cdqr docker helper doesn't about skadi HOT 4 OPEN

Hi @boingomw,
This is a fantastic question! TL;DR you've already found the recommended solution

Why does it work?
It works because the -v volume mount creates a link between the container and the host machine. If it's a folder then everything in the folder can be seen by the container while if it's a file then only that file can be seen. So the CDQR helper script does -v /tmp/cfreds_2015_data_leakage_pc.E01:/tmp/cfreds_2015_data_leakage_pc.E01 which is just the file but -v /tmp/:/tmp: shares everything in the /tmp folder.

I don't have all of the details but I can take a guess that there is more than one file in that disk image (E01, E02, E03, E0x, etc). The CDQR helper script makes the assumption that what is passed with in:<file or folder> is a file or folder. Now this creates a problem for multiple file disk images as Plaso must be pointed at the first file in the chain, such as filename.E01, for it to process it as a disk image but it is actually comprised of multiple files. If it is pointed at the folder then Plaso assumes it's not a disk image and does basic filestat information on each file in the folder (not really what is wanted in your case by any means but exactly how Plaso should behave). This results in the helper script not being able to handle the request in the way the user is would like.

ALL HOPE IS NOT LOST!
The CDQR helper scripts cannot account for every situation and the reason it prints the docker commands to stdout is to enable everyone to learn how to use the aorlikoski/cdqr docker image in more advanced ways by using the native docker commands when there is a situation it cannot handle.

I'm really happy to see that has helped get you to this point as learning how to use the Docker commands opens amazing and new ways to use aorlikoski/cdqr. You've already found the solution I would recommend and it is something that can be turned into a custom script for personal use (or create a script for the community or add it into the helper script and file a PR to this repo to share with the community!). I'm all about supporting those who want to learn so please keep in touch and happy to help.

from skadi.

I also see that this was based off an example I have in the wiki. I'll take an action to go update that too. In the mean time try this wiki https://github.com/orlikoski/Skadi/wiki/Analyzing-Data-in-Three-Easy-Steps

from skadi.

@boingomw based off the info @orlikoski provided above did it answer your question? We will still work on getting that wiki updated.

Thanks

from skadi.

Yup. it helped, thanks.

from skadi.