Quick Fixes for plaso / Log2timeline Error: Key Troubleshooting on Ubuntu

Title: Post-SANS 608: Troubleshooting Log2timeline on Ubuntu

After recently earning the SANS 608 GIAC Enterprise Incident Response (GEIR) certification, I didn’t want to get complacent. The real world and real incidents won’t stop. Although the SANS FOR608 course provided a structured lab with preloaded evidence, I wanted to engage better with tools in my own space, using real-world data.

For my analysis environment, I decided to use the FOR608 SIFT Ubuntu VM—the Ubuntu-based virtual machine that SANS provides as part of the course. This VM comes pre-loaded with an array of tools and sample evidence files. If you’re considering setting up your own environment, you can download a pre-built VM or build your own using the guide from SANS here.

One thing I recommend before making any modifications or installing additional tools is to take a snapshot of your VM. Taking a snapshot means you can revert to a clean state if you break something, which is a lifesaver when experimenting with new tools and dependencies. I did this right before installing log2timeline (now called plaso), a powerful tool for creating timelines from various digital artifacts.

Issues with log2timeline and how to troubleshoot them

After installing log2timeline, I attempted to run it, but instead, I encountered an error:

Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 11, in <module>
    from plaso.cli import log2timeline_tool
  File "/usr/lib/python3/dist-packages/plaso/cli/log2timeline_tool.py", line 12, in <module>
    from plaso import output  # pylint: disable=unused-import
  File "/usr/lib/python3/dist-packages/plaso/output/__init__.py", line 5, in <module>
    from plaso.output import json_line
  File "/usr/lib/python3/dist-packages/plaso/output/json_line.py", line 10, in <module>
    from plaso.output import shared_json
  File "/usr/lib/python3/dist-packages/plaso/output/shared_json.py", line 9, in <module>
    from plaso.serializer import json_serializer
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 18, in <module>
    from dfvfs.vfs import tsk_file_entry  # pylint: disable=unused-import
  File "/usr/lib/python3/dist-packages/dfvfs/vfs/tsk_file_entry.py", line 185, in <module>
    class TSKFileEntry(file_entry.FileEntry):
  File "/usr/lib/python3/dist-packages/dfvfs/vfs/tsk_file_entry.py", line 257, in TSKFileEntry
    pytsk3.TSK_FS_ATTR_TYPE_APFS_COMP_REC,
AttributeError: module 'pytsk3' has no attribute 'TSK_FS_ATTR_TYPE_APFS_COMP_REC'

(Use Control-F to see if some of the keywords in your error message match what I got)

My research showed this happens because the installed pytsk3 does not define the constant TSK_FS_ATTR_TYPE_APFS_COMP_REC that dfvfs (which plaso imports) references when it loads.

This usually happens when pytsk3 is outdated or incompatible with the current version of plaso or log2timeline.

Since SANS had pinned specific versions to make sure everything played nicely in the lab, and I was attempting to use the August 27 2024 version, I am not surprised there were errors. Now that I'm done with the course, though, I am OK with breaking things, as that is what is going to happen in my day-to-day work as well.

Log2timeline uses the Python library pytsk3, so my first step was to upgrade it and see what happened. This is my home lab, not work, so I am fine with upgrading packages to see whether that fixes it. I'm doing this before work and I want to get forensicating!

If it breaks more tools, I can always revert to my snapshot.

Commands I ran to upgrade the library:

pip install --upgrade pytsk3

sudo apt-get update

sudo apt-get install --only-upgrade plaso-tools
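The diagnosis above can be turned into a repeatable pre-flight check that you run before log2timeline.py, so a stale pytsk3 is caught up front rather than in a traceback. The script below is an added example, not plaso's own dependency check: it pulls the module and attribute name out of a pasted AttributeError line (accepting the curly quotes WordPress puts into copied output), tests whether the installed pytsk3 actually defines the constant dfvfs asked for, and reports the installed versions of pytsk3, dfvfs and plaso. The only constant it knows about is the one from the traceback on this page; the list is an assumption you extend by hand if a newer dfvfs complains about a different name.

```python
"""Pre-flight check for a plaso / log2timeline install (added example).

Reproduces, as a script, the diagnosis walked through in the post: does the
installed pytsk3 expose the constant that dfvfs references at import time?
"""
import importlib
import re
from importlib import metadata
from types import SimpleNamespace

# Name taken from the AttributeError on this page. Assumption: this list is
# maintained by hand; plaso's own dependency check is not consulted.
REQUIRED_PYTSK3_ATTRS = ("TSK_FS_ATTR_TYPE_APFS_COMP_REC",)

# Pasted errors often carry curly quotes; map them back to straight quotes
# before matching so one pattern handles both.
_QUOTE_MAP = str.maketrans("\u2018\u2019\u201c\u201d", "''\"\"")
_ATTR_ERROR = re.compile(
    r"module '(?P<module>[\w.]+)' has no attribute '(?P<attribute>\w+)'"
)


def parse_attribute_error(text):
    """Return (module, attribute) from an AttributeError line, or None."""
    match = _ATTR_ERROR.search(text.translate(_QUOTE_MAP))
    if not match:
        return None
    return match.group("module"), match.group("attribute")


def missing_attributes(module, names=REQUIRED_PYTSK3_ATTRS):
    """Return the names in `names` that `module` does not define."""
    return [name for name in names if not hasattr(module, name)]


def installed_version(dist_name):
    """Version string of an installed distribution, or None if absent."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def check_pytsk3(module=None, names=REQUIRED_PYTSK3_ATTRS):
    """Import pytsk3 (or use the module passed in) and report what is missing.

    Returns {"ok": bool, "missing": [names], "version": str or None}.
    A missing constant means pytsk3 predates what dfvfs expects and should
    be upgraded before log2timeline.py is run.
    """
    if module is None:
        try:
            module = importlib.import_module("pytsk3")
        except ImportError:
            return {"ok": False, "missing": list(names), "version": None}
    missing = missing_attributes(module, names)
    return {
        "ok": not missing,
        "missing": missing,
        "version": installed_version("pytsk3"),
    }


def stub_module(**constants):
    """Build a fake module with the given constants (for testing offline)."""
    return SimpleNamespace(**constants)


if __name__ == "__main__":
    for dist in ("pytsk3", "dfvfs", "plaso"):
        print(f"{dist:8s} {installed_version(dist) or 'not installed'}")
    report = check_pytsk3()
    if report["ok"]:
        print("pytsk3 exposes every constant dfvfs needs; run log2timeline.py")
    else:
        print("upgrade pytsk3 first, missing:", ", ".join(report["missing"]))
```

Run it on the SIFT VM as `python3 preflight.py`; if it reports a missing constant, upgrade pytsk3 and re-run it before touching log2timeline.py again. Because `check_pytsk3` accepts a module object, the same function can be pointed at a stub to confirm the check itself behaves as expected without pytsk3 installed.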

After this, I ran log2timeline.py again and saw this:

2024-10-31 21:02:54,274 [INFO] (MainProcess) PID:195033 <data_location> Determined data location: /usr/share/plaso

2024-10-31 21:02:54,282 [INFO] (MainProcess) PID:195033 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts

ERROR: Missing source path.

usage: log2timeline.py [-h] [--troubles] [-V] [--artifact_definitions PATH] [--custom_artifact_definitions PATH] [--data PATH]
                       [--artifact_filters ARTIFACT_FILTERS] [--artifact_filters_file PATH] [--preferred_year YEAR]
                       [--process_archives] [--skip_compressed_streams] [-f FILE_FILTER] [--hasher_file_size_limit SIZE]
                       [--hashers HASHER_LIST] [--parsers PARSER_FILTER_EXPRESSION] [--yara_rules PATH]
                       [--partitions PARTITIONS] [--volumes VOLUMES] [--language LANGUAGE_TAG] [--no_extract_winevt_resources]
                       [-z TIME_ZONE] [--no_vss] [--vss_only] [--vss_stores VSS_STORES] [--credential TYPE:DATA] [-d] [-q] [-u]
                       [--info] [--use_markdown] [--no_dependencies_check] [--logfile FILENAME] [--status_view TYPE] [-t TEXT]
                       [--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE] [--single_process] [--process_memory_limit SIZE]
                       [--temporary_directory DIRECTORY] [--vfs_back_end TYPE] [--worker_memory_limit SIZE]
                       [--worker_timeout MINUTES] [--workers WORKERS] [--sigsegv_handler] [--profilers PROFILERS_LIST]
                       [--profiling_directory DIRECTORY] [--profiling_sample_rate SAMPLE_RATE] [--storage_file PATH]
                       [--storage_format FORMAT] [--task_storage_format FORMAT]
                       [SOURCE]

SUCCESS! The upgrade worked.

Now to run log2timeline against some images.
