Plaso getting stuck while processing E01 Image

[Adarsh]

Hello All,

I was trying to run plaso on windows with E01 image, But at some point it is getting stuck and the cmd prompt becomes not responding. With DD image, its running fine.

Earlier I was running with E01 splitted image, so I thought its getting stuck because of that reason, but the problem continues even with the single E01 image file. I tried with different images on different system but same issue was there.

Please suggest me what should I do to get proper output.

I am running the plaso cmd in following way: log2timeline.exe -Z GMT /.../Outpt.dump  /.../ImageFile.E01

Note:

I am also attaching the screenshots where cmd prompt becoming unresponsive. 

Thanks in Advance

Adarsh

[Joachim Metz]

any tracebacks in the output or indication of a worker suddenly dying?

Also see: https://github.com/log2timeline/plaso/wiki/Troubleshooting

--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Kristinn Gudjonsson]

You can also try to mount the disk image and run the tool against the mount point (as an opposed to running it against the disk image) and see if that helps.

What version of the tool are you running? The last release?

And this is also a known issue that we are working on, happens every now and then and we are debugging where the issue(s) lie so that we can fix them,

[Adarsh]

Kristinn,

I am using the last release (v 1.2.0). Even i tried it on SIFT v3.0, and it was same. And Related to mounting I am having a query, like will there be any change in query or what will be the query to run over the mounted.

Joachim,

How can i identify the traceback in the output. I am not aware about it. I just started with this tool, so if you can guide me that will be great.

[Joachim Metz]

> And Related to mounting I am having a query, like will there be any change in query or what will be the query to run over the mounted.

Not sure what you mean, but if you're asking how to run log2timeline.py on the mounted image, volume or file system,

the same as you run log2timeline.py on the image (maybe some other parameters) e.g.

log2timeline.py mounted/ewf1

> How can i identify the traceback in the output. I am not aware about it. I just started with this tool, so if you can guide me that will be great.

It will literally state it is a "Traceback" e.g. 

Traceback (most recent call last):

  File "<stdin>", line 1, in <module>

ValueError: invalid literal for int() with base 10: 'a'

[Adarsh]

Sorry Joachim, I misunderstood the "Traceback" with something else. Now I got it. 

No its not showing anything, its just getting stuck while parsing (as shown in screenshots). If I check under running processes at the same time, its shows its running but on screen its not reflecting any thing, even i left the system to run this for few hours but even that also didn't work. And at the end I have to terminate the cmd prompt forcefully.

[Joachim Metz]

Likely related to https://github.com/log2timeline/plaso/issues/71