Unable to run log2timeline.py on a new AWS AMI SIFT workstation. #646

Open
EW2025 opened this issue Dec 26, 2024 · 1 comment


EW2025 commented Dec 26, 2024

Describe the problem:
My infrastructure team has recently installed a new SIFT workstation from an AMI directly out of the AWS marketplace. I was expecting to be able to use log2timeline.py right out of the box. However, I am being presented with a call stack error when attempting to run log2timeline.


I realize that the below is only attempting to run the python with no file or switches, but it does not matter what I attempt to run, even log2timeline.py -h will not execute to give me the help menu information.

sansforensics@ip-*************:/$ log2timeline.py -h
Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 11, in <module>
    from plaso.cli import log2timeline_tool
  File "/usr/lib/python3/dist-packages/plaso/cli/log2timeline_tool.py", line 14, in <module>
    from plaso.cli import extraction_tool
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 20, in <module>
    from plaso import parsers  # pylint: disable=unused-import
  File "/usr/lib/python3/dist-packages/plaso/parsers/__init__.py", line 63, in <module>
    from plaso.parsers import text_plugins
  File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/__init__.py", line 4, in <module>
    from plaso.parsers.text_plugins import android_logcat
  File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 78, in <module>
    class AndroidLogcatTextPlugin(
  File "/usr/lib/python3/dist-packages/plaso/parsers/text_plugins/android_logcat.py", line 87, in AndroidLogcatTextPlugin
    _INTEGER = pyparsing.Word(pyparsing.nums).set_parse_action(
AttributeError: '_WordRegex' object has no attribute 'set_parse_action'. Did you mean: 'setParseAction'?

To Reproduce:
Install AWS SIFT workstation, connect via SSH and attempt to run log2timeline -h

The version of Plaso you used:
sansforensics@ip-**********:/$ apt-cache showpkg plaso
Package: plaso
Versions:
20201007-2 (/var/lib/apt/lists/us-east-1.ec2.archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages)
Description Language:
File: /var/lib/apt/lists/us-east-1.ec2.archive.ubuntu.com_ubuntu_dists_jammy_universe_binary-amd64_Packages
MD5: 58eb9a8e184b801f77c2f41f8364007f
Description Language: en
File: /var/lib/apt/lists/us-east-1.ec2.archive.ubuntu.com_ubuntu_dists_jammy_universe_i18n_Translation-en
MD5: 58eb9a8e184b801f77c2f41f8364007f

Reverse Depends:
python3-plaso,plaso 20190131-2~
python3-plaso,plaso 20190131-2~
forensics-all,plaso
Dependencies:
20201007-2 - python3-plaso (2 20201007-2)
Provides:
20201007-2 -
Reverse Provides:


The operating system you are running Plaso on (Not the operating system of the image/files you're trying to analyze):

PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Steps to reproduce the behavior including command line and arguments and output:

First I ran log2timeline.py --help, which provided me the following output ...

Please provide the source data you used when you experienced the problem. For publicly available data please provide a URL or path of the source data.
N/A

The method you used to install Plaso:
Plaso is configured as part of the pre-packaged AWS SIFT AMI from the marketplace. I did not install it on this machine.


Expected behavior:


I expected the python to (in this case) output the switches available. I have this installed on another completely separate Ubuntu desktop and manually installed the SIFT workstation and things are working as expected. I am just unable to replicate the same processing results when using the AWS SIFT ami installation.


@mpilking

@EW2025 please see the following issue for likely fixes: #627

To summarize, running sudo python3 -m pip install "pyparsing>=3.0.0" should fix the issue.
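The traceback above is an API mismatch: Plaso's parsers call pyparsing's snake_case `set_parse_action`, which only exists from pyparsing 3.0 onward, while the Ubuntu 22.04 package ships an older pyparsing that exposes only the camelCase `setParseAction`. The following Python diagnostic is an added example, not part of the issue thread or of Plaso itself: it reports the installed pyparsing version and whether a `Word` element really carries `set_parse_action`, and shows a small wrapper that attaches a parse action under either API generation. The `OldStyleWord`/`NewStyleWord` classes are constructed stand-ins so the wrapper can be exercised offline without any particular pyparsing installed; the minimum version mirrors the `pyparsing>=3.0.0` given in the reply.

```python
"""Added diagnostic (not Plaso's code): check whether the installed pyparsing
exposes the PEP 8-style API (set_parse_action) that Plaso's parsers call, and
show a wrapper that works on both pyparsing 2.x and 3.x."""
import importlib
import re

# pyparsing 3.0.0 introduced the snake_case method names; this mirrors the
# "pyparsing>=3.0.0" requirement given in the issue reply.
REQUIRED_PYPARSING = (3, 0, 0)


def parse_version(text):
    """Reduce a version string such as '2.4.7' or '3.1.2b1' to a 3-tuple of ints."""
    numbers = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        numbers.append(int(match.group()))
    numbers += [0] * (3 - len(numbers))
    return tuple(numbers[:3])


def has_snake_case_api(element):
    """True if a pyparsing element carries set_parse_action (pyparsing >= 3.0)."""
    return hasattr(element, "set_parse_action")


def set_parse_action_compat(element, action):
    """Attach a parse action using whichever method name the element provides.

    pyparsing 3 offers set_parse_action; pyparsing 2 only has setParseAction.
    Calling the wrong one raises the AttributeError seen in the traceback.
    """
    setter = getattr(element, "set_parse_action", None)
    if setter is None:
        setter = getattr(element, "setParseAction")
    return setter(action)


def diagnose(module_name="pyparsing"):
    """Inspect the installed pyparsing; returns None if it cannot be imported.

    The returned dict tells you whether the version meets the minimum and
    whether a Word element actually exposes set_parse_action.
    """
    try:
        module = importlib.import_module(module_name)
    except ImportError:
        return None
    version = parse_version(getattr(module, "__version__", "0"))
    word = module.Word(module.nums)  # same construct Plaso uses for _INTEGER
    return {
        "version": version,
        "meets_minimum": version >= REQUIRED_PYPARSING,
        "has_set_parse_action": has_snake_case_api(word),
    }


# Constructed stand-ins for the two API generations so the compat wrapper can
# be exercised offline without any particular pyparsing installed.
class OldStyleWord:
    """Mimics pyparsing 2.x: camelCase method only."""

    def __init__(self):
        self.action = None

    def setParseAction(self, fn):
        self.action = fn
        return self


class NewStyleWord(OldStyleWord):
    """Mimics pyparsing 3.x: snake_case method (camelCase kept as an alias)."""

    def set_parse_action(self, fn):
        return self.setParseAction(fn)


if __name__ == "__main__":
    result = diagnose()
    if result is None:
        print("pyparsing is not installed")
    else:
        print(result)
```

Run it with the same interpreter that executes `log2timeline.py` (`python3 -c` or `python3 diagnose.py` on the SIFT host); a result with `meets_minimum: False` or `has_set_parse_action: False` confirms the distribution package is too old for the installed Plaso, and the `pip install "pyparsing>=3.0.0"` from the reply is the matching remedy.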
