Plaso libvshadow error while accessing drive image


CShanahan

Nov 2, 2015, 2:22:37 PM
to log2timeline-discuss
Hello.

I have been experiencing errors that appear to be related to libvshadow while running Plaso against a drive image, as seen below. Searching online doesn't yield any solutions / help.

[INFO] Data files will be loaded from /usr/share/plaso by default.
2015-11-02 10:38:38,044 [WARNING] (MainProcess) PID:24552 <log2timeline> Unable to scan source with error: Unable to open file system with error: pyvshadow_volume_open_file_object: unable to open volume. libvshadow_store_block_read: invalid store block list header identifier. libvshadow_store_descriptor_read_store_header: unable to read store block at offset: 0. libvshadow_volume_open_read: unable to read store: 0 header. libvshadow_volume_open_file_io_handle: unable to read from file IO handle..

The original image is a VMDK file exported from ESX which represents a Win2003 Server system. I have tried the following, but get the same error for each attempt.
    Plaso 1.3 stable - the Windows build from a Win8 system and the deb file from a Ubuntu 14.04 system (Plaso stable repo)
    Plaso 1.3.1_20151008 - the deb file from a Ubuntu 14.04 system (GIFT dev repo)
I tried both versions of Plaso on the original VMDK file as well as two additional formats (raw image and EWF).

The original image is intact. What I mean is, the VMDK represents a physical drive with a single NTFS-formatted file system at sector 2048. I can mount and access the file system using a variety of tools and processes, with the exception of Plaso.

Interestingly, I have experienced the same error with another VMDK file from a different system.

Plaso also fails if I mount the file system and run the tool against the mounted file system (X:), though with different errors.

If I can do anything to help narrow down the issue, please don't hesitate to ask. Thanks.

/Chris


Joachim Metz

Nov 2, 2015, 3:06:58 PM
to CShanahan, log2timeline-discuss
> Interestingly, I have experienced the same error with another VMDK file from a different system.

I don't think this is VMDK related

> The original image is a VMDK file exported from ESX which represents a Win2003 Server system.


So win2k3 does not support VSS (volsnap) but can have the catalog structure within the volume (VSC)

I would be interested in the verbose and debug output of vshadowinfo on the volume

You can mount the VMDK directly with vmdkmount (which is part of libvmdk) and expose a virtual RAW image

In the mean time I'll have a look at some win2k3 images with VSS if time permits.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
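The check below is an added example for the volume-level diagnosis discussed in this reply; it is not code from the thread, from Plaso or from libvshadow. It reads the boot sector of the NTFS volume at the given sector offset (sector 2048 in Chris's image, so a byte offset of 2048 * 512) and the 512-byte VSS volume header that a VSS reader looks for 0x1e00 bytes into the volume, then reports whether a VSS identifier is present and whether the catalog pointer it carries is usable. The field layout (identifier GUID {3808876b-c176-4e48-b7ae-04046e6cc752} at byte 0, version and record type at 16 and 20, catalog offset at 48) is the example author's assumption taken from libvshadow's published format documentation; the sample image it builds is constructed inline and is not the image from the thread, and the `vmdk1` file name is an assumption about vmdkmount's default mount layout.

```python
"""Report whether an NTFS volume inside a raw image carries a VSS volume header
and where that header's catalog pointer points.

Example code, not part of Plaso or libvshadow.  Field positions below are an
assumption based on libvshadow's format documentation; verify them against
that document before relying on them for a real case.
"""
import io
import struct
import uuid

SECTOR_SIZE = 512
VSS_HEADER_OFFSET = 0x1E00          # VSS volume header sits 0x1e00 bytes into the volume
VSS_HEADER_SIZE = 512
VSS_IDENTIFIER = uuid.UUID("3808876b-c176-4e48-b7ae-04046e6cc752")
VSS_RECORD_TYPE_VOLUME_HEADER = 1


def read_at(fobj, offset, size):
    """Read exactly `size` bytes at `offset`; a short read means a truncated image."""
    fobj.seek(offset)
    data = fobj.read(size)
    if len(data) != size:
        raise ValueError("short read at offset %d: wanted %d, got %d" % (offset, size, len(data)))
    return data


def parse_vss_volume_header(header):
    """Return the header fields, or None when the VSS identifier is absent.

    Assumed layout: 0 identifier (16), 16 version (4), 20 record type (4),
    24 current offset (8), 48 catalog offset (8), 56 maximum size (8).
    """
    if uuid.UUID(bytes_le=header[0:16]) != VSS_IDENTIFIER:
        return None
    version, record_type, current_offset = struct.unpack_from("<IIQ", header, 16)
    catalog_offset, maximum_size = struct.unpack_from("<QQ", header, 48)
    return {
        "version": version,
        "record_type": record_type,
        "current_offset": current_offset,
        "catalog_offset": catalog_offset,
        "maximum_size": maximum_size,
    }


def check_volume(fobj, volume_offset, volume_size):
    """Inspect the volume at `volume_offset` and list what a VSS reader would trip on."""
    result = {"is_ntfs": False, "has_vss_header": False, "problems": []}
    boot = read_at(fobj, volume_offset, SECTOR_SIZE)
    result["is_ntfs"] = boot[3:11] == b"NTFS    "        # OEM ID in the NTFS boot sector
    if not result["is_ntfs"]:
        result["problems"].append("no NTFS OEM ID in the boot sector; wrong volume offset?")
    header = read_at(fobj, volume_offset + VSS_HEADER_OFFSET, VSS_HEADER_SIZE)
    fields = parse_vss_volume_header(header)
    if fields is None:
        return result                                      # plain volume, no VSS catalog pointer
    result["has_vss_header"] = True
    result.update(fields)
    if fields["record_type"] != VSS_RECORD_TYPE_VOLUME_HEADER:
        result["problems"].append("unexpected record type %d" % fields["record_type"])
    if fields["catalog_offset"] == 0:
        result["problems"].append("catalog offset is 0: header present but no usable catalog")
    elif fields["catalog_offset"] >= volume_size:
        result["problems"].append("catalog offset lies beyond the end of the volume")
    return result


def build_sample_image(catalog_offset):
    """Constructed test image: empty MBR area, NTFS volume at sector 2048 with a VSS header."""
    volume_offset = 2048 * SECTOR_SIZE
    volume_size = 2 * 1024 * 1024
    image = bytearray(volume_offset + volume_size)
    image[volume_offset + 3:volume_offset + 11] = b"NTFS    "
    h = volume_offset + VSS_HEADER_OFFSET
    image[h:h + 16] = VSS_IDENTIFIER.bytes_le
    struct.pack_into("<IIQ", image, h + 16, 1, VSS_RECORD_TYPE_VOLUME_HEADER, VSS_HEADER_OFFSET)
    struct.pack_into("<QQ", image, h + 48, catalog_offset, volume_size)
    return io.BytesIO(bytes(image)), volume_offset, volume_size


def check_image_file(path, volume_sector):
    """Run the check on a raw image file, e.g. the vmdk1 file vmdkmount exposes (name assumed)."""
    with open(path, "rb") as fobj:
        fobj.seek(0, io.SEEK_END)
        total = fobj.tell()
        volume_offset = volume_sector * SECTOR_SIZE
        return check_volume(fobj, volume_offset, total - volume_offset)


if __name__ == "__main__":
    for label, catalog in (("healthy", 0x100000), ("catalog pointer at 0", 0)):
        fobj, off, size = build_sample_image(catalog)
        print(label, check_volume(fobj, off, size))
```

On a real case the same path applies to the raw view of the VMDK: mount it with `vmdkmount image.vmdk /mnt/vmdk`, point `check_image_file` at the exposed raw file with volume sector 2048, and compare with `vshadowinfo -o 1048576 -v` on that file. A header whose catalog pointer is zero, or points outside the volume, is the kind of state that makes a VSS reader fail while every plain NTFS tool still mounts the volume happily.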

Joachim Metz

Nov 2, 2015, 3:09:05 PM
to CShanahan, log2timeline-discuss

CShanahan

Nov 2, 2015, 4:54:32 PM
to log2timeline-discuss, csha...@gmail.com
On Monday, November 2, 2015 at 3:09:05 PM UTC-5, Joachim Metz wrote:

I'll respond in GitHub. Thanks.


/Chris