Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

imphash bytes attribute generated by 20191203 no longer supported by 20200430

See original GitHub issue

Description of problem:

When I want to output the result of a Plaso storage file to a timesketch format, I almost instantly got the error “imphash of type bytes is not supported”

Command line and arguments:

psort.py -d -o timesketch -z Europe/Paris --status_view window /home/data/file.plaso

I also tried to output a file with the -w argument, withe the same result.

Source data:

I made a plaso storage file from an E01 image of a windows server machine.

Plaso version:

20200430

Operating system Plaso is running on:

It is the Timesketch docker version running on Tsurugi Linux

Installation method:

Installed from Docker

Debug output/tracebacks:

plaso - psort version 20200430

Storage file		: /home/data/file.plaso
Processing time		: 00:00:03

Events:         Filtered        In time slice   Duplicates      MACB grouped    Total
                0               0               0               131             4765647

Identifier              PID     Status          Memory          Events          Tags            Reports
Main                    106     exporting       547.8 MiB       138 (138)       0 (0)           0 (0)

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 518, in _DeserializeAttributeContainer
    attribute_container = self._serializer.ReadSerialized(serialized_string)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 400, in ReadSerialized
    return cls.ReadSerializedDict(json_dict)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 419, in ReadSerializedDict
    json_object = cls._ConvertDictToObject(json_dict)
  File "/usr/lib/python3/dist-packages/plaso/serializer/json_serializer.py", line 243, in _ConvertDictToObject
    'supported.').format(attribute_name))
ValueError: Event data attribute value: imphash of type bytes is not supported.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/psort.py", line 95, in <module>
    if not Main():
  File "/usr/bin/psort.py", line 72, in Main
    tool.ProcessStorage()
  File "/usr/lib/python3/dist-packages/plaso/cli/psort_tool.py", line 571, in ProcessStorage
    time_slice=self._time_slice, use_time_slicer=self._use_time_slicer)
  File "/usr/lib/python3/dist-packages/plaso/multi_processing/psort.py", line 1007, in ExportEvents
    use_time_slicer=use_time_slicer)
  File "/usr/lib/python3/dist-packages/plaso/multi_processing/psort.py", line 488, in _ExportEvents
    event_data_identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/file_interface.py", line 308, in GetEventDataByIdentifier
    return self._storage_file.GetEventDataByIdentifier(identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 262, in GetEventDataByIdentifier
    self._CONTAINER_TYPE_EVENT_DATA, identifier)
  File "/usr/lib/python3/dist-packages/plaso/storage/sqlite/sqlite_file.py", line 262, in _GetAttributeContainerByIdentifier
    container_type, identifier.row_identifier - 1)
  File "/usr/lib/python3/dist-packages/plaso/storage/sqlite/sqlite_file.py", line 303, in _GetAttributeContainerByIndex
    container_type, serialized_data)
  File "/usr/lib/python3/dist-packages/plaso/storage/interface.py", line 525, in _DeserializeAttributeContainer
    raise IOError('Unable to read serialized data: {0!s}'.format(exception))
OSError: Unable to read serialized data: Event data attribute value: imphash of type bytes is not supported.