orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, macOS, and Android devices.
GNU General Public License v3.0

Not able to generate individual CSV files help me #2

Closed hacker4x closed 8 years ago

hacker4x commented 8 years ago

Plaso version:

For example 1.4.0 Release

Operating system Plaso is running on:

Windows 7

Installation method:

For example installed from [GiFT](https://launchpad.net/~gift), built using [l2devtools](https://github.com/log2timeline/l2tdevtools), or some other method.

Description of problem:

I got the generated .db file but am not able to generate the individual CSVs. Please help me, asap.

```
value out of range
[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378121015794462777 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378121015794530608 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378121015794661429 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378648688585023858 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378673109732614202 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8378677572206928246 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8379513036173553264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8399962630399972454 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8411810075432968750 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8434944808433363510 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8439958577042025589 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8447053898000436037 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8450411854277059429 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8458219050600409096 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8458219050600409096 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8518571447666484596 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8583311014230429528 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8591754146788160101 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8594572151534069614 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8594572151534069614 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8595128521853384031 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8609712713317859328 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8609712713317859431 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8611808730372752904 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8663823465366630521 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8666627607517475399 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8731018281124574318 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8731018281124574318 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8735594369897606253 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8740091451076981553 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8808409356843886948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8808409356843886948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8808409356843886948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8808409356843886948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8808409356843886948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8813848390023104008 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8813848390023104008 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8813848390023104008 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8813848390023104008 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8841300321372195078 to a datetime object with error: date value out of range
[ERROR] Unable to copy 8939877146065568892 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9154526533530086620 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9206932593046046216 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9240788109554383359 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9439857534320624385 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9450563123376473031 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9523187321566512648 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9590061817797748577 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9791040504015627805 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9797244691458117902 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9847734146204471227 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9853854227379254513 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9894897215608114824 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9913299544659576328 to a datetime object with error: date value out of range
[ERROR] Unable to copy 9939857530394120056 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10083578031867000541 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10108913072317066314 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10223587223576102408 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10240120813717497254 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10338638747030757372 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10393353228237767891 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10488740624457176785 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10646627337393804219 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10711569826296718099 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10770706921350676993 to a datetime object with error: date value out of range
[ERROR] Unable to copy 10941357210281297416 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11202710936523554971 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11309358565153004693 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11407764457095883251 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11441476671244977672 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11441476671244977672 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11659261648254887637 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11675845096727635881 to a datetime object with error: date value out of range
[ERROR] Unable to copy 11700491379558871167 to a datetime object with error: date value out of range
[ERROR] Unable to copy 12212834748250371440 to a datetime object with error: date value out of range
[ERROR] Unable to copy 12484946163585452748 to a datetime object with error: date value out of range
[ERROR] Unable to copy 12537763983824454776 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13026051081429436823 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13093039967066734416 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13344385581339849458 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13419619099931288297 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13459082866923749195 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13500498977837386347 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13967528769758019584 to a datetime object with error: date value out of range
[ERROR] Unable to copy 13977340349366593948 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14024985342528702832 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14117589017205261832 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14303972000890317429 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14670673538803115433 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14794764293904813278 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14893090895897309988 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14909593410259559116 to a datetime object with error: date value out of range
[ERROR] Unable to copy 14999051346928498082 to a datetime object with error: date value out of range
[ERROR] Unable to copy 15272740937592059539 to a datetime object with error: date value out of range
[ERROR] Unable to copy 15416721789605011684 to a datetime object with error: date value out of range
[ERROR] Unable to copy 15712939374547955685 to a datetime object with error: date value out of range
[ERROR] Unable to copy 15952641062218334931 to a datetime object with error: date value out of range
[ERROR] Unable to copy 15956788365783282840 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16044906716129835036 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16060983515880736264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16270856394576843160 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16281855883216718985 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16329604955889501659 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16388456692791771542 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16420201675374301806 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16433156886369758529 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16489706494824587995 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16548111423035854027 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16579708170927926317 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16599966975918121724 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16737837482992651562 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16777773824840613374 to a datetime object with error: date value out of range
[ERROR] Unable to copy 16847281535263874031 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17022428369045276168 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17090698145525515016 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17348130281417043577 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17391062608280086992 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17678013276618343432 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17678013276618343432 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17678013276618343432 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17678936420003825205 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17681889966300943275 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17854066264658587272 to a datetime object with error: date value out of range
[ERROR] Unable to copy 17931355049309095432 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18010297785160155912 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18071948832602479032 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18195557796009138387 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18244516511671060495 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18279817475589259264 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18279817475589259372 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18395699398406737657 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18431474510272775688 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18431474510272775688 to a datetime object with error: date value out of range
[ERROR] Unable to copy 18435099600109551615 to a datetime object with error: date value out of range
Processing completed.

*** Counter ****

Stored Events : 16967253
Events Included : 16967253

Duplicate Removals : 14346020

C:\Windows\system32>
```

Source data:

Error in creating Individual CSV report.
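The repeated "Unable to copy N to a datetime object" lines in the output above are Plaso complaining about individual event timestamps; they are per-event and processing carries on to "Processing completed.", so they do not by themselves explain the missing reports. The Python script below is an added example, not code from the issue, from Plaso or from CDQR. It assumes Plaso's convention at that version of storing an event timestamp as microseconds since 1970-01-01 UTC and converting it by adding a timedelta to the epoch; Python's datetime stops at year 9999, so any value above MAX_MICROSECONDS can never convert. The script mirrors that conversion, pulls the failing values out of psort output, and also reinterprets each value as a signed 64-bit integer. On the last value in the log, 18435099600109551615, that gives -11644473600000001, one microsecond before 1601-01-01, the FILETIME epoch; that reading of the numbers is mine and is not stated anywhere in the thread. The sample log text in the script is constructed from a few of the lines above.

```python
"""Why psort prints "Unable to copy N to a datetime object ... date value out of range".

Added example, not Plaso's or CDQR's code. Assumption: Plaso stores an event
timestamp as microseconds since 1970-01-01 UTC and converts it with
datetime + timedelta, which raises OverflowError past 9999-12-31.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 9999-12-31 23:59:59.999999 UTC in microseconds since the epoch: the largest
# value the conversion below can accept.
MAX_MICROSECONDS = 253402300799999999
MICROSECONDS_PER_YEAR = 31557600 * 10**6  # 365.25 days, good enough for a rough year

ERROR_RE = re.compile(r"Unable to copy (\d+) to a datetime object")

# Constructed sample of psort output, modelled on the lines in the issue.
SAMPLE_LOG = (
    "[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range\n"
    "[ERROR] Unable to copy 8378110232981209856 to a datetime object with error: date value out of range\n"
    "[ERROR] Unable to copy 8378121015794462777 to a datetime object with error: date value out of range\n"
    "[ERROR] Unable to copy 18435099600109551615 to a datetime object with error: date value out of range\n"
    "Processing completed.\n"
)


def to_datetime(timestamp):
    """Plaso-style conversion: a UTC datetime, or None when Python cannot represent it."""
    try:
        return EPOCH + timedelta(microseconds=timestamp)
    except (OverflowError, ValueError):
        return None


def as_signed_int64(value):
    """Reinterpret a value that was read as unsigned 64-bit as two's-complement int64."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value >= (1 << 63) else value


def failing_timestamps(log_text):
    """Unique timestamp values psort could not convert, in order of first appearance."""
    seen = []
    for match in ERROR_RE.finditer(log_text):
        value = int(match.group(1))
        if value not in seen:
            seen.append(value)
    return seen


def explain(timestamp):
    """Describe one failing value: the rough year it would be, and what it is as int64."""
    signed = as_signed_int64(timestamp)
    return {
        "value": timestamp,
        "approx_year": 1970 + timestamp // MICROSECONDS_PER_YEAR,
        "as_int64": signed,
        "as_int64_datetime": to_datetime(signed),
    }


if __name__ == "__main__":
    for value in failing_timestamps(SAMPLE_LOG):
        info = explain(value)
        print(f"{value}: ~year {info['approx_year']}, as int64 {info['as_int64']} "
              f"-> {info['as_int64_datetime']}")
```

Run it against a real psort log (`python script.py < psort.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) to see how many distinct timestamps are affected; a handful of garbage values from slack or unallocated space is normal for `mft`, `usnjrnl` and `filestat` output and is not what stops report generation.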

orlikoski commented 8 years ago

The likely reason for these errors is that psort is failing to create the SuperTimeline. Try copying and pasting the psort command that is in the log file into a command shell to see if it is successful. If it is not then I suggest using the statically compiled version of Plaso instead of the dev version.

If you want a quick test of your dev Plaso version you can run "run_tests.py" (included in the Plaso dev build code on github) to make sure that your current build has no errors.

orlikoski commented 8 years ago

Can you provide the log file so I can look into this in more detail please? Also, did you try the psort command to see if it works by itself? It should be formatted like this: "psort -o l2tcsv filename.db -w supertimeline.csv". Knowing if that works by itself would help troubleshooting greatly.

hacker4x commented 8 years ago

Here are the log files:

```
Worker_00 (PID: 4728) - events extracted: 3921518 - file: TSK:/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000002 - running: True
Worker_01 (PID: 2368) - events extracted: 4756614 - file: TSK:/System Volume Information/EfaSIDat/SYMEFA.DB - running: True
Worker_02 (PID: 4352) - events extracted: 3725294 - file: TSK:/System Volume Information/Syscache.hve - running: True
Worker_03 (PID: 2080) - events extracted: 4563827 - file: TSK:/$Extend/$UsnJrnl:$J - running: True
Processing completed.

[ERROR] Processing stopped early: [Errno 28] No space left on device.
close failed in file object destructor:
IOError: [Errno 28] No space left on device

CDQR Version: 2.01
Using parser: win
Number of cpu cores to use: 4
Source data: E:\image\image01.001
Destination Folder: Results
Database File: Results\image01.001.db
Processing started at: 2016-03-29 18:27:40.806754
Parsing image
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_drive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mrulistex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassist,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,windows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,winevtx,winfirewall,winjob,winrar_mru,winreg,winreg_default" "--hashers" "none" "--workers" "4" "Results\image01.001.db" "E:\image\image01.001"
Parsing ended at: 2016-04-03 13:54:11.562412
Parsing duration was: 4 days, 19:26:30.755658

Creating the SuperTimeline CSV file
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\psort.exe" "-o" "l2tcsv" "Results\image01.001.db" "-w" "Results\image01.001.SuperTimeline.csv"
SuperTimeline CSV file is created

Creating the individual reports
```

orlikoski commented 8 years ago

I see what the problem is.

"[ERROR] Processing stopped early: [Errno 28] No space left on device. close failed in file object destructor: IOError: [Errno 28] No space left on device"

It appears that there was not enough room to write the file. Try a new output location with more space.

hacker4x commented 8 years ago

```
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\psort.exe" "-o" "l2tcsv" "Results\image01.001.db" "-w" "Results\image01.001.SuperTimeline.csv"
```

I tried this one but still cannot create the individual reports. I am able to generate supertimeline.csv, but its size is 2.5 GB and because of this I am not able to open it. I need the individual reports. Please help me.

orlikoski commented 8 years ago

First make sure you have at least 3 GB of space free to create the sub reports. Make sure you have CDQR version 2.01. You can restart CDQR on the same image file and point it at the same results folder. CDQR will prompt you about using the same folder and keeping the existing files. This will take multiple prompts and the default options are to keep all files. Ensure you select the option to keep your existing files. It will use the super timeline you've created to make the individual reports. I highly recommend making a copy of the super timeline and .db file before doing this.
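The recovery orlikoski describes (free enough space, keep the existing super timeline and .db, and let CDQR derive the individual reports from the super timeline) comes down to two steps: check the destination has room, then split the l2tcsv file by artifact source without loading it into memory. The Python script below is an added example that is not CDQR's own code and does not reproduce CDQR's report layout. It refuses to start unless the destination filesystem can hold the output plus a margin (the `[Errno 28] No space left on device` failure in the log), then streams the timeline once and writes one CSV per distinct value of the `source` column. The 17-column header is the l2tcsv layout that `psort -o l2tcsv` writes; the three sample rows, the 20% margin and the choice of `source` as the split key are assumptions of the example.

```python
"""Split a Plaso l2tcsv SuperTimeline into one CSV per source, streaming.

Added example, not CDQR's code. Assumes the l2tcsv column layout that
"psort -o l2tcsv" writes (17 columns, header below). Checks free space before
writing, because the failure in the thread was ENOSPC on the results folder.
"""
import csv
import os
import re
import shutil
import tempfile

L2TCSV_HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype",
                 "type", "user", "host", "short", "desc", "version",
                 "filename", "inode", "notes", "format", "extra"]

# Constructed three-row timeline (not taken from the issue).
SAMPLE_L2TCSV = "\n".join([
    ",".join(L2TCSV_HEADER),
    "03/29/2016,18:27:40,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,HOST,x.dll,TSK:/Windows/x.dll,2,TSK:/Windows/x.dll,12,-,filestat,-",
    "03/29/2016,18:27:41,UTC,...B,EVT,WinEVTX,Creation Time,-,HOST,4624,Logon,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,99,-,winevtx,-",
    "03/29/2016,18:27:42,UTC,MACB,FILE,NTFS USN change,Metadata Modification Time,-,HOST,x.dll,USN_REASON_CLOSE,2,TSK:/$Extend/$UsnJrnl:$J,4,-,usnjrnl,-",
    "",
])

# Real timelines carry very long "desc"/"extra" fields; lift the csv module's default limit.
csv.field_size_limit(2**31 - 1)


def bytes_needed(timeline_size, margin_percent=20):
    """Space to reserve for the split output: the timeline again plus a margin (assumed 20%)."""
    return timeline_size + timeline_size * margin_percent // 100


def has_room(dest_dir, timeline_path, margin_percent=20):
    """True when the destination filesystem can hold the split output."""
    needed = bytes_needed(os.path.getsize(timeline_path), margin_percent)
    return shutil.disk_usage(dest_dir).free >= needed


def safe_name(value):
    """Turn a column value such as 'NTFS $MFT' into a filename component."""
    return re.sub(r"[^A-Za-z0-9_.-]+", "_", value).strip("_") or "UNKNOWN"


def split_by_column(timeline_path, out_dir, column="source"):
    """Stream the timeline once; write <out_dir>/<value>.csv per distinct value.

    Returns {value: row_count}. Output files are opened lazily and all closed at
    the end, so a multi-GB timeline never has to fit in memory.
    """
    if not has_room(out_dir, timeline_path):
        raise OSError(f"not enough free space in {out_dir} to split {timeline_path}")
    counts, handles, writers = {}, {}, {}
    with open(timeline_path, newline="", encoding="utf-8", errors="replace") as src:
        reader = csv.DictReader(src)
        if column not in (reader.fieldnames or []):
            raise ValueError(f"column {column!r} not in header {reader.fieldnames}")
        try:
            for row in reader:
                key = row.get(column) or ""
                if key not in writers:
                    path = os.path.join(out_dir, safe_name(key) + ".csv")
                    handles[key] = open(path, "w", newline="", encoding="utf-8")
                    writers[key] = csv.DictWriter(handles[key], fieldnames=reader.fieldnames,
                                                  extrasaction="ignore")
                    writers[key].writeheader()
                    counts[key] = 0
                writers[key].writerow(row)
                counts[key] += 1
        finally:
            for handle in handles.values():
                handle.close()
    return counts


def demo():
    """Write the constructed sample to a temp dir, split it, return the per-source counts."""
    work = tempfile.mkdtemp(prefix="cdqr_split_")
    timeline = os.path.join(work, "SuperTimeline.csv")
    with open(timeline, "w", newline="", encoding="utf-8") as fh:
        fh.write(SAMPLE_L2TCSV)
    return split_by_column(timeline, work)


if __name__ == "__main__":
    for source, n in sorted(demo().items()):
        print(f"{source}: {n} events")
```

For the 2.5 GB timeline in this thread, call `split_by_column(r"Results\image01.001.SuperTimeline.csv", r"Results\reports")` after copying the timeline and .db somewhere safe, as orlikoski advises; switch `column` to `sourcetype` if you want finer files such as one per event log or registry key type.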