acstore pre-release causing AttributeError: 'SQLiteStorageFile' object has no attribute '_CONTAINER_SCHEMA_TO_SQLITE_TYPE_MAPPINGS'

[Hellboy7]

Hi Team,

I have successfully installed plaso in virtual environment using this link as reference: https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html#install-plaso-contained-within-a-virtual-environment

I collected MacOS forensic collection using UAC: https://github.com/tclahr/uac and the output file format is ".tar.gz"

Now, I am trying to create "Super Timeline creation" using plaso and I landed up in error as mentioned below.

Plaso Commands I used: log2timeline --storage-file evidence/sri.plaso evidence/uac-srinivas.shankar-GH0WQDNH7G-macos-20240408134809.tar.gz

Error: Refer screenshot for complete information

Traceback (most recent call last):
  File "/Users/srinivas.shankar/plaso_env1/bin/log2timeline", line 33, in <module>
    sys.exit(load_entry_point('plaso==20240308', 'console_scripts', 'log2timeline')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/plaso-20240308-py3.11.egg/plaso/scripts/log2timeline.py", line 81, in Main
    tool.ExtractEventsFromSources()
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/plaso-20240308-py3.11.egg/plaso/cli/extraction_tool.py", line 754, in ExtractEventsFromSources
    processing_status = self._ProcessSource(session, storage_writer)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/plaso-20240308-py3.11.egg/plaso/cli/extraction_tool.py", line 555, in _ProcessSource
    storage_writer.UpdateAttributeContainer(session)
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/plaso-20240308-py3.11.egg/plaso/storage/writer.py", line 218, in UpdateAttributeContainer
    self._store.UpdateAttributeContainer(container)
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/acstore/interface.py", line 226, in UpdateAttributeContainer
    self._WriteExistingAttributeContainer(container)
  File "/Users/srinivas.shankar/plaso_env1/lib/python3.11/site-packages/plaso-20240308-py3.11.egg/plaso/storage/sqlite/sqlite_file.py", line 304, in _WriteExistingAttributeContainer
    elif data_type not in self._CONTAINER_SCHEMA_TO_SQLITE_TYPE_MAPPINGS:
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'SQLiteStorageFile' object has no attribute '_CONTAINER_SCHEMA_TO_SQLITE_TYPE_MAPPINGS'

How to solve this error?

[joachimmetz]

Downgrade your version of acstore to the release (not-prerelease), alternatively upgrade your version of Plaso to the development version. Unfortunately PyPI has no concepts of pre-releases.

[Hellboy7]

@joachimmetz

How to downgrade the version of acstore? and how to upgrade version of Plaso to the development version? Is there docs for it to reference? because I am not much knowledge on programming side.

Appreciate you support and guide so far.

[joachimmetz]

How to downgrade the version of acstore? and how to upgrade version of Plaso to the development version?

We provide a Docker image for people less comfortable with debugging installation issues. I strongly recommend using that instead. I'll add a warning to https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html#install-plaso-contained-within-a-virtual-environment

Have a look at the pip documentation how to install a specific version

[joachimmetz]

Also extracting the .tar.gz before you process it with plaso might be more efficient.

[Hellboy7]

Hi @joachimmetz

As recommended, I am using docker image of plaso and I ran below commands for UAC output file (uac-mac.tar.gz) which is 2.08 GB.

docker run --platform linux/amd64 -v /tmp:/tmp log2timeline/plaso:latest log2timeline --storage-file /tmp/evidence.plaso /tmp/uac-mac.tar.gz

Its running for more than 1 days now and still not finished yet, at present output file of 'evidence.plaso' is 18.48 GB. I don't know whats going on here? is something wrong? Please check the screenshots

[joachimmetz]

I think the issue might be caused trying to run directly from the tar file.

I assume the tar back-end might be consuming more memory than allowed by the default limit. The log files typically should give you more details. The screenshot do not provide me with sufficient information. Also see: https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html

Try extracting the .tar.gz before you process it with plaso, as I hinted at in the previous comment

[Hellboy7]

@joachimmetz I guess its working fine now with below commands I believe and waiting for to complete. I will update status of completion with success or error. But I do have one more question, how to read this --log-file=log2timeline_problem.log.gz file for errors to troubleshoot? share the commands if you can that would be great help?

docker run --platform linux/amd64 -v /tmp:/tmp log2timeline/plaso:latest log2timeline --log-file=log2timeline_problem.log.gz --debug --parsers macos --storage-file /tmp/evidence.plaso /tmp/uac-sri.tar

Thanks for the support so far.

[joachimmetz]

But I do have one more question, how to read this --log-file=log2timeline_problem.log.gz file for errors to troubleshoot? share the commands if you can that would be great help?

these are gzip compressed text files, just use zcat (or equiv) or if you set --log-file=log2timeline_problem.log (without the .gz) it will be a plain text log, but those can become quite large