View Issue Details

ID: 0008978
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2024-11-06 13:26
Reporter: s-vx
Assigned To: sbrun
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Summary0008978: Plaso dependency checks fail because of outdated dependencies
Description

Summary

Package plaso is installed along with outdated Python dependencies that make it inconvenient to use its included utilities psteal, log2timeline and psort.

Setup

A fresh install of Kali minimal on 2024-10-30, updated and running the following kernel.

┌──(kali㉿host)-[~]
└─$ uname -a 
Linux host 6.11.2-amd64 0000001 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64 GNU/Linux

The plaso version installed is as follows:

┌──(kali㉿host)-[/]
└─$ dpkg -l *plaso
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-============================================
ii  plaso          20240409-0kali1 all          super timeline all the things -- metapackage
ii  python3-plaso  20240409-0kali1 all          super timeline all the things -- Python 3

To replicate this issue, one can run psteal against a local system folder, for instance to generate a timeline of path /etc.

See command below:

┌──(kali㉿host)-[~]
└─$ psteal --source /etc -o dynamic -w etc_files.csv
2024-10-30 16:30:38,525 [INFO] (MainProcess) PID:4844 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
WARNING: the version of plaso you are using is more than 6 months old. We
strongly recommend to update it.

Checking availability and versions of dependencies.
[FAILURE]   dfdatetime version: 20240220 is too old, 20240330 or later required.
[FAILURE]   dfwinreg version: 20211207 is too old, 20240229 or later required.
[OPTIONAL]  unable to determine version information for: flor
[OPTIONAL]  missing: opensearchpy.
[FAILURE]   pyesedb version: 20181229 is too old, 20220806 or later required.
[FAILURE]   pyevtx version: 20210525 is too old, 20220724 or later required.
[FAILURE]   pyfwsi version: 20181227 is too old, 20240225 or later required.
[FAILURE]   pylnk version: 20181227 is too old, 20230716 or later required.

We are greeted with a message stating that the current Python dependencies are outdated. One can use --no-dependencies-check to work around this issue, yet it would be more convenient to be able to run this tool out of the box.

To pass the dependency checks, the system Python packages can be upgraded using the following commands:

pip install --break-system-packages --ignore-installed  -U dfdatetime==20240330
pip install  --break-system-packages --ignore-installed  -U dfwinreg==20240229
pip install --break-system-packages --ignore-installed  -U libesedb-python==20220806
pip install --break-system-packages --ignore-installed  -U libevtx-python==20220724
pip install --break-system-packages --ignore-installed  -U libfwsi-python==20240225
pip install --break-system-packages --ignore-installed  -U liblnk-python==20230716

Once complete, it is possible to run plaso unencumbered:

┌──(root㉿host)-[~]
└─# psteal --source /etc -o dynamic -w etc_files.csv   
2024-10-30 16:38:32,356 [INFO] (MainProcess) PID:44034 <artifact_definitions> Determined artifact definitions path: /usr/share/artifacts
WARNING: the version of plaso you are using is more than 6 months old. We
strongly recommend to update it.

Checking availability and versions of dependencies.
[OPTIONAL]  unable to determine version information for: flor
[OPTIONAL]  missing: opensearchpy.
[OK]

Source path     : /etc
Source type     : directory
Processing time     : 00:00:00

Processing started.

It seems there are two options to fix this issue:

  1. revert plaso to an earlier version that is compatible with the current Python dependencies
  2. upgrade the python3 dependencies to match plaso's requirements

As per my understanding, at least the following Debian packages would need to be upgraded:

  • dfdatetime: python3-dfdatetime, currently at version 20240220-2
  • dfwinreg: python3-dfwinreg, currently at version 20211207-0kali2
  • pyesedb: python3-libesedb, currently at version 20181229-3.2
  • pyevtx: python3-libevtx, currently at version 20210525-0kali1
  • pyfwsi: python3-libfwsi, currently at version 20181227-1.2
  • pylnk: python3-liblnk, currently at version 20181227-1.2

Best Regards
Thanks in advance for your help
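The report above shows the dependency-check output and, separately, the pinned pip commands that satisfy it. The following helper, added here as an example and not part of the bug report or of plaso, joins the two: it parses the `[FAILURE] <module> version: <have> is too old, <need> or later required.` lines and emits one pinned `pip install` line per failing module, using the module-to-PyPI-name mapping taken from the report's commands (dfdatetime, dfwinreg, libesedb-python, libevtx-python, libfwsi-python, liblnk-python). Modules outside that mapping are emitted as a comment rather than guessed. The sample check output embedded in the script is constructed from the report for offline use; the function names and the `2>&1` capture of psteal's output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from plaso.
# Turns plaso's dependency-check output into pinned "pip install" lines,
# using the module -> PyPI distribution mapping taken from the report.

# Map plaso's module name to the PyPI distribution that provides it.
# Only the six names from the report are known; anything else fails.
pip_name_for() {
  case "$1" in
    dfdatetime) echo dfdatetime ;;
    dfwinreg)   echo dfwinreg ;;
    pyesedb)    echo libesedb-python ;;
    pyevtx)     echo libevtx-python ;;
    pyfwsi)     echo libfwsi-python ;;
    pylnk)      echo liblnk-python ;;
    *)          return 1 ;;
  esac
}

# Read the dependency-check output on stdin; for each
# "[FAILURE]  <module> version: <have> is too old, <need> or later required."
# line, print a pip command pinned to the minimum version plaso asks for.
# Unknown modules are printed as a comment so nothing is silently guessed.
plaso_dep_fixes() {
  sed -n 's/^\[FAILURE\][[:space:]]*\([A-Za-z0-9_]*\) version: [0-9]* is too old, \([0-9]*\) or later required\..*/\1 \2/p' |
  while read -r module need; do
    if pkg=$(pip_name_for "$module"); then
      printf 'pip install --break-system-packages --ignore-installed -U %s==%s\n' "$pkg" "$need"
    else
      printf '# no known PyPI name for %s (needs %s); resolve manually\n' "$module" "$need"
    fi
  done
}

# Constructed sample of the check output (subset of the lines in the report),
# embedded so the script runs offline without plaso installed.
SAMPLE_CHECK='Checking availability and versions of dependencies.
[FAILURE]   dfdatetime version: 20240220 is too old, 20240330 or later required.
[OPTIONAL]  missing: opensearchpy.
[FAILURE]   pyesedb version: 20181229 is too old, 20220806 or later required.'

# Real usage (assumed invocation; capture both streams in case the check
# goes to stderr):
#   psteal --source /etc -o dynamic -w out.csv 2>&1 | plaso_dep_fixes
printf '%s\n' "$SAMPLE_CHECK" | plaso_dep_fixes
```

Review the generated lines before running them: `--break-system-packages --ignore-installed` installs over files owned by the Debian packages, so the apt-managed python3-* packages no longer reflect what is actually imported, and a later `apt upgrade` can overwrite the pip-installed copies again. The proper fix remains updating the Debian packages listed in the report.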

Activities

kali-bugreport

2024-10-30 21:58

reporter   ~0019993

Similar requirement to 0008979:0019992 (Request package update in Debian)?

Issue History

Date Modified Username Field Change
2024-10-30 16:55 s-vx New Issue
2024-10-30 21:58 kali-bugreport Note Added: 0019993
2024-11-06 13:26 sbrun Assigned To => sbrun
2024-11-06 13:26 sbrun Status new => assigned