plaso: imphash bytes attribute generated by 20191203 no longer supported by 20200430

Description of problem:

When I want to output the result of a Plaso storage file to a timesketch format, I almost instantly get the error “imphash of type bytes is not supported”.

Command line and arguments:

psort.py -d -o timesketch -z Europe/Paris --status_view window /home/data/file.plaso

I also tried to output a file with the -w argument, with the same result.

Source data:

I made a Plaso storage file from an E01 image of a Windows server machine.

Plaso version:

20200430

Operating system Plaso is running on:

It is the Timesketch Docker version running on Tsurugi Linux.

Installation method:

Installed from Docker

Debug output/tracebacks:

plaso - psort version 20200430

Storage file		: /home/data/file.plaso
Processing time		: 00:00:03

Events:         Filtered        In time slice   Duplicates      MACB grouped    Total
                0               0               0               131             4765647

Identifier              PID     Status          Memory          Events          Tags            Reports
Main                    106     exporting       547.8 MiB       138 (138)       0 (0)           0 (0)

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 518, in _DeserializeAttributeContainer
    attribute_container = self._serializer.ReadSerialized(serialized_string)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 400, in ReadSerialized
    return cls.ReadSerializedDict(json_dict)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 419, in ReadSerializedDict
    json_object = cls._ConvertDictToObject(json_dict)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 243, in _ConvertDictToObject
    'supported.').format(attribute_name))
ValueError: Event data attribute value: imphash of type bytes is not supported.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/psort.py", line 95, in <module>
    if not Main():
  File "/usr/bin/psort.py", line 72, in Main
    tool.ProcessStorage()
  File "/usr/lib/python3/dist-packages/plaso/cli/psort_tool.py", line 571, in ProcessStorage
    time_slice=self._time_slice, use_time_slicer=self._use_time_slicer)
  File "/usr/lib/python3/dist-packages/plaso/multi_processing/psort.py", line 1007, in ExportEvents
    use_time_slicer=use_time_slicer)
  File "/usr/lib/python3/dist-packages/plaso/multi_processing/psort.py", line 488, in _ExportEvents
    event_data_identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/file_interface.py", line 308, in GetEventDataByIdentifier
    return self._storage_file.GetEventDataByIdentifier(identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 262, in GetEventDataByIdentifier
    self._CONTAINER_TYPE_EVENT_DATA, identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/sqlite/sqlite_file.py", line 262, in _GetAttributeContainerByIdentifier
    container_type, identifier.row_identifier - 1)
  File "/usr/lib/python3/dist-packages/plaso/storage/sqlite/sqlite_file.py", line 303, in _GetAttributeContainerByIndex
    container_type, serialized_data)
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 525, in _DeserializeAttributeContainer
    raise IOError('Unable to read serialized data: {0!s}'.format(exception))
OSError: Unable to read serialized data: Event data attribute value: imphash of type bytes is not supported.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

How could I do that?

This was a note to self 😉