log2timeline processing troubleshoot

[Kaitlyn Kelly]

Hi,

Does anyone know how to make plaso run more efficiently. I have a 500Gb image that I ran using log2timeline.exe --workser 2  output.plaso "path to .E01"
I'm using windows 7 and plaso 1.3.0. Right now its taking over 1 hr to run and hasn't finished yet. If anyone can point me in the right direction, would appreciate it.

Thanks,

Kaitlyn

[Andrew Kempster]

Hi Kaitlyn,

Personally, I've seen images smaller than that taking a lot longer. It depends on what kind of data is being processed. 

How many cores do you have available on your system? I see you're limiting it to two. Is there a particular reason for that?

Thanks,

Andrew

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Joachim Metz]

> Does anyone know how to make plaso run more efficiently.

This depends on numerous factors?

* 1 we recommend running the latest version of plaso, seeing we are nearing a 1.5 RC I opt to wait for the RC or at least try 1.4

* 2. try "workers" instead of "workser"

* if you are running plaso without specifying which parsers and expecting quick results, change your tactics, also read: FYI: http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html

* sometimes mounting the E01 with ewfmount can speed things up, depends on the amount of memory available

* general tip, improve system resources, more CPUs, more memory, read and write from fast disks (SSD), etc.

On Mon, Aug 8, 2016 at 7:54 PM, Andrew Kempster <and.ke...@gmail.com> wrote:

Hi Kaitlyn,

Personally, I've seen images smaller than that taking a lot longer. It depends on what kind of data is being processed. 

How many cores do you have available on your system? I see you're limiting it to two. Is there a particular reason for that?

Thanks,

Andrew

On 8 Aug 2016, at 18:21, Kaitlyn Kelly <kateke...@gmail.com> wrote:

Hi,

Does anyone know how to make plaso run more efficiently. I have a 500Gb image that I ran using log2timeline.exe --workser 2  output.plaso "path to .E01"
I'm using windows 7 and plaso 1.3.0. Right now its taking over 1 hr to run and hasn't finished yet. If anyone can point me in the right direction, would appreciate it.

Thanks,

Kaitlyn

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.
To post to this group, send email to log2timeline-discuss@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.
To post to this group, send email to log2timeline-discuss@googlegroups.com.

[and.ke...@gmail.com]

What Joachim said. 

Also, if you remove the 'workers' switch (so run without invoking 'workers=2') it will use all system cores minus two (I think), so in your case it'll run with 30 cores (if I'm wrong, please somebody correct me). That's a massive jump on what you're using now, and you should see a huge improvement. 

But also follow Joachim's suggestions. 

A

Sent from my iPad

[Kaitlyn Kelly]

Thanks everyone for the help. I had one (hopefully) last question regarding psort. When i try running it against the output.plaso file and trying to output elastic format:

I get a Unsuported output format: elastic

Command: psort.exe -o elastic output.plaso

To post to this group, send email to log2timeli...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.

To post to this group, send email to log2timeli...@googlegroups.com.

[Joachim Metz]

> I get a Unsuported output format: elastic

That's because it is an optional output module

psort.exe -o list

should show you it is disabled.

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsubscrib...@googlegroups.com.

To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsubscrib...@googlegroups.com.

[Kaitlyn Kelly]

I'm seeing it under the disabled section. Is there a way to enable it?

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.

To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.

To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-discuss+unsub...@googlegroups.com.

[sandeepak Harddy]

Hi,

i am very new to log2timeline and psort tools.

I want to install and use these tools in windows OS .can you let me know that how i can do it.

Actually i try to install development release module of log2timeline and plaso by using the step given by github but it does not work.

please reply me.if you know regarding that.

[Joachim Metz]

Seeing you are new to plaso I opt to stick with the packaged release version.

Some links to get you stared:
https://github.com/log2timeline/plaso/wiki/Users-Guide#how-to-get-started
https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release

> --
> You received this message because you are subscribed to the Google Groups
> "log2timeline-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to log2timeline-dis...@googlegroups.com.

[sandeepak Harddy]

thanks for reply me.

I try to work with package release version.I download the plaso-1.5.1-win32-vs2008.zip file and extract it and download and install  the corresponding Visual C++ Redistributable package .then i try to run the tools like image_export,log2timeline,pinfo and psort tools from Visual c++ cmd prompt and it shows error Missing source path.

can you let me know that how can i use these tools.

 

> email to log2timeline-discuss+unsub...@googlegroups.com.

[Joachim Metz]

It's on the wiki, for example
https://github.com/log2timeline/plaso/wiki/Using-log2timeline

On Wed, Oct 4, 2017 at 12:05 PM, sandeepak Harddy

>> > email to log2timeline-dis...@googlegroups.com.

>> > To post to this group, send email to log2timeli...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>

> --
> You received this message because you are subscribed to the Google Groups
> "log2timeline-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to log2timeline-dis...@googlegroups.com.