Please fix the error in log2timeline!


greyson

Oct 11, 2017, 4:08:27 AM
to log2timeline-discuss
I tried to make a plaso file from the E01 file, but got "ERROR: Unable to determine path to artifact definitions." It will not run with this error.
The version is plaso - log2timeline version 20170930.
The command was log2timeline.py -z Asia / Seoul /home/kim/Desktop/test.plaso '/home/kim/Desktop/tsk.E01'.
Thank you

Joachim Metz

Oct 11, 2017, 5:39:17 AM
to greyson, log2timeline-discuss
Just tell log2timeline.py where to find the artifact definitions with
the "--artifact-definitions" option

greyson

Oct 19, 2017, 1:00:32 AM
to log2timeline-discuss

I typed this: log2timeline.py --artifact_definitions '/home/kim/Desktop/tsk.E01' and got: ERROR: Missing required artifact definition: LinuxPasswdFile


Joachim Metz

Oct 19, 2017, 1:24:27 AM
to greyson, log2timeline-discuss
You forgot to specify the PATH_TO_ARTIFACTS

log2timeline.py --artifact_definitions PATH_TO_ARTIFACTS
'/home/kim/Desktop/tsk.E01'


greyson

Oct 22, 2017, 9:44:56 PM
to log2timeline-discuss

--artifact_definitions PATH_TO_ARTIFACTS does not mean anything. After log2timeline.py, you can specify a plaso file named test.plaso at random, and place the E01 file you want to parse after it. For example: log2timeline test.plaso '/home/kim/Desktop/tsk.E01'. And can you not get a Windows-parsed plaso file into Timesketch on Linux?

Thank you


Joachim Metz

Oct 24, 2017, 2:42:32 AM
to greyson, log2timeline-discuss
I think your translation is messed up. I'm not understanding what
you're asking and you don't seem to understand what I'm telling you.

4033...@live.napier.ac.uk

Nov 27, 2017, 11:28:34 AM
to log2timeline-discuss
Also encountering this error after manually specifying the --artifact_definitions file.

mike@kali:~/plaso$ log2timeline.py -V
plaso - log2timeline version 20171124
mike@kali:~/plaso$

mike@kali:~$ log2timeline.py --artifact_definitions /usr/local/lib/python2.7/dist-packages/plaso-20171124-py2.7.egg/plaso/cli/helpers/artifact_definitions.pyc --parsers win_gen,winxp,winxp_slow winXP2.plaso transfer/winXP.dd
ERROR: Missing required artifact definition: LinuxPasswdFile

usage: log2timeline.py [-h] [-V] [--artifact_definitions PATH] [--data PATH]
                       [--preferred_year YEAR] [-p] [--process_archives]
                       [--skip_compressed_streams] [-f FILE_FILTER]
                       [--hasher_file_size_limit SIZE] [--hashers HASHER_LIST]
                       [--parsers PARSER_LIST] [--yara_rules PATH]
                       [--partition PARTITION] [--partitions PARTITIONS]
                       [--offset IMAGE_OFFSET] [--ob IMAGE_OFFSET_BYTES]
                       [--sector_size BYTES_PER_SECTOR] [-z TIMEZONE]
                       [--no_vss] [--vss_only] [--vss_stores VSS_STORES]
                       [--credential TYPE:DATA] [-d] [-q] [--info]
                       [--use_markdown] [--no_dependencies_check]
                       [--logfile FILENAME] [--status_view TYPE] [-t TEXT]
                       [--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE]
                       [--disable_zeromq] [--single_process]
                       [--temporary_directory DIRECTORY]
                       [--worker-memory-limit SIZE] [--workers WORKERS]
                       [--sigsegv_handler] [--profilers PROFILERS_LIST]
                       [--profiling_directory DIRECTORY]
                       [--profiling_sample_rate SAMPLE_RATE]
                       [--storage_format FORMAT]
                       [STORAGE_FILE] [SOURCE]
mike@kali:~$

mike@kali:~/plaso$ ./run_tests.py
Checking availability and versions of dependencies.
[OK] Crypto version: 2.6.1
[OK] artifacts version: 20171107
[OK] bencode
[OK] binplist version: 0.1.5
[OK] certifi version: 2017.11.05
[OK] chardet version: 3.0.4
[OK] construct version: 2.5.3
[OK] dateutil version: 2.6.1
[OK] dfdatetime version: 20171109
[OK] dfvfs version: 20171022
[OK] dfwinreg version: 20170706
[OK] dpkt version: 1.8
[OK] efilter
[OK] future version: 0.16.0
[OPTIONAL] hachoir_core version: 1.3.3.
[OPTIONAL] hachoir_metadata version: 1.3.3.
[OPTIONAL] hachoir_parser version: 1.3.4.
[OK] idna
[OPTIONAL] missing: lzma.
[OK] pefile version: 2017.11.5
[OK] psutil version: 5.0.1
[OK] pybde version: 20170902
[OK] pyesedb version: 20170121
[OK] pyevt version: 20170120
[OK] pyevtx version: 20170122
[OK] pyewf version: 20140608
[OK] pyfsntfs version: 20170315
[OK] pyfvde version: 20170930
[OK] pyfwnt version: 20170115
[OK] pyfwsi version: 20171103
[OK] pylnk version: 20171101
[OK] pymsiecf version: 20170116
[OK] pyolecf version: 20170825
[OK] pyparsing version: 2.1.10
[OK] pyqcow version: 20170222
[OK] pyregf version: 20170130
[OK] pyscca version: 20170205
[OK] pysigscan version: 20170124
[OK] pysmdev version: 20171112
[OK] pysmraw version: 20171105
[OK] pytsk3 version: 20171108
[OK] pytz
[OK] pyvhdi version: 20170223
[OK] pyvmdk version: 20170226
[OK] pyvshadow version: 20170902
[OK] pyvslvm version: 20160110
[OK] requests version: 2.18.1
[OK] six version: 1.11.0
[OK] pysqlite2.dbapi2 version: 3.21.0
[OK] urllib3 version: 1.22
[OK] xlsxwriter version: 0.9.6
[OK] yaml version: 3.12
[OK] yara version: 3.7.0
[OK] zmq version: 16.0.2

Checking availability and versions of test dependencies.
[OK] mock version: 2.0.0
<snip>

Thoughts... how can I help? :)


Mike

Joachim Metz

Nov 27, 2017, 11:37:02 AM
to 4033...@live.napier.ac.uk, log2timeline-discuss
Mike, this is working as expected:

log2timeline.py --artifact_definitions
/usr/local/lib/python2.7/dist-packages/plaso-20171124-py2.7.egg/plaso/cli/helpers/artifact_definitions.pyc
--parsers win_gen,winxp,winxp_slow winXP2.plaso transfer/winXP.dd

Instead of /usr/local/lib/python2.7/dist-packages/plaso-20171124-py2.7.egg/plaso/cli/helpers/artifact_definitions.pyc,
point this to the directory that contains the YAML files,
which in your case is possibly /usr/local/share/artifacts/
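A pre-flight check for the directory handed to --artifact_definitions, added here as an example; it is not code from the plaso project or from anyone in this thread. Both errors in the thread come from that one option: "Unable to determine path to artifact definitions" when no directory is found, and "Missing required artifact definition: LinuxPasswdFile" when the path points at something other than the directory of YAML definitions (a .pyc module or the .E01 image). The script assumes the ForensicArtifacts layout plaso reads (a directory of .yaml files, each definition carrying a "name:" line), treats /usr/local/share/artifacts and /usr/share/artifacts as assumed default locations, and builds a constructed stand-in definition for LinuxPasswdFile in a temporary directory so the check can be exercised offline. The timezone and paths in main are the ones from the original question, with the timezone written as a single argument.

```shell
#!/bin/sh
# Added example, not from plaso or this thread: validate the directory given
# to log2timeline.py --artifact_definitions before starting a timeline, so a
# wrong path is reported up front instead of as a failed run.
# Assumptions: definitions are YAML files with "name: <Artifact>" lines (the
# ForensicArtifacts layout); the candidate directories below are assumed
# defaults; LinuxPasswdFile is the artifact named in the error in the thread.

# Assumed default locations, checked in order when no directory is given.
ARTIFACT_CANDIDATES="/usr/local/share/artifacts /usr/share/artifacts"

# find_artifact_dir: print the first candidate directory holding at least one
# .yaml file; return 1 when none does (the "Unable to determine path" case).
find_artifact_dir() {
    for dir in $ARTIFACT_CANDIDATES; do
        if [ -d "$dir" ] && ls "$dir"/*.yaml >/dev/null 2>&1; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# check_artifact_dir DIR NAME: return 0 when DIR is a directory of YAML files
# and one of them defines the artifact NAME; 1 otherwise. A .pyc file or an
# .E01 image fails the directory test, an unrelated directory fails the grep.
check_artifact_dir() {
    dir=$1
    name=$2
    [ -d "$dir" ] || return 1
    ls "$dir"/*.yaml >/dev/null 2>&1 || return 1
    grep -q "^name: ${name}\$" "$dir"/*.yaml
}

# build_l2t_command DIR TZ STORAGE SOURCE: print the log2timeline.py command
# line, with the options spelled as the usage text in the thread shows them.
build_l2t_command() {
    printf "log2timeline.py --artifact_definitions '%s' -z '%s' '%s' '%s'\n" \
        "$1" "$2" "$3" "$4"
}

# make_sample_artifact_dir: create a constructed fixture directory with a
# minimal stand-in definition for LinuxPasswdFile and print its path. The
# content is a placeholder, not the real definition from the artifacts package.
make_sample_artifact_dir() {
    fixture=$(mktemp -d)
    cat > "$fixture/linux.yaml" <<'EOF'
name: LinuxPasswdFile
doc: Constructed sample definition (placeholder for the real artifact).
sources:
- type: FILE
  attributes:
    paths: ['/etc/passwd']
supported_os: [Linux]
EOF
    printf '%s\n' "$fixture"
}

# main [ARTIFACT_DIR]: run the check, then print the command that would run.
main() {
    dir=${1:-$(find_artifact_dir)} || { echo "no artifact definitions directory found" >&2; exit 1; }
    if check_artifact_dir "$dir" LinuxPasswdFile; then
        build_l2t_command "$dir" Asia/Seoul /home/kim/Desktop/test.plaso /home/kim/Desktop/tsk.E01
    else
        echo "ERROR: $dir does not define LinuxPasswdFile; point --artifact_definitions at the YAML directory" >&2
        exit 1
    fi
}

# Only run main when invoked with an argument, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as "sh check_artifacts.sh /usr/local/share/artifacts"; it prints the full log2timeline.py command when the directory is usable and a one-line reason when it is not.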