sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Unable to run Plaso ingest module #7580

Open thenebular opened 2 years ago

thenebular commented 2 years ago

I’m running Autopsy 4.19.3 on Windows 10 and I’m unable to run the plaso module against any data source. The logs show this error:

SEVERE: Plaso experienced an error during analysis (data source = Y247388.E01, objId = 1, pipeline id = 3, ingest job id = 2) java.nio.file.InvalidPathException: Illegal char <:> at index 92: C:\Users\forensics\Documents\Cases\Y247388-New\ModuleOutput\plaso\2022-03-16 15-15-11 GMT-07:00

It looks like the plaso module is trying to create a file or folder with a colon in it from the timezone information, which obviously doesn't work in a Windows environment.

thenebular commented 2 years ago

I've done some testing and the issue has to do with the timezone set in Windows. Plaso fails with any timezone that does not use daylight savings. This includes just turning off automatically adjust for daylight savings. When testing, Eastern, Central, and Pacific worked with auto adjust turned on and failed with it turned off. Saskatchewan, Arizona, and Yukon would always fail; those timezones do not have a daylight option at all.

With daylight turned off the plaso module tries to put a : in the folder name.
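
The failure reported above, as an added example that is not Autopsy's code and not from the issue author: it formats a timestamp for a named zone and for a custom `GMT-07:00` zone, then shows a sanitized folder name. Assumptions: the date pattern is inferred from the folder name in the log, the JVM is taken to fall back to a custom GMT offset zone when daylight adjustment is off, and the class name, `folderName` and `sanitize` are hypothetical.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

public class PlasoFolderNameDemo {
    // Assumed pattern, inferred from "2022-03-16 15-15-11 GMT-07:00" in the log.
    static final String PATTERN = "yyyy-MM-dd HH-mm-ss z";

    // Build the timestamped folder name for a given zone.
    static String folderName(TimeZone tz, Date when) {
        SimpleDateFormat fmt = new SimpleDateFormat(PATTERN, Locale.US);
        fmt.setTimeZone(tz);
        return fmt.format(when);
    }

    // Replace characters that Windows forbids in a file name component.
    static String sanitize(String name) {
        return name.replaceAll("[<>:\"/\\\\|?*]", "-");
    }

    // Paths.get only rejects ':' here when run on Windows; elsewhere it accepts it.
    static String check(String base, String name) {
        try {
            Paths.get(base, name);
            return "ok";
        } catch (InvalidPathException e) {
            return "rejected: " + e.getReason();
        }
    }

    public static void main(String[] args) {
        Date when = new Date(1647469111000L); // constructed: 2022-03-16 22:15:11 UTC
        String base = "ModuleOutput/plaso";   // constructed relative path
        TimeZone[] zones = {
            TimeZone.getTimeZone("America/Los_Angeles"), // named zone, "z" prints PDT
            TimeZone.getTimeZone("GMT-07:00")            // custom zone, "z" prints GMT-07:00
        };
        for (TimeZone tz : zones) {
            String raw = folderName(tz, when);
            String safe = sanitize(raw);
            System.out.println(raw + " -> " + check(base, raw));
            System.out.println(safe + " -> " + check(base, safe));
        }
    }
}
```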