markmckinnon / Autopsy-Plugins

Autopsy Python Plugins

Plaso modules not working on autopsy 4.17/4.18 #38

Open Jissynacktiv opened 3 years ago

Jissynacktiv commented 3 years ago

Hi there,

Having to use Autopsy on Linux, I tried to use your Plaso modules. It seems they are both outdated.

My first attempt was to try the Plaso Module:

[REDACTED]/.autopsy/dev/python_modules/Plaso/Plaso.py", line 147, in startUp
    self.log(Level.INFO, "Plaso directory ==> " + self.local_settings.getSetting('Plaso_Directory'))
AttributeError: 'NoneType' object has no attribute 'getSetting'

Looking at #33 I think pretty much all your plugins relying on self.local_settings.getSetting are impacted (thus not working anymore).

I've never coded a plugin for Autopsy so I don't know the inner mechanisms, but debugging a bit pointed out that PlasoSettingsWithUISettingsPanel(self.settings) correctly populates the local_settings class variable within:

https://github.com/markmckinnon/Autopsy-Plugins/blob/103f59a36774bbe8b276fbdbf226ba385d24c619/Plaso/Plaso.py#L112-L116

But in the subsequent call, local_settings is None:

https://github.com/markmckinnon/Autopsy-Plugins/blob/103f59a36774bbe8b276fbdbf226ba385d24c619/Plaso/Plaso.py#L143-L148

Because I don't really have the time to take a deep dive in autopsy code, my second attempt was to try to use the Plaso Import Module:

I first executed log2timeline.py on the command line, then hardcoded paths in Plaso_Import.py (as it faces the same problem as aforementioned) but encountered another problem:

INFO: Running program ==> /usr/local/bin/psort.py -o 4n6time_sqlite -w [REDACTED]/ModuleOutput\Plaso_Import\plaso_import.db3 
[REDACTED]/Plaso/20210623T173814-image.raw.plaso
2021-06-24 10:56:43.326 Plaso_ImportIngestModule process
INFO: Output from run is ==> ERROR: Unsupported output format: 4n6time_sqlite

A look at psort.py shows that it does not support 4n6time_sqlite format anymore:

$ /usr/local/bin/psort.py -o list

******************************** Output Modules ********************************
      Name : Description
--------------------------------------------------------------------------------
   dynamic : Dynamic selection of fields for a separated value output format.
   elastic : Saves the events into an Elasticsearch database.
elastic_ts : Saves the events into an Elasticsearch database for use with
             Timesketch.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
       kml : Saves events with geography data into a KML format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : Output module that does not output anything.
     rawpy : native (or "raw") Python output.
       tln : TLN 5 field | delimited output.
      xlsx : Excel Spreadsheet (XLSX) output
--------------------------------------------------------------------------------

psort.py version being:

$ /usr/local/bin/psort.py -V
plaso - psort version 20210606

I don't know how much the Autopsy core has changed since these modules were coded, but I guess some other similar problems may be encountered.
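The "Unsupported output format: 4n6time_sqlite" failure above is a version-drift problem: the plugin hardcodes an output module that the installed psort no longer ships. The following is an added example, not code from this repository or from the Plaso project, showing how a wrapper can query `psort.py -o list` first, pick a supported output format from a preference list, and build the psort command only when a usable format exists. The sample listing is the one pasted in this issue; `psort.py`, `-o`, `-w` and the module names come from the issue text, while the preference order and the function names are this example's own choices. It is written for Python 3 as a stand-alone script, not as Autopsy Jython plugin code.

```python
import re
import subprocess

# Sample `psort.py -o list` output, copied from this issue (psort version 20210606).
SAMPLE_PSORT_LIST = """\
******************************** Output Modules ********************************
      Name : Description
--------------------------------------------------------------------------------
   dynamic : Dynamic selection of fields for a separated value output format.
   elastic : Saves the events into an Elasticsearch database.
elastic_ts : Saves the events into an Elasticsearch database for use with
             Timesketch.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
       kml : Saves events with geography data into a KML format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : Output module that does not output anything.
     rawpy : native (or "raw") Python output.
       tln : TLN 5 field | delimited output.
      xlsx : Excel Spreadsheet (XLSX) output
--------------------------------------------------------------------------------
"""

# A module line looks like "   name : description". Continuation lines (the
# wrapped Timesketch description) and the dashed rulers never match this.
MODULE_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s")

# Example preference order (an assumption of this example, not the plugin's):
# keep the legacy format first so an old psort still gets what the plugin expects.
PREFERRED_FORMATS = ("4n6time_sqlite", "json_line", "l2tcsv")


def parse_output_modules(listing):
    """Return the set of output module names found in `psort.py -o list` text."""
    names = set()
    for line in listing.splitlines():
        match = MODULE_LINE.match(line)
        if match and match.group(1) != "Name":  # skip the column header
            names.add(match.group(1))
    return names


def query_output_modules(psort_path="/usr/local/bin/psort.py"):
    """Ask the installed psort which output modules it has (requires Plaso)."""
    result = subprocess.run([psort_path, "-o", "list"],
                            capture_output=True, text=True, check=False)
    return parse_output_modules(result.stdout)


def choose_output_format(available, preferred=PREFERRED_FORMATS):
    """Pick the first preferred format this psort supports, or None if none do."""
    for fmt in preferred:
        if fmt in available:
            return fmt
    return None


def build_psort_command(psort_path, available, output_file, storage_file):
    """Build the psort argv list, failing early with a clear message instead of
    letting psort itself die with 'Unsupported output format'."""
    fmt = choose_output_format(available)
    if fmt is None:
        raise RuntimeError(
            "none of %s is supported by this psort; it offers: %s"
            % (", ".join(PREFERRED_FORMATS), ", ".join(sorted(available))))
    return [psort_path, "-o", fmt, "-w", output_file, storage_file]


if __name__ == "__main__":
    # Offline demonstration against the pasted listing; swap in
    # query_output_modules() when Plaso is installed.
    modules = parse_output_modules(SAMPLE_PSORT_LIST)
    print("4n6time_sqlite available:", "4n6time_sqlite" in modules)
    print(" ".join(build_psort_command("/usr/local/bin/psort.py", modules,
                                       "/tmp/plaso_import.jsonl",
                                       "/tmp/image.raw.plaso")))
```

Against the listing from this issue the wrapper selects json_line, because 4n6time_sqlite is absent; on an older psort that still lists 4n6time_sqlite it would keep the plugin's original choice. Whatever format is chosen, the import side of the plugin has to read that format, so the fallback list should only contain formats the importer actually parses.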

markmckinnon commented 3 years ago

What version of Autopsy are you using? Yes, newer versions of Plaso without the 4n6time_sqlite output will not work. The plugin will have parts of it rewritten to support a different output method from psort.

Jissynacktiv commented 3 years ago

I'm using Autopsy 4.18 (release version).

markmckinnon commented 3 years ago

I will take a look at this as time permits.

Jissynacktiv commented 3 years ago

Thanks! And regarding the self.local_settings.getSetting problem, I think it impacts all of your other plugins functioning like this one.