Comments on: System Combo Timeline Released http://www.cutawaysecurity.com/blog/archives/767 Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades Tue, 16 Feb 2010 06:48:31 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: cutaway http://www.cutawaysecurity.com/blog/archives/767/comment-page-1#comment-31222 cutaway Fri, 04 Dec 2009 05:30:12 +0000 http://www.cutawaysecurity.com/blog/?p=767#comment-31222 @Eric, It looks like you are using the same version of Python so I don't think that "subprocess" is a problem. I haven't experienced this problem with other users so far. Perhaps there is a parse error being produced by evtparse.pl and the subprocess' STDERR is not handling it properly. Have you tried running evtparse.pl against your EVT file to see if you get errors? Harlan's EVT scripts usually handle "corrupted" EVT files very well, but there may be some other issue. If you post any error output from evtparse.pl it might help. Thank you, Don C. Weber @Eric,

It looks like you are using the same version of Python so I don’t think that “subprocess” is a problem. I haven’t experienced this problem with other users so far.

Perhaps there is a parse error being produced by evtparse.pl and the subprocess’ STDERR is not handling it properly. Have you tried running evtparse.pl against your EVT file to see if you get errors? Harlan’s EVT scripts usually handle “corrupted” EVT files very well, but there may be some other issue. If you post any error output from evtparse.pl it might help.

Thank you,
Don C. Weber

]]> By: E Gifford http://www.cutawaysecurity.com/blog/archives/767/comment-page-1#comment-31221 E Gifford Fri, 04 Dec 2009 00:42:41 +0000 http://www.cutawaysecurity.com/blog/?p=767#comment-31221 I'm getting this error: $ python syscombotln.py IS080 Traceback (most recent call last): File "syscombotln.py", line 156, in EVTP = sb.Popen(evt_cmd, stdout = sb.PIPE, stderr = sb.PIPE).communicate() File "/usr/lib/python2.5/subprocess.py", line 594, in __init__ errread, errwrite) File "/usr/lib/python2.5/subprocess.py", line 1091, in _execute_child raise child_exception OSError: [Errno 2] No such file or directory I’m getting this error:
$ python syscombotln.py IS080
Traceback (most recent call last):
File “syscombotln.py”, line 156, in
EVTP = sb.Popen(evt_cmd, stdout = sb.PIPE, stderr = sb.PIPE).communicate()
File “/usr/lib/python2.5/subprocess.py”, line 594, in __init__
errread, errwrite)
File “/usr/lib/python2.5/subprocess.py”, line 1091, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory

]]> By: Andrew Hay » Blog Archive » links for 2009-12-01 http://www.cutawaysecurity.com/blog/archives/767/comment-page-1#comment-31220 Andrew Hay » Blog Archive » links for 2009-12-01 Tue, 01 Dec 2009 20:04:41 +0000 http://www.cutawaysecurity.com/blog/?p=767#comment-31220 [...] Security Ripcord » Blog Archive » System Combo Timeline Released (tags: timeline forensics tool) Posted in Suggested Blog Reading | var idcomments_acct='90b2fde2bc0dbc10822f063f54ad16cc'; var idcomments_post_id='1180'; var idcomments_post_time='2009-12-01 20:04:27'; var idcomments_post_author='Andrew Hay'; var idcomments_post_title='links+for+2009-12-01'; var idcomments_post_url='http://www.andrewhay.ca/archives/1180'; var commentScriptWrapper = document.createElement("SCRIPT"); commentScriptWrapper.type = "text/javascript"; commentScriptWrapper.src = "http://www.intensedebate.com/js/wordpressTemplateCommentWrapper2.php?acct="+idcomments_acct+"&postid="+idcomments_post_id+"&title="+escape(idcomments_post_title)+"&url="+idcomments_post_url+"&posttime="+idcomments_post_time+"&postauthor="+idcomments_post_author; document.getElementsByTagName("HEAD")[0].appendChild(commentScriptWrapper); [...] [...] Security Ripcord » Blog Archive » System Combo Timeline Released (tags: timeline forensics tool) Posted in Suggested Blog Reading | var idcomments_acct='90b2fde2bc0dbc10822f063f54ad16cc'; var idcomments_post_id='1180'; var idcomments_post_time='2009-12-01 20:04:27'; var idcomments_post_author='Andrew Hay'; var idcomments_post_title='links+for+2009-12-01'; var idcomments_post_url='http://www.andrewhay.ca/archives/1180'; var commentScriptWrapper = document.createElement("SCRIPT"); commentScriptWrapper.type = "text/javascript"; commentScriptWrapper.src = "http://www.intensedebate.com/js/wordpressTemplateCommentWrapper2.php?acct="+idcomments_acct+"&postid="+idcomments_post_id+"&title="+escape(idcomments_post_title)+"&url="+idcomments_post_url+"&posttime="+idcomments_post_time+"&postauthor="+idcomments_post_author; document.getElementsByTagName("HEAD")[0].appendChild(commentScriptWrapper); [...]

]]>