orlikoski / Skadi

Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
https://www.skadivm.com
GNU General Public License v3.0

No such file or directory log2timeline.py #3

Closed glennbarrett closed 6 years ago

glennbarrett commented 6 years ago

On a fresh install of CCF_VM 2.2, I am getting an error that there is no such file or directory for log2timeline.py when running the standard cdqr.py command to process a windows zip from CyLR. It looks like the new TimeSketch options aren't part of the documentation, so maybe this command or process has changed somehow but isn't documented?

cdqr@CCF_VM:~$ cdqr.py HOSTNAME.zip -p win --max_cpu -z --es_kb HOSTNAME
CDQR Version: 4.0.1
Traceback (most recent call last):
  File "/usr/local/bin/cdqr.py", line 1585, in <module>
    main()
  File "/usr/local/bin/cdqr.py", line 1450, in main
    p_ver = plaso_version(log2timeline_location)
  File "/usr/local/bin/cdqr.py", line 884, in plaso_version
    myproc = subprocess.Popen([log2timeline_location,"--version"],stderr=subprocess.PIPE)
  File "/usr/lib/python3.5/subprocess.py", line 947, in __init__
    restore_signals, start_new_session)
  File "/usr/lib/python3.5/subprocess.py", line 1551, in _execute_child
    raise child_exception_type(errno_num, err_msg)
FileNotFoundError: [Errno 2] No such file or directory: 'log2timeline.py'
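The traceback above comes from cdqr.py handing a bare 'log2timeline.py' to subprocess.Popen, which raises FileNotFoundError when the tool is not on PATH. As an added example (not CDQR's or plaso's own code), here is the same version probe with a preflight check that turns a missing or broken plaso install into a None result; the fake log2timeline.py it builds in a temp dir is constructed for the demo.

```python
import os
import re
import shutil
import stat
import subprocess
import tempfile
from typing import Optional

# plaso releases are date-stamped, e.g. 20170930 (matches the .deb names above)
VERSION_RE = re.compile(r"\b(\d{8})\b")


def plaso_version(log2timeline_location: str) -> Optional[str]:
    """Return the plaso version reported by log2timeline.py, or None.

    Resolves the tool on PATH first (shutil.which accepts a bare name or an
    absolute path), so a missing binary yields None rather than an unhandled
    FileNotFoundError like the one in the traceback.
    """
    resolved = shutil.which(log2timeline_location)
    if resolved is None:
        return None
    try:
        proc = subprocess.run([resolved, "--version"], capture_output=True,
                              text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # Some plaso releases print the version on stderr, so scan both streams.
    match = VERSION_RE.search(proc.stdout + proc.stderr)
    return match.group(1) if match else None


def demo_with_fake_tool() -> Optional[str]:
    """Constructed stand-in: a fake log2timeline.py that only prints a version."""
    tmpdir = tempfile.mkdtemp()
    fake = os.path.join(tmpdir, "log2timeline.py")
    with open(fake, "w") as fh:
        fh.write("#!/bin/sh\necho 'plaso - log2timeline version 20170930' >&2\n")
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    return plaso_version(fake)


if __name__ == "__main__":
    print("missing tool ->", plaso_version("log2timeline-missing-constructed-xyz"))
    print("fake tool    ->", demo_with_fake_tool())
```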

glennbarrett commented 6 years ago

Forgot to note that I had run the update.sh script before trying this.

I just tried again with a fresh VM before the update, and it is working properly. After running the update.sh script, the functionality is broken again.

I noticed as part of the apt upgrade process in the update.sh, the following error is thrown:

Errors were encountered while processing:
 /var/cache/apt/archives/artifacts-data_20170909-1ppa1~xenial_all.deb
 /var/cache/apt/archives/plaso-data_20170930-1ppa1~xenial_all.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt-get -f install' to correct these.
The following packages have unmet dependencies:
 python-artifacts : Depends: artifacts-data but it is not installed
 python-plaso : Depends: plaso-data but it is not installed
E: Unmet dependencies. Try using -f.

I ran an apt-get -f install and it did install more packages successfully, but still did not resolve the broken functionality.

orlikoski commented 6 years ago

Glenn,

Thanks for bringing this up. I'm not able to test for the next couple of days but I will later this week. My guess is that something happened with the plaso apt-get repo and that they are in the process of updating it, therefore all of the dependencies aren't aligning at this time. I recommend rolling back to a snapshot of the VM before the update script was run or redeploying the OVF and not running the update.sh script until the Plaso repository is fixed (usually takes a couple to a few days).

Checking the Plaso git it looks like they are in the middle of updating the Linux repos. https://github.com/log2timeline/plaso/issues/1421

orlikoski commented 6 years ago

The workaround for now is to comment out the following lines of the update.sh script:

echo "Updating OS"
sudo apt-get -y update
sudo apt-get -y dist-upgrade
sudo apt-get -y autoremove

orlikoski commented 6 years ago

Filed an issue with Plaso Github for upgrading: https://github.com/log2timeline/plaso/issues/1484

orlikoski commented 6 years ago

This is not officially supported yet in CDQR but that support is coming (you can check it out now in the Branch PR002).

The final upgrade script for CCF-VM 2.x is:

sudo add-apt-repository -y universe
sudo add-apt-repository -y ppa:gift/stable
sudo apt -y purge python-artifacts python3-artifacts plaso plaso-data plaso-tools python-plaso forensics-all
sudo rm -rf /usr/lib/python2.7/dist-packages/plaso
sudo apt -y -f install
sudo apt -y autoremove
sudo apt -y autoclean
sudo -H pip uninstall PyYAML
sudo -H pip uninstall artifacts

sudo apt -y update;sudo apt-get -y dist-upgrade
sudo apt -y install python-plaso plaso-tools
sudo shutdown -r "now"