
Question: How to analyse a whole drive

Plaso version: 1.4.0

Operating system Plaso is running on:

Windows 7 x64, run the exes in Cygwin

Installation method: The Windows .zip file

Description of problem:

I really don’t know how to analyse a whole Windows drive. I tried many combinations and different versions of how to write a drive letter. PhysicalDriveX didn’t work either.

I hope you can help me?

Debug output/tracebacks:

localuser@Computername /cygdrive/d/Software/loganalyse
$ ./log2timeline.exe -p -d -z "Europe/Berlin" "G:\Log2Timeline\MTE\imagetest4.palso" H:
2016-06-21 09:00:14,198 [DEBUG] (MainProcess) PID:4064 <extraction_frontend> Starting preprocessing.
2016-06-21 09:00:14,209 [DEBUG] (MainProcess) PID:4064 <extraction_frontend> Preprocessing done.
2016-06-21 09:00:14,209 [DEBUG] (MainProcess) PID:4064 <extraction_frontend> Starting extraction in multi process mode.
'2016-06-21 09:00:14,209 [DEBUG] (MainProcess) PID:4064 <multi_process> Starting processes.'
'WARNING:root:Unhandled exception in collector (PID: 6356).
ERROR:root:'ascii' codec can't decode byte 0xe4 in position 53: ordinal not in range(128)'
Traceback (most recent call last):
  File "plaso\multi_processing\multi_process.py", line 286, in _Main
  File "plaso\engine\collector.py", line 124, in Collect
  File "plaso\engine\collector.py", line 105, in _ProcessPathSpec
  File "plaso\engine\collector.py", line 61, in _ProcessFileSystem
  File "plaso\engine\collector.py", line 327, in Collect
  File "plaso\engine\collector.py", line 260, in _ProcessDirectory
  File "site-packages\dfvfs\vfs\file_entry.py", line 336, in IsAllocated
  File "site-packages\dfvfs\vfs\os_file_entry.py", line 147, in _GetStat
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe4 in position 53: ordinal not in range(128)
2016-06-21 09:00:18,229 [DEBUG] (MainProcess) PID:4064 <multi_process> Processing started.
2016-06-21 09:00:21,739 [ERROR] (MainProcess) PID:4064 <multi_process> Process Collector (PID: 6356) is not functioning correctly. Status code killed.
2016-06-21 09:00:21,739 [WARNING] (MainProcess) PID:4064 <multi_process> Processing aborted with engine error: Collector unexpectedly terminated.
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Stopping extraction processes.
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Process: StorageWriter (PID: 824) has been removed from the monitoring list.
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Process: Worker_00 (PID: 8784) has been removed from the monitoring list.
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Process: Collector (PID: 6356) has been removed from the monitoring list.
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Process: Worker_01 (PID: 2812) has been removed from the monitoring list.
2016-06-21 09:00:21,739 [WARNING] (MainProcess) PID:4064 <multi_process> Terminating process: StorageWriter (PID: 824).
2016-06-21 09:00:21,739 [WARNING] (MainProcess) PID:4064 <multi_process> Terminating process: Worker_00 (PID: 8784).
2016-06-21 09:00:21,739 [WARNING] (MainProcess) PID:4064 <multi_process> Terminating process: Worker_01 (PID: 2812).
2016-06-21 09:00:21,739 [DEBUG] (MainProcess) PID:4064 <multi_process> Emptying queues.
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Waiting for process: StorageWriter (PID: 824).
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Process StorageWriter (PID: 824) stopped.
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Waiting for process: Worker_00 (PID: 8784).
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Process Worker_00 (PID: 8784) stopped.
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Waiting for process: Collector (PID: 6356).
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Process Collector (PID: 6356) stopped.
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Waiting for process: Worker_01 (PID: 2812).
2016-06-21 09:00:21,789 [DEBUG] (MainProcess) PID:4064 <multi_process> Process Worker_01 (PID: 2812) stopped.
Checking availability and versions of plaso dependencies.
[OK]


Source path     : H:\
Source type     : directory

Processing started.
Processing completed with errors.

Source data:

A mounted e01 file with FTK Imager.

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

1 reaction
joachimmetz commented, Jun 22, 2016

Try:

\\.\PhysicalDrive0

0 reactions
joachimmetz commented, Jul 16, 2016

No update from OP, closing issue.
