xf5)[0x7ffff7488b05] /usr/bin/python[0x40078e]

gregfreemyer commented 9 years ago

I forgot to say, I still have gdb open at the command prompt if there is anything useful to query. It is a few years since I used gdb, so exact syntax would be appreciated.

joachimmetz commented 9 years ago

It looks basically the same to me, so even though I installed lots of *.debuginfo packages it doesn't seem to have helped.

You don't need all the debug symbol packages just those for the plaso dependencies, which I recall you built yourself. On Fedora these are auto generated by rpmbuild; not sure about your configuration.

Here's the stack trace that came out this time

Alas that does not help me much, as indicated I need the line number where the crash occurs to start looking without the actual data. I also don't see the frame numbers in your output. E.g.

#0  0x0000003457247e98 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=ap@entry=0x7fffffffdf08) at vfprintf.c:1615
#1  0x0000003457250ed9 in __printf (format=<optimized out>) at printf.c:34
#2  0x00000000004005e5 in main () at crash.c:10

However it seems the crash point is consistent, which hopefully means it is not a hard to troubleshoot bug once the line number is known.

An alternative approach would be to build libtsk and pytsk with debug symbols. See: http://code.google.com/p/pytsk/wiki/Troubleshooting. And replace the currently shared object with the debug symbol versions.

I forgot to say, I still have gdb open at the command prompt if there is anything useful to query.

That could be useful, thanks. Try:

frame 2
list
gregfreemyer commented 9 years ago

In theory I have debug symbols installed. I'll ask elsewhere to make sure I've done it right:

rpm -qa | grep tsk
python-tsk-debuginfo-0~20140506-5.1.x86_64
python-tsk-0~20140506-5.1.x86_64
libtsk10-debuginfo-4.1.3-4.1.x86_64
libtsk10-4.1.3-4.1.x86_64

Here's the gdb output:

(gdb) frame 2
#2  0x00007ffff74da0c4 in __libc_message (do_abort=do_abort@entry=2, 
    fmt=fmt@entry=0x7ffff75cc310 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
175     ../sysdeps/posix/libc_fatal.c: No such file or directory.
(gdb) list
170     in ../sysdeps/posix/libc_fatal.c
(gdb)

I will leave it in gdb for now.

joachimmetz commented 9 years ago

Since I see the line numbers here. So I'm wondering where you got the other backtrace from. Can you run in gdb:

bt
gregfreemyer commented 9 years ago

The previous back trace was just dumped on my konsole screen. I did not actually request it from gdb. bt works much better.

Remember I am running: python-tsk-0~20140506-5.1.x86_64 libtsk10-4.1.3-4.1.x86_64

> (gdb) bt
#0  0x00007ffff749c187 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff749d538 in __GI_abort () at abort.c:78
#2  0x00007ffff74da0c4 in __libc_message (do_abort=do_abort@entry=2, 
    fmt=fmt@entry=0x7ffff75cc310 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff74df92e in malloc_printerr (action=3, str=0x7ffff75c84ef "free(): invalid pointer", ptr=<optimized out>)
    at malloc.c:4991
#4  0x00007ffff02c5045 in hfs_file_read_special (a_fs_attr=<optimized out>, a_offset=<optimized out>, 
    a_buf=0x7fffdd38d034 "%PDF-1.4\r%\342\343\317\323\r\n480 0 obj\r<</Linearized 1/L 8455993/O 483/E 5268558/N 10/T 8446277/H [ 9756 1018]>>\rendobj\r        \rxref\r480 473\r0000000016 00000 n\r\n0000010946 00000 n\r\n0000011190 00000 n\r\n0000011252 "..., 
    a_len=<optimized out>) at hfs.c:3257
#5  0x00007ffff05a62b9 in File_read_random (self=<optimized out>, offset=<optimized out>, buff=<optimized out>, len=<optimized out>, 
    type=<optimized out>, id=<optimized out>, flags=TSK_FS_FILE_READ_FLAG_NONE) at tsk3.c:490
#6  0x00007ffff05974ec in pyFile_read_random (self=0x7fffdd4e97f0, args=<optimized out>, kwds=<optimized out>) at pytsk3.c:14333
#7  0x00007ffff7af43e5 in call_function (oparg=<optimized out>, pp_stack=0x7fffffffa560) at Python/ceval.c:4033
#8  PyEval_EvalFrameEx (f=f@entry=0x7fffe311a050, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#9  0x00007ffff7afa061 in PyEval_EvalCodeEx (co=0x7ffff09f83b0, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=2, kws=<optimized out>, kwcount=0, defs=0x7ffff09ee9e8, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#10 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=2, n=<optimized out>, pp_stack=0x7fffffffa790, func=<optimized out>)
    at Python/ceval.c:4129
#11 call_function (oparg=<optimized out>, pp_stack=0x7fffffffa790) at Python/ceval.c:4054
#12 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a1ba00, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#13 0x00007ffff7afa061 in PyEval_EvalCodeEx (co=0x7fffed328230, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=2, kws=<optimized out>, kwcount=0, defs=0x7fffed339268, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#14 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=2, n=<optimized out>, pp_stack=0x7fffffffa9c0, func=<optimized out>)
    at Python/ceval.c:4129
#15 call_function (oparg=<optimized out>, pp_stack=0x7fffffffa9c0) at Python/ceval.c:4054
#16 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a20a50, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#17 0x00007ffff7afa061 in PyEval_EvalCodeEx (co=0x7fffed3287b0, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=2, kws=<optimized out>, kwcount=0, defs=0x7fffed3392a8, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#18 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=2, n=<optimized out>, pp_stack=0x7fffffffabf0, func=<optimized out>)
    at Python/ceval.c:4129
#19 call_function (oparg=<optimized out>, pp_stack=0x7fffffffabf0) at Python/ceval.c:4054
#20 PyEval_EvalFrameEx (f=f@entry=0x1b98c9a0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#21 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=0x7fffebd7bbb0, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=4, kws=<optimized out>, kwcount=2, defs=0x7fffebd75ce8, defcount=3, closure=0x0)
    at Python/ceval.c:3265
#22 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=4, n=<optimized out>, pp_stack=0x7fffffffae20, func=<optimized out>)
    at Python/ceval.c:4129
#23 call_function (oparg=<optimized out>, pp_stack=0x7fffffffae20) at Python/ceval.c:4054
#24 PyEval_EvalFrameEx (f=f@entry=0x167930d0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#25 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=0x7fffebd7bd30, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=3, kws=<optimized out>, kwcount=0, defs=0x7fffebd8e828, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#26 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=3, n=<optimized out>, pp_stack=0x7fffffffb050, func=<optimized out>)
    at Python/ceval.c:4129
#27 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb050) at Python/ceval.c:4054
#28 PyEval_EvalFrameEx (f=f@entry=0x7fffe3052da8, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#29 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb1d0, 
    func=<optimized out>) at Python/ceval.c:4119
#30 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb1d0) at Python/ceval.c:4054
#31 PyEval_EvalFrameEx (f=f@entry=0x7fffe3050620, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#32 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb350, 
    func=<optimized out>) at Python/ceval.c:4119
#33 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb350) at Python/ceval.c:4054
#34 PyEval_EvalFrameEx (f=f@entry=0x7fffe311c050, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#35 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb4d0, 
    func=<optimized out>) at Python/ceval.c:4119
#36 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb4d0) at Python/ceval.c:4054
#37 PyEval_EvalFrameEx (f=f@entry=0x2bce760, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#38 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb650, 
    func=<optimized out>) at Python/ceval.c:4119
#39 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb650) at Python/ceval.c:4054
#40 PyEval_EvalFrameEx (f=f@entry=0x2bd9db0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#41 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb7d0, 
    func=<optimized out>) at Python/ceval.c:4119
#42 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb7d0) at Python/ceval.c:4054
#43 PyEval_EvalFrameEx (f=f@entry=0x150b8910, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#44 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffb950, 
    func=<optimized out>) at Python/ceval.c:4119
#45 call_function (oparg=<optimized out>, pp_stack=0x7fffffffb950) at Python/ceval.c:4054
#46 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a1dd38, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#47 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffbad0, 
    func=<optimized out>) at Python/ceval.c:4119
#48 call_function (oparg=<optimized out>, pp_stack=0x7fffffffbad0) at Python/ceval.c:4054
#49 PyEval_EvalFrameEx (f=f@entry=0x1223f130, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#50 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffbc50, 
    func=<optimized out>) at Python/ceval.c:4119
#51 call_function (oparg=<optimized out>, pp_stack=0x7fffffffbc50) at Python/ceval.c:4054
#52 PyEval_EvalFrameEx (f=f@entry=0xbdaf8d0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#53 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffbdd0, 
    func=<optimized out>) at Python/ceval.c:4119
#54 call_function (oparg=<optimized out>, pp_stack=0x7fffffffbdd0) at Python/ceval.c:4054
#55 PyEval_EvalFrameEx (f=f@entry=0x1222e7f0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#56 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffbf50, 
    func=<optimized out>) at Python/ceval.c:4119
#57 call_function (oparg=<optimized out>, pp_stack=0x7fffffffbf50) at Python/ceval.c:4054
#58 PyEval_EvalFrameEx (f=f@entry=0x12245b20, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#59 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc0d0, 
    func=<optimized out>) at Python/ceval.c:4119
#60 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc0d0) at Python/ceval.c:4054
#61 PyEval_EvalFrameEx (f=f@entry=0x17a91d0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#62 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc250, 
    func=<optimized out>) at Python/ceval.c:4119
#63 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc250) at Python/ceval.c:4054
#64 PyEval_EvalFrameEx (f=f@entry=0xdbf9420, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#65 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc3d0, 
    func=<optimized out>) at Python/ceval.c:4119
#66 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc3d0) at Python/ceval.c:4054
#67 PyEval_EvalFrameEx (f=f@entry=0x12054c00, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#68 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc550, 
    func=<optimized out>) at Python/ceval.c:4119
#69 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc550) at Python/ceval.c:4054
#70 PyEval_EvalFrameEx (f=f@entry=0x1190a80, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#71 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc6d0, 
    func=<optimized out>) at Python/ceval.c:4119
#72 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc6d0) at Python/ceval.c:4054
#73 PyEval_EvalFrameEx (f=f@entry=0x2bdc1b0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#74 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc850, 
    func=<optimized out>) at Python/ceval.c:4119
#75 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc850) at Python/ceval.c:4054
#76 PyEval_EvalFrameEx (f=f@entry=0x11873b0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#77 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffc9d0, 
    func=<optimized out>) at Python/ceval.c:4119
#78 call_function (oparg=<optimized out>, pp_stack=0x7fffffffc9d0) at Python/ceval.c:4054
#79 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a1b240, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#80 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=0x7fffe958d3b0, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=3, kws=<optimized out>, kwcount=1, defs=0x7fffe985df28, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#81 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=3, n=<optimized out>, pp_stack=0x7fffffffcc00, func=<optimized out>)
    at Python/ceval.c:4129
#82 call_function (oparg=<optimized out>, pp_stack=0x7fffffffcc00) at Python/ceval.c:4054
#83 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a20850, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#84 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=0x7fffe9585d30, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=2, kws=<optimized out>, kwcount=1, defs=0x7fffe984bf28, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#85 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=2, n=<optimized out>, pp_stack=0x7fffffffce30, func=<optimized out>)
    at Python/ceval.c:4129
#86 call_function (oparg=<optimized out>, pp_stack=0x7fffffffce30) at Python/ceval.c:4054
#87 PyEval_EvalFrameEx (f=f@entry=0x7fffe89ffe18, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#88 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffcfb0, 
    func=<optimized out>) at Python/ceval.c:4119
#89 call_function (oparg=<optimized out>, pp_stack=0x7fffffffcfb0) at Python/ceval.c:4054
#90 PyEval_EvalFrameEx (f=f@entry=0x7fffe88a55f0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#91 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=0x7fffe9585130, globals=<optimized out>, locals=locals@entry=0x0, 
    args=<optimized out>, argcount=argcount@entry=3, kws=<optimized out>, kwcount=1, defs=0x7fffe9546b28, defcount=1, closure=0x0)
    at Python/ceval.c:3265
#92 0x00007ffff7af3dc4 in fast_function (nk=<optimized out>, na=3, n=<optimized out>, pp_stack=0x7fffffffd1e0, func=<optimized out>)
    at Python/ceval.c:4129
#93 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd1e0) at Python/ceval.c:4054
#94 PyEval_EvalFrameEx (f=f@entry=0x1171a70, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#95 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd360, 
    func=<optimized out>) at Python/ceval.c:4119
#96 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd360) at Python/ceval.c:4054
#97 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a107d0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#98 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd4e0, 
    func=<optimized out>) at Python/ceval.c:4119
#99 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd4e0) at Python/ceval.c:4054
#100 PyEval_EvalFrameEx (f=f@entry=0x7fffe8a52b00, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#101 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd660, 
    func=<optimized out>) at Python/ceval.c:4119
#102 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd660) at Python/ceval.c:4054
#103 PyEval_EvalFrameEx (f=f@entry=0x7686d0, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#104 0x00007ffff7af5b5e in fast_function (nk=<optimized out>, na=<optimized out>, n=<optimized out>, pp_stack=0x7fffffffd7e0, 
    func=<optimized out>) at Python/ceval.c:4119
#105 call_function (oparg=<optimized out>, pp_stack=0x7fffffffd7e0) at Python/ceval.c:4054
#106 PyEval_EvalFrameEx (f=f@entry=0x7ffff7f72050, throwflag=throwflag@entry=0) at Python/ceval.c:2679
#107 0x00007ffff7afa33e in PyEval_EvalCodeEx (co=co@entry=0x7ffff7e71e30, globals=globals@entry=0x7ffff7f5f168, 
    locals=locals@entry=0x7ffff7f5f168, args=args@entry=0x0, argcount=argcount@entry=0, kws=kws@entry=0x0, kwcount=kwcount@entry=0, 
    defs=defs@entry=0x0, defcount=defcount@entry=0, closure=closure@entry=0x0) at Python/ceval.c:3265
#108 0x00007ffff7b27142 in PyEval_EvalCode (co=co@entry=0x7ffff7e71e30, globals=globals@entry=0x7ffff7f5f168, 
    locals=locals@entry=0x7ffff7f5f168) at Python/ceval.c:673
#109 0x00007ffff7b338ad in run_mod (mod=mod@entry=0x6c6670, filename=filename@entry=0x7fffffffe113 "/usr/bin/log2timeline.py", 
    globals=globals@entry=0x7ffff7f5f168, locals=locals@entry=0x7ffff7f5f168, flags=flags@entry=0x7fffffffda30, 
    arena=arena@entry=0x635c70) at Python/pythonrun.c:1377
#110 0x00007ffff7ac16ad in PyRun_FileExFlags (fp=fp@entry=0x635a20, 
    filename=filename@entry=0x7fffffffe113 "/usr/bin/log2timeline.py", start=start@entry=257, globals=globals@entry=0x7ffff7f5f168, 
    locals=locals@entry=0x7ffff7f5f168, closeit=closeit@entry=1, flags=flags@entry=0x7fffffffda30) at Python/pythonrun.c:1363
#111 0x00007ffff7ac2294 in PyRun_SimpleFileExFlags (fp=fp@entry=0x635a20, filename=<optimized out>, 
    filename@entry=0x7fffffffe113 "/usr/bin/log2timeline.py", closeit=closeit@entry=1, flags=flags@entry=0x7fffffffda30)
    at Python/pythonrun.c:955
#112 0x00007ffff7ac27ce in PyRun_AnyFileExFlags (fp=fp@entry=0x635a20, 
    filename=filename@entry=0x7fffffffe113 "/usr/bin/log2timeline.py", closeit=closeit@entry=1, flags=flags@entry=0x7fffffffda30)
    at Python/pythonrun.c:759
#113 0x00007ffff7ac9e63 in Py_Main (argc=<optimized out>, argv=0x7fffffffdbe8) at Modules/main.c:640
#114 0x00007ffff7488b05 in __libc_start_main (main=0x400760 <main>, argc=10, argv=0x7fffffffdbe8, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdbd8) at libc-start.c:285
#115 0x000000000040078e in _start () at ../sysdeps/x86_64/start.S:122
joachimmetz commented 9 years ago

What is the last 4.1 in libtsk10-4.1.3-4.1.x86_64 ?

joachimmetz commented 9 years ago

BTW which version of TSK are you using?

In the stock version of sleuthkit-4.1.3, tsk/fs/hfs.c:3257

     free(rawBuf);

Not hfs_file_read_special as your version indicates:

#4 0x00007ffff02c5045 in hfs_file_read_special (a_fs_attr=, a_offset=, 
a_buf=0x7fffdd38d034 "%PDF-1.4\r%\342\343\317\323\r\n480 0 obj\r<>\rendobj\r \rxref\r480 473\r0000000016 00000 n\r\n0000010946 00000 n\r\n0000011190 00000 n\r\n0000011252 "..., 
a_len=) at hfs.c:3257
joachimmetz commented 9 years ago

Forget the last comment, I'm not paying attention ;)

joachimmetz commented 9 years ago

tsk/fs/hfs.c:3007

    // Allocate two buffers of the compression unit size.
    rawBuf = (char *) tsk_malloc(COMPRESSION_UNIT_SIZE);

tsk/fs/hfs.c:3143

uint32_t len = offsetTable[indx].length;

tsk/fs/hfs.c:3156

        // Read in the chunk of compressed data
        attrReadResult = tsk_fs_attr_read(rAttr, offset,
            rawBuf, len, TSK_FS_FILE_READ_FLAG_NONE);

So no bounds check of len here before usage.

tsk/fs/hfs.c:3211

if ((len - 1) > COMPRESSION_UNIT_SIZE) {
   ...
}
memcpy(uncBuf, rawBuf + 1, len - 1);

If len is 0 that will yield to interesting behavior here.

So not unlikely that there is a memory corruption bug here somewhere.

joachimmetz commented 9 years ago

Can you try running valgrind with fls (to be verbose fls -r) on this file system, just to be sure one of these erroneous code paths is triggered.

joachimmetz commented 9 years ago

Filed: https://github.com/sleuthkit/sleuthkit/issues/383

joachimmetz commented 9 years ago

FYI added some basic gdb info to https://sites.google.com/a/kiddaland.net/plaso/developer/troubleshooting, in case it is needed in the future.

joachimmetz commented 9 years ago

Suggested work around:

joachimmetz commented 9 years ago

Marking as wontfix because this appears to be a bug upstream.

gregfreemyer commented 9 years ago

Looks like you found what you need, but I'll try to answer all here anyway:

What is the last 4.1 in libtsk10-4.1.3-4.1.x86_64 ?

Just a internal build number. Apparently I have commited the spec file or other item 4 times. And that spec file was used one time to build the library.

BTW which version of TSK are you using?

sleuthkit-4.1.3-4.1.x86_64

Filed: sleuthkit/sleuthkit#383

Great

Can you try running valgrind with fls on this file system, just to be sure one of these erroneous code paths is triggered.

I'll give it a shot, but I've never used valgrind.

Suggested work around: mount the file system with the Linux hfs drivers run log2timeline on the mount point

I'll do that, thanks

joachimmetz commented 9 years ago

Looks like you found what you need

Largely yes, but having valgrind confirm it would be nice ;)

gregfreemyer commented 9 years ago

Largely yes, but having valgrind confirm it would be nice ;)

I've been valgrinding for 2 hours. I hope all I needed to do was:

valgrind fls -o 409640 -r CU01/AV155_CU01C1.E01

joachimmetz commented 9 years ago

Yes that is fine for now, see if it mentions memory corruption errors.

gregfreemyer commented 9 years ago

I don't know what you expected it to output, but here's the results.

Note 1: This was a 1TB image that compressed down to 500 GB, thus relatively large. It is from an actual case, so the mix of data is unknown.

Note 2: it took about 12 hours to run through, so I can try with different valgrind options overnight tonight if you like.

> valgrind  fls -o 409640 -r CU01/*.E01 > valgrind-fls.out
==29226== Memcheck, a memory error detector
==29226== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29226== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==29226== Command: fls -o 409640 -r CU01/AV155_CU01C1.E01
==29226== 
==29226== 
==29226== HEAP SUMMARY:
==29226==     in use at exit: 1,344,109,921 bytes in 1,008,643 blocks
==29226==   total heap usage: 140,158,148 allocs, 139,149,505 frees, 1,233,199,851,360 bytes allocated
==29226== 
==29226== LEAK SUMMARY:
==29226==    definitely lost: 1,315,625,139 bytes in 1,002,502 blocks
==29226==    indirectly lost: 28,353,795 bytes in 6,124 blocks
==29226==      possibly lost: 127,907 bytes in 16 blocks
==29226==    still reachable: 3,080 bytes in 1 blocks
==29226==         suppressed: 0 bytes in 0 blocks
==29226== Rerun with --leak-check=full to see details of leaked memory
==29226== 
==29226== For counts of detected and suppressed errors, rerun with: -v
==29226== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
joachimmetz commented 9 years ago

I don't know what you expected it to output, but here's the results.

Not really, was hoping to see invalid read/write warnings. So maybe the bug is triggered somewhere else. I try to think of alternative trouble shooting options.

It is from an actual case, so the mix of data is unknown

That's why I asked you to run fls ;) Limit the test to the file system first.

it took about 12 hours to run through

Yes running with valgrind is not the fastest option, but then again it is thorough in what it supposed to do, namely checking for memory errors.

gregfreemyer commented 9 years ago

My impression is it happens in the first hour or two of log2timeline.py processing.

What if over the weekend I start it up and let it run. Even inside valgrind it should get that far by Monday. Then if I see the stacktrace I just kill valgrind?

If that is what is desired, please let me know the valgrind options you want me to run it with.

joachimmetz commented 9 years ago

The problem with running python in valgrind is that it will give a lot of noise because how the Python memory allocator works. It is possible that valgrind prevents the stack trace from happening. You can give it a try, but store it in a log file since there will probably a lot of log messages.

joachimmetz commented 9 years ago

Needs further analysis and likely a fix in libtsk.

kiddinn commented 9 years ago

is this something we want to continue having open as a plaso issue or should we close this as this is most likely an issue with TSK?

joachimmetz commented 9 years ago

Closing this one, already marked as wontfix.