log2timeline.py: error: unrecognized arguments: Results/artifacts/host1

[alexzorila]

Hi Alan,

CDQR Version: 20191226 errors out when used with Plaso Version: 20220428. Replicated on Ubuntu 20.04 and Kali 2022.2.

• Error message: "log2timeline.py: error: unrecognized arguments: Results/artifacts/host1"
• Troubleshooting suggests this has to do with the arguments of this version of log2timeline.py that requires '--storage_file' before the path to the Plaso DB is specified.

Full Error Output:

user@vm:~/CDQR/src/Results$ cat host1.log 
usage: log2timeline.py [-h] [--troubles] [-V] [--artifact_definitions PATH]
                       [--custom_artifact_definitions PATH] [--data PATH]
                       [--artifact_filters ARTIFACT_FILTERS]
                       [--artifact_filters_file PATH] [--preferred_year YEAR]
                       [--process_archives] [--skip_compressed_streams]
                       [-f FILE_FILTER] [--hasher_file_size_limit SIZE]
                       [--hashers HASHER_LIST]
                       [--parsers PARSER_FILTER_EXPRESSION]
                       [--yara_rules PATH] [--partitions PARTITIONS]
                       [--volumes VOLUMES] [--language LANGUAGE_TAG]
                       [--no_extract_winevt_resources] [-z TIME_ZONE]
                       [--no_vss] [--vss_only] [--vss_stores VSS_STORES]
                       [--credential TYPE:DATA] [-d] [-q] [-u] [--info]
                       [--use_markdown] [--no_dependencies_check]
                       [--logfile FILENAME] [--status_view TYPE] [-t TEXT]
                       [--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE]
                       [--single_process] [--process_memory_limit SIZE]
                       [--temporary_directory DIRECTORY] [--vfs_back_end TYPE]
                       [--worker_memory_limit SIZE] [--worker_timeout MINUTES]
                       [--workers WORKERS] [--sigsegv_handler]
                       [--profilers PROFILERS_LIST]
                       [--profiling_directory DIRECTORY]
                       [--profiling_sample_rate SAMPLE_RATE]
                       [--storage_file PATH] [--storage_format FORMAT]
                       [--task_storage_format FORMAT]
                       [SOURCE]
log2timeline.py: error: unrecognized arguments: Results/artifacts/host1
CDQR Version: 20191226
Plaso Version: 20220428
Using parser: win
Number of cpu cores to use: 4
Destination Folder: Results
Source data: Results/artifacts/host1
Log File: Results/host1.log
Database File: Results/host1.plaso
SuperTimeline CSV File: Results/host1.SuperTimeline.csv

Start time  was: 2022-06-25 18:20:55.086696
Processing started at: 2022-06-25 18:20:55.086861
Parsing image
"log2timeline.py" "--partition" "all" "--vss_stores" "all" "--status_view" "linear" "--parsers" "bash_history,bencode,czip,esedb,filestat,lnk,mcafee_protection,olecf,pe,prefetch,recycle_bin,recycle_bin_info2,sccm,sophos_av,sqlite,symantec_scanlog,winevt,winevtx,webhist,winfirewall,winjob,winreg,zsh_extended_history" "--hashers" "md5" "--workers" "4" "--logfile" "Results/host1_log2timeline.gz" "Results/host1.plaso" "Results/artifacts/host1" "--no_dependencies_check"
ERROR: There was a problem. See details in log.

Thank you for all the work you put into your tools to make forensics more accessible!

Hope this helps,
Alex

[alexzorila]

Opened #60 that appends '--storage-file' before plaso db_file in log2timeline command1 variable.