Comments (6)
The likely reason for these errors is that psort is failing to create the SuperTimeline. Try copying and pasting the psort command that is in the log file into a command shell to see if it is successful. If it is not then I suggest using the statically compiled version of Plaso instead of the dev version.
If you want a quick test of your dev Plaso version you can run "run_tests.py" (included in the Plaso dev build code on github) to make sure that your current build has no errors.
from cdqr.
Can you provide the log file so I can look into this in more detail please? Also, did you try the psort command to see if it works by itself? It should be formatted like this, "psort -o l2tcsv filename.db -w supertimeline.csv" Knowing if that works by itself would help troubleshooting greatly.
from cdqr.
Here are the log files
Worker_00 (PID: 4728) - events extracted: 3921518 - file: TSK:/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000002 - running: True
Worker_01 (PID: 2368) - events extracted: 4756614 - file: TSK:/System Volume Information/EfaSIDat/SYMEFA.DB - running: True
Worker_02 (PID: 4352) - events extracted: 3725294 - file: TSK:/System Volume Information/Syscache.hve - running: True
Worker_03 (PID: 2080) - events extracted: 4563827 - file: TSK:/$Extend/$UsnJrnl:$J - running: True
Processing completed.
[ERROR] Processing stopped early: [Errno 28] No space left on device.
close failed in file object destructor:
IOError: [Errno 28] No space left on device
CDQR Version: 2.01
Using parser: win
Number of cpu cores to use: 4
Source data: E:\image\image01.001
Destination Folder: Results
Database File: Results\image01.001.db
Processing started at: 2016-03-29 18:27:40.806754
Parsing image
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\log2timeline.exe" "-p" "--partition" "all" "--vss_stores" "all" "--parsers" "appcompatcache,bagmru,binary_cookies,ccleaner,chrome_cache,chrome_cookies,chrome_extension_activity,chrome_history,chrome_preferences,explorer_mountpoints2,explorer_programscache,filestat,firefox_cache,firefox_cache2,firefox_cookies,firefox_downloads,firefox_history,google_drive,java_idx,mcafee_protection,mft,mrulist_shell_item_list,mrulist_string,mrulistex_shell_item_list,mrulistex_string,mrulistex_string_and_shell_item,mrulistex_string_and_shell_item_list,msie_zone,msiecf,mstsc_rdp,mstsc_rdp_mru,opera_global,opera_typed_history,prefetch,recycle_bin,recycle_bin_info2,rplog,safari_history,symantec_scanlog,userassist,usnjrnl,windows_boot_execute,windows_boot_verify,windows_run,windows_sam_users,windows_services,windows_shutdown,windows_task_cache,windows_timezone,windows_typed_urls,windows_usb_devices,windows_usbstor_devices,windows_version,winevt,winevtx,winfirewall,winjob,winrar_mru,winreg,winreg_default" "--hashers" "none" "--workers" "4" "Results\image01.001.db" "E:\image\image01.001"
Parsing ended at: 2016-04-03 13:54:11.562412
Parsing duration was: 4 days, 19:26:30.755658
Creating the SuperTimeline CSV file
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\psort.exe" "-o" "l2tcsv" "Results\image01.001.db" "-w" "Results\image01.001.SuperTimeline.csv"
SuperTimeline CSV file is created
Creating the individual reports
from cdqr.
I see what the problem is.
"[ERROR] Processing stopped early: [Errno 28] No space left on device.
close failed in file object destructor:
IOError: [Errno 28] No space left on device"
It appears that there was not enough room to write the file. Try a new
output location with more space.
On Mon, Apr 4, 2016, 11:40 PM hacker4x [email protected] wrote:
from cdqr.
"C:\bin\CDQR Winx64 with Plaso MSVC 2010\plaso\psort.exe" "-o" "l2tcsv"
"Results\image01.001.db" "-w" "Results\image01.001.SuperTimeline.csv"
I tried this one but it still can't create the individual reports. It is able to generate supertimeline.csv, but its size is 2.5 GB, so I am not able to open it. I need the individual reports. Please help me.
from cdqr.
First make sure you have at least 3GB of space open to create the sub reports. Make sure you have CDQR version 2.01. You can restart cdqr on the same image file and point it at the same results folder. CDQR will prompt you about using the same folder and keeping the existing files. This will take multiple prompts and the default options are to keep all files. Ensure you select the option to keep your existing files. It will use the super timeline you've created to make the individual reports. I highly recommend making a copy of the super timeline and .db file before doing this.
from cdqr.
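An added example, not CDQR's or Plaso's own code, covering the two things this thread turns on: refusing to start when the destination lacks the free space psort needs (the `[Errno 28]` failure above), and streaming a multi-gigabyte l2tcsv supertimeline into smaller per-sourcetype CSV reports without loading it into memory. The split-by-`sourcetype` rule, the 3 GB default threshold and the sample rows are assumptions, not how CDQR builds its reports.

```python
import csv
import os
import shutil
import tempfile

# Column layout written by "psort -o l2tcsv" (17 fields).
L2T_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
              "user", "host", "short", "desc", "version", "filename", "inode",
              "notes", "format", "extra"]

# Constructed sample rows; not taken from the image discussed in the thread.
SAMPLE_L2TCSV = "\n".join([
    ",".join(L2T_FIELDS),
    "03/29/2016,18:27:40,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,host1,USN,USN change,2,TSK:/$Extend/$UsnJrnl:$J,0,-,usnjrnl,-",
    "03/29/2016,18:28:01,UTC,.A..,LOG,WinEVTX,Content Modification Time,-,host1,Event,Event 4624,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-",
    "03/29/2016,18:28:05,UTC,M...,FILE,NTFS USN change,Content Modification Time,-,host1,USN,USN change,2,TSK:/$Extend/$UsnJrnl:$J,0,-,usnjrnl,-",
]) + "\n"

def ensure_free_space(folder, needed_bytes):
    """Fail before writing if the destination cannot hold the output (ENOSPC seen in the thread)."""
    free = shutil.disk_usage(folder).free
    if free < needed_bytes:
        raise OSError(28, f"need {needed_bytes} bytes free in {folder}, have {free}")
    return free

def enospc_detected(folder=".", needed=1 << 62):
    """True if the pre-flight check correctly reports errno 28 for an impossible requirement."""
    try:
        ensure_free_space(folder, needed)
        return False
    except OSError as err:
        return err.errno == 28

def split_supertimeline(csv_path, out_dir, min_free_bytes=3 * 1024 ** 3):
    """Stream the supertimeline once and write one CSV per sourcetype; returns rows written per file."""
    ensure_free_space(out_dir, min_free_bytes)
    writers, handles, counts = {}, {}, {}
    try:
        with open(csv_path, newline="", encoding="utf-8") as fh:
            for row in csv.DictReader(fh):
                key = "".join(c if c.isalnum() else "_" for c in row["sourcetype"])  # safe file name
                if key not in writers:
                    handles[key] = open(os.path.join(out_dir, f"{key}.csv"), "w", newline="", encoding="utf-8")
                    writers[key] = csv.DictWriter(handles[key], fieldnames=L2T_FIELDS)
                    writers[key].writeheader()
                    counts[key] = 0
                writers[key].writerow(row)
                counts[key] += 1
    finally:
        for handle in handles.values():
            handle.close()
    return counts

def demo():
    """Write the constructed sample to a temp folder and split it (threshold lowered so it runs anywhere)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "SuperTimeline.csv")
    with open(src, "w", newline="", encoding="utf-8") as fh:
        fh.write(SAMPLE_L2TCSV)
    return split_supertimeline(src, tmp, min_free_bytes=1)
```

Point `split_supertimeline` at the real `Results\image01.001.SuperTimeline.csv` with the default threshold to get one manageable file per artifact type instead of a single 2.5 GB CSV.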