Unable to run Plaso ingest module

I’m running Autopsy 4.19.3 on Windows 10 and I’m unable to run the plaso module against any data source. The logs show this error:

SEVERE: Plaso experienced an error during analysis (data source = Y247388.E01, objId = 1, pipeline id = 3, ingest job id = 2)
java.nio.file.InvalidPathException: Illegal char <:> at index 92: C:\Users\forensics\Documents\Cases\Y247388-New\ModuleOutput\plaso\2022-03-16 15-15-11 GMT-07:00

It looks like the plaso module is trying to create a file or folder with a colon in it from the timezone information. Is there any way to get around this?

On my system, the folder ends up being named “2022-03-23 09-49-59 EDT”. It looks like the format of the time zone may be system dependent. I’ve submitted a bug report. I’m not sure how to get around it unfortunately.

What’s your configuration? That’s the output when I set the timezone as MST in Autopsy, but if I can change something in Windows 10 that would make things easier.

I’ve been trying to run Autopsy Java in Linux, but now I’m dealing with “Local Solr server did not respond to status request” errors.

Here are my settings. No clue if changing them will make a difference.

Can you show me a screenshot of the timezones listed in Autopsy when adding a datasource? And also you are running 4.19.3 right?

I’m running from Netbeans at the moment. The timezone pull-down on the options panel shouldn’t matter - that’s only for displaying times within the Autopsy UI. The code creating the Plaso dir doesn’t use it.

Well I changed my region settings to United States from Canada. Same problem. GMT-7:00.

This is frustrating.

Out of curiosity, where did you file the bug report? I posted an issue on GitHub, but I didn’t see anything else there.

On our internal system.

Ok, update. I spun up a VM and did a new install of Windows 10, it’s at version 21H2 (Build 19044.1288). I configured it for US regional settings. The issue did not happen in this case.

Another update, I had an issue with that previous VM and so created another with the same settings and Windows version, the issue returned. I can’t remember if I had set the timezone in the previous VM though. I am going to test again with different timezone settings. This could be an issue with the timezone set to Yukon time as that timezone was created in the last couple years.

Ok I have done testing with quite a few timezones. I have not tested with any that are ahead of the Eastern Time zone, I started there and worked my way backwards.
The problem is with Daylight time. When the Plaso module in Autopsy is run on a computer in any time zone that doesn’t adjust for daylight time it tries to put a : in the name of the folder in the ModuleOutput. I specifically saw this with Pacific time. When automatically adjust for daylight time was disabled Plaso failed, but it works with it enabled. It failed on any timezone I tested that did not have daylight time (Saskatchewan, Arizona, and Yukon in my testing).
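The failure diagnosed above can be reproduced outside Autopsy. This is an added example, not part of the thread and not Autopsy's code or the merged fix: it assumes the folder name comes from a date pattern ending in the zone letter `z`, and the class name, pattern and sanitize helper are hypothetical. Java prints a zone that has only a fixed offset as GMT-07:00, which is where the colon comes from.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import java.util.TimeZone;

public class OutputDirNameDemo {
    // Hypothetical pattern (assumption): the trailing 'z' prints the zone's short name.
    static final String PATTERN = "yyyy-MM-dd HH-mm-ss z";
    // Characters Windows does not allow in a file or folder name.
    static final String WINDOWS_ILLEGAL = "[<>:\"/\\\\|?*\\x00-\\x1F]";

    // Format a timestamp in the given zone, the way a per-run folder name might be built.
    static String stamp(Date when, TimeZone tz) {
        SimpleDateFormat fmt = new SimpleDateFormat(PATTERN, Locale.US);
        fmt.setTimeZone(tz);
        return fmt.format(when);
    }

    // Hypothetical guard: replace every illegal character before the name reaches the file system.
    static String sanitize(String name) {
        return name.replaceAll(WINDOWS_ILLEGAL, "-");
    }

    // Report whether the platform's path parser accepts the name as a path component.
    static String tryPath(String name) {
        try {
            Paths.get("ModuleOutput", "plaso", name);
            return "accepted";
        } catch (InvalidPathException e) {
            return "rejected: " + e.getReason();
        }
    }

    public static void main(String[] args) {
        Date when = new Date(1647468911000L); // constructed sample: 2022-03-16 22:15:11 UTC
        TimeZone[] zones = {
            TimeZone.getTimeZone("America/New_York"), // named zone that observes daylight time
            TimeZone.getTimeZone("GMT-07:00"),        // fixed offset with no zone name
        };
        for (TimeZone tz : zones) {
            String raw = stamp(when, tz);
            String safe = sanitize(raw);
            System.out.println(raw + " -> " + tryPath(raw));
            System.out.println(safe + " -> " + tryPath(safe));
        }
    }
}
```

On Windows the unsanitized fixed-offset name is rejected by the path parser; on Linux and macOS a colon is legal in a file name, so every name is accepted there.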

The fix is merged. It will be in the next release.

I’m glad to hear the fix has been merged, I’m just curious what the timeline is for the next release and if it will be released before the switch to daylight standard time for most of North America (2022/11/06). Things are ok currently as I have set my timezone to Pacific which works for the summer and early fall, but will become incorrect as of the switch to standard.