orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
GNU General Public License v3.0

log2timeline.py: error: unrecognized arguments: Results/artifacts/host1 #59

Open alexzorila opened 2 years ago

alexzorila commented 2 years ago

Hi Alan,

CDQR Version: 20191226 errors out when used with Plaso Version: 20220428. Replicated on Ubuntu 20.04 and Kali 2022.2.

Full Error Output:

user@vm:~/CDQR/src/Results$ cat host1.log 
usage: log2timeline.py [-h] [--troubles] [-V] [--artifact_definitions PATH]
                       [--custom_artifact_definitions PATH] [--data PATH]
                       [--artifact_filters ARTIFACT_FILTERS]
                       [--artifact_filters_file PATH] [--preferred_year YEAR]
                       [--process_archives] [--skip_compressed_streams]
                       [-f FILE_FILTER] [--hasher_file_size_limit SIZE]
                       [--hashers HASHER_LIST]
                       [--parsers PARSER_FILTER_EXPRESSION]
                       [--yara_rules PATH] [--partitions PARTITIONS]
                       [--volumes VOLUMES] [--language LANGUAGE_TAG]
                       [--no_extract_winevt_resources] [-z TIME_ZONE]
                       [--no_vss] [--vss_only] [--vss_stores VSS_STORES]
                       [--credential TYPE:DATA] [-d] [-q] [-u] [--info]
                       [--use_markdown] [--no_dependencies_check]
                       [--logfile FILENAME] [--status_view TYPE] [-t TEXT]
                       [--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE]
                       [--single_process] [--process_memory_limit SIZE]
                       [--temporary_directory DIRECTORY] [--vfs_back_end TYPE]
                       [--worker_memory_limit SIZE] [--worker_timeout MINUTES]
                       [--workers WORKERS] [--sigsegv_handler]
                       [--profilers PROFILERS_LIST]
                       [--profiling_directory DIRECTORY]
                       [--profiling_sample_rate SAMPLE_RATE]
                       [--storage_file PATH] [--storage_format FORMAT]
                       [--task_storage_format FORMAT]
                       [SOURCE]
log2timeline.py: error: unrecognized arguments: Results/artifacts/host1
CDQR Version: 20191226
Plaso Version: 20220428
Using parser: win
Number of cpu cores to use: 4
Destination Folder: Results
Source data: Results/artifacts/host1
Log File: Results/host1.log
Database File: Results/host1.plaso
SuperTimeline CSV File: Results/host1.SuperTimeline.csv

Start time  was: 2022-06-25 18:20:55.086696
Processing started at: 2022-06-25 18:20:55.086861
Parsing image
"log2timeline.py" "--partition" "all" "--vss_stores" "all" "--status_view" "linear" "--parsers" "bash_history,bencode,czip,esedb,filestat,lnk,mcafee_protection,olecf,pe,prefetch,recycle_bin,recycle_bin_info2,sccm,sophos_av,sqlite,symantec_scanlog,winevt,winevtx,webhist,winfirewall,winjob,winreg,zsh_extended_history" "--hashers" "md5" "--workers" "4" "--logfile" "Results/host1_log2timeline.gz" "Results/host1.plaso" "Results/artifacts/host1" "--no_dependencies_check"
ERROR: There was a problem. See details in log.

Thank you for all the work you put into your tools to make forensics more accessible!

Hope this helps, Alex

alexzorila commented 2 years ago

Opened #60 that appends '--storage-file' before plaso db_file in log2timeline command1 variable.
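The failure above comes from an argument-order change: the quoted usage text lists `--storage_file PATH` as a named option and only `SOURCE` as a positional, so CDQR's command line, which still passes `Results/host1.plaso` positionally, makes Plaso treat the `.plaso` path as SOURCE and reject the real source directory. The following is an added example, not CDQR's or Plaso's own code, showing how a wrapper can probe the usage text and emit the right argument order for either convention; the `OLD_USAGE` string and the function names are constructed for illustration.

```python
import re

# Constructed sample, abridged from the usage text quoted in this issue:
# Plaso 20220428 takes --storage_file as an option and SOURCE as the only positional.
NEW_USAGE = ("usage: log2timeline.py [-h] [--status_view TYPE] "
             "[--storage_file PATH] [--storage_format FORMAT] [SOURCE]")
# Constructed stand-in for the older convention CDQR 20191226 was written against:
# storage file first, then source, both positional.
OLD_USAGE = "usage: log2timeline.py [-h] [--status_view TYPE] STORAGE_FILE SOURCE"


def storage_file_is_option(usage_text):
    """True when log2timeline.py's usage text advertises --storage_file as an option."""
    return re.search(r"\[--storage_file PATH\]", usage_text) is not None


def build_log2timeline_cmd(db_file, source, parsers, workers, logfile, usage_text):
    """Build the argv list CDQR would run, adapting the storage-file position to Plaso."""
    cmd = [
        "log2timeline.py", "--partitions", "all", "--vss_stores", "all",
        "--status_view", "linear", "--parsers", ",".join(parsers),
        "--hashers", "md5", "--workers", str(workers), "--logfile", logfile,
    ]
    if storage_file_is_option(usage_text):
        # Newer Plaso: the .plaso output must be named with --storage_file,
        # otherwise it is consumed as SOURCE and the real source is rejected.
        cmd += ["--storage_file", db_file, source]
    else:
        # Older Plaso: storage file and source are both positional, in that order.
        cmd += [db_file, source]
    cmd.append("--no_dependencies_check")
    return cmd


def explain_unrecognized_argument(error_line, argv):
    """Map Plaso's 'unrecognized arguments: X' line back to what was taken as SOURCE.

    Returns (rejected_argument, argument_consumed_as_source) or None if the error
    line is not the argparse message this issue reports.
    """
    match = re.search(r"unrecognized arguments: (\S+)", error_line)
    if not match:
        return None
    rejected = match.group(1)
    idx = argv.index(rejected)
    # The positional immediately before the rejected one is what argparse bound to SOURCE.
    return rejected, argv[idx - 1]
```

With the usage text from `log2timeline.py --help` captured at run time, the same wrapper works against both Plaso generations instead of failing as shown in the host1.log above.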