Open boingomw opened 4 years ago
Hi @boingomw, this is a fantastic question! TL;DR: you've already found the recommended solution.
Why does it work?

It works because the `-v` volume mount creates a link between the container and the host machine. If it's a folder then everything in the folder can be seen by the container, while if it's a file then only that file can be seen. So the CDQR helper script does `-v /tmp/cfreds_2015_data_leakage_pc.E01:/tmp/cfreds_2015_data_leakage_pc.E01`, which is just the file, but `-v /tmp/:/tmp` shares everything in the `/tmp` folder.
I don't have all of the details but I can take a guess that there is more than one file in that disk image (E01, E02, E03, E0x, etc). The CDQR helper script makes the assumption that what is passed with `in:<file or folder>` is a file or folder. Now this creates a problem for multiple file disk images, as Plaso must be pointed at the first file in the chain, such as `filename.E01`, for it to process it as a disk image, but it is actually comprised of multiple files. If it is pointed at the folder then Plaso assumes it's not a disk image and does basic filestat information on each file in the folder (not really what is wanted in your case by any means, but exactly how Plaso should behave). This results in the helper script not being able to handle the request in the way the user would like.
ALL HOPE IS NOT LOST!
The CDQR helper scripts cannot account for every situation, and the reason it prints the docker commands to stdout is to enable everyone to learn how to use the aorlikoski/cdqr docker image in more advanced ways by using the native docker commands when there is a situation it cannot handle.

I'm really happy to see that this has helped get you to this point, as learning how to use the Docker commands opens amazing and new ways to use aorlikoski/cdqr. You've already found the solution I would recommend, and it is something that can be turned into a custom script for personal use (or create a script for the community, or add it into the helper script and file a PR to this repo to share with the community!). I'm all about supporting those who want to learn, so please keep in touch; I'm happy to help.
I also see that this was based off an example I have in the wiki. I'll take an action to go update that too. In the meantime try this wiki: https://github.com/orlikoski/Skadi/wiki/Analyzing-Data-in-Three-Easy-Steps
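The "turn it into a custom script" idea above, written out as an added example (this is not CDQR's helper script and not part of this thread): the function inspects the path given for the image and, when a sibling `.E02` segment exists next to the `.E01`, mounts the parent directory instead of the single file so the whole segment chain is visible inside the container. The `aorlikoski/cdqr:5.1.0` tag and the `/tmp/output` path are taken from the command quoted in this issue; the sample files it creates are constructed for illustration, and the docker command is printed rather than run.

```shell
#!/bin/sh
# Added example, not CDQR's own helper: pick the docker volume mount for a
# disk image so that split E01 sets are readable from inside the container.

# mount_spec IMAGE -> prints "host:container" for the -v flag.
# Mounting only the .E01 file hides its .E02/.E03 siblings from the
# container, so reads past the first segment fail. If a sibling .E02 exists
# the whole directory is mounted instead; otherwise just the file.
mount_spec() {
  image=$1
  dir=$(dirname "$image")
  base=$(basename "$image")
  stem=${base%.*}
  if [ -f "$dir/$stem.E02" ] || [ -f "$dir/$stem.e02" ]; then
    printf '%s:%s\n' "$dir" "$dir"
  else
    printf '%s:%s\n' "$image" "$image"
  fi
}

# build_cmd IMAGE OUTDIR -> prints the docker command line, the same way the
# helper script prints its translated command, but with the mount chosen by
# mount_spec. The image tag is the one quoted in the issue.
build_cmd() {
  image=$1
  out=$2
  printf 'docker run --network host -v %s -v %s:%s aorlikoski/cdqr:5.1.0 -y %s %s\n' \
    "$(mount_spec "$image")" "$out" "$out" "$image" "$out"
}

# Constructed demo: one single-segment image and one split image.
demo() {
  d=$(mktemp -d)
  : > "$d/single.E01"
  : > "$d/split.E01"
  : > "$d/split.E02"
  build_cmd "$d/single.E01" /tmp/output   # mounts only the file
  build_cmd "$d/split.E01" /tmp/output    # mounts the whole directory
  rm -rf "$d"
}

demo
```

The check is deliberately minimal (it only looks for the second segment); a split image with segments named beyond `.E99` follows the `.EAA` convention, but the first continuation is still `.E02`, so that one sibling is enough to decide.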
@boingomw based off the info @orlikoski provided above did it answer your question? We will still work on getting that wiki updated.
Thanks
Yup, it helped, thanks.
```
cdqr --max_cpu --nohash in:/tmp/cfreds_2015_data_leakage_pc.E01 out:/tmp/results-mormanual
```

Fails with a "pyewf_handle_read_buffer" error, but running the same command from inside the docker container works. I narrowed it down to this part of the translated docker command:

```
docker run --network host -v /tmp/cfreds_2015_data_leakage_pc.E01:/tmp/cfreds_2015_data_leakage_pc.E01 -v /tmp/output:/tmp/output --add-host=elasticsearch:127.0.0.1 --add-host=postgres:127.0.0.1 -v /opt/Skadi/Docker/timesketch/timesketch_default.conf:/etc/timesketch.conf aorlikoski/cdqr:5.1.0 -y /tmp/cfreds_2015_data_leakage_pc.E01 /tmp/output
```

If that is changed to `/tmp:/tmp` then the command runs.
I haven't looked at the helper file, but the change should be reasonably simple, right?