Firstly, I just want to say this project is awesome, and has a huge amount of potential, just well done, and keep up the amazing work!
Context: I was trying the project out and tried using the .e01 files from DFIRMadness ("The Case of the Stolen Szechuan Sauce"):
I tried extracting artefacts (Windows Event Logs) from the image, but it kept on failing.
The log file reads as follows:
```
2025-07-13 10:23:30,220 [WARNING] (MainProcess) PID:21 <tools> This version of plaso is more than 6 months old. We strongly recommend to update it.
2025-07-13 10:23:30,285 [WARNING] (MainProcess) PID:21 <image_export> Unable to scan for a supported file system with error: Unable to scan source with error: Unable to process source path specification with error: OSError('pyewf_handle_read_buffer: unable to read data. libewf_read_io_handle_read_chunk_data: missing chunk data: 368639. libewf_handle_read_buffer: unable to read chunk data: 368639.') Most likely the image format is not supported by the tool.
```
I'm not sure why this is failing, but one thing that occurred to me was that the .e01 file is multi-part:
- 20200918_0347_CDrive.E01
- 20200918_0347_CDrive.E02
I tried creating my own (single-part) .e01 disk image and the process worked fine.
To replicate:
- Download the "DC01-E01.zip" and try it for yourself.
Other info:
- Running on Ubuntu 22.04
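One way to rule out an incomplete or mismatched segment set before re-running the export, as an added example that is not part of the original report or of the project's code. The function names are hypothetical, and the header layout assumed is the EWF-E01 one (8-byte signature, one field-start byte, 2-byte little-endian segment number); the sample files are constructed.

```python
import re
import struct
import tempfile
from pathlib import Path

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # EWF-E01 segment file magic (8 bytes)

def read_segment_number(path):
    """Return the segment number stored in the 13-byte EWF file header, or None."""
    with open(path, "rb") as fh:
        header = fh.read(13)
    if len(header) < 13 or header[:8] != EWF_SIGNATURE:
        return None
    # Byte 8 is the field-start marker; bytes 9-10 hold the segment number.
    return struct.unpack_from("<H", header, 9)[0]

def check_segments(first_segment):
    """Inspect the .E01, .E02, ... files beside first_segment; return problems found."""
    first = Path(first_segment)
    found = {}
    for p in first.parent.iterdir():
        m = re.fullmatch(r"[Ee](\d\d)", p.suffix[1:])
        if p.stem == first.stem and m:
            found[int(m.group(1))] = p
    if not found:
        return ["no segment files found"]
    problems = []
    for n in range(1, max(found) + 1):
        if n not in found:
            problems.append(f"segment {n} missing on disk")
            continue
        stored = read_segment_number(found[n])
        if stored is None:
            problems.append(f"{found[n].name}: not an EWF segment file")
        elif stored != n:
            problems.append(f"{found[n].name}: header says segment {stored}")
    return problems

def make_segment(path, number):
    """Write a constructed 13-byte EWF header (no image data) for the demo."""
    Path(path).write_bytes(EWF_SIGNATURE + b"\x01" + struct.pack("<H", number) + b"\x00\x00")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_segment(f"{d}/sample.E01", 1)
        make_segment(f"{d}/sample.E03", 3)  # .E02 deliberately absent
        print(check_segments(f"{d}/sample.E01"))
```

The check covers gaps and renamed or non-EWF files among `.E01` to `.E99`; it does not detect a missing final segment, since that requires reading the section chain inside the last file.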