MFT Parser usage or bug?

[orlikoski]

Hello,

When using just the mft parser against a .vmdk file it returns no results but when run against the extracted $MFT file from that same image it returns ~550MB of results (l2t csv format). This is using the Plaso 1.4 and only the "mft" parser

Examples:

No Results example:
log2timeline.exe -p --partition all --vss_stores all --parsers mft --workers 5 tmp.db "E:\tmp.vmdk"

Restults examples:
log2timeline.exe -p --parsers mft --workers 5 tmp.db "E:\extracted_data$MFT"

Is this how it is supposed to work or is this a bug?

[Onager]

Could you run the first example with -d, and paste some of the output?

[joachimmetz]

Try the parser named mft instead of mtu. --parsers list will provide you a list of available parser names.

[orlikoski]

Sorry, mtu was a typo since I hand copied it over and it was supposed to be mft. I ran the following command (copy/paste this time) and it had 0 results.

plaso\log2timeline.exe -p --partition all --vss_stores all --parsers mft -d tmp.db "E:\VMware VM\Win10 Burner\Win10 Burner.vmdk" 

Checking availability and versions of plaso dependencies.
[OK]


Source path     : E:\VMware VM\Win10 Burner\Win10 Burner.vmdk
Source type     : storage media image

Processing started.
2016-01-26 09:20:50,887 [WARNING] (MainProcess) PID:9868 <extraction_frontend> Appending to an already existing storage file.
2016-01-26 09:20:50,888 [DEBUG] (MainProcess) PID:9868 <extraction_frontend> Starting preprocessing.
2016-01-26 09:20:50,901 [DEBUG] (MainProcess) PID:9868 <extraction_frontend> Preprocessing done.
2016-01-26 09:20:50,903 [DEBUG] (MainProcess) PID:9868 <extraction_frontend> Starting extraction in multi process mode.
2016-01-26 09:20:50,904 [DEBUG] (MainProcess) PID:9868 <multi_process> Starting processes.
2016-01-26 09:20:57,648 [DEBUG] (MainProcess) PID:9868 <multi_process> Processing started.
2016-01-26 09:21:07,678 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/ProgramData/Microsoft/Windows Defender/Scans/mpcache-48BF231E47D7148AAA68A5A51CA443FF498A25DF.bin.79 - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/assembly/NativeImages_v4.0.30319_32/WindowsBase/464659193070de9fd04c4ae11488828d/WindowsBase.ni.dll - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Users/burner/AppData/Local/Microsoft/Windows/PRICache/Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy/3295484897/2504515037.pri - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/INF/bthaudhid.PNF - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/InfusedApps/Packages/microsoft.windowscommunicationsapps_17.6002.42251.0_x64__8wekyb3d8bbwe/HxMail.exe - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/ProgramData/Microsoft/Windows Defender/Definition Updates/Backup/mpavbase.vdm - running: True <running>
2016-01-26 09:21:17,563 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/System32/syskey.exe - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/System32/mos.dll - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/System32/C_1144.NLS - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/System32/CatRoot/{F750E6C3-38EE-11D1-85E5-00C04FC295EE}/Microsoft-OneCore-Connectivity-HID-Package~31bf3856ad364e35~amd64~en-US~10.0.10240.16384.cat - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/System32/DriverStore/FileRepository/net819xp.inf_amd64_d3361f3b3c0caddd/rtl819xp.sys - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/schemas/EAPHost/eapuserpropertiesv1.xsd - running: True <running>
2016-01-26 09:21:27,349 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/SysWOW64/Windows.Web.Diagnostics.dll - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/SysWOW64/MP4SDECD.DLL - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/SystemApps/WindowsFeedback_cw5n1h2txyewy/Assets/FeedbackSplashWideTile.contrast-white_scale-100.png - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/SysWOW64/wbem/en-US/OfflineFilesConfigurationWmiProvider.mfl - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/servicing/Packages/Package_176_for_KB3093266~31bf3856ad364e35~amd64~~10.0.1.4.cat - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/System32/WinBioPlugIns/en-US/winbioStorageadapter.dll.mui - running: True <running>
2016-01-26 09:21:37,190 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-f..truetype-constantia_31bf3856ad364e35_10.0.10240.16384_none_1307adcda466895f/constanz.ttf - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-d..-standarddictionary_31bf3856ad364e35_10.0.10240.16384_none_88858a2c75885c83/IMJPST.DIC - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-c..oactive.lib.cortana_31bf3856ad364e35_10.0.10240.16384_none_875e218ce4977346/request-helpers.js - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_10.0.10240.16384_th-th_5cb1ba7fdc19934d/Windows.Data.TimeZones.th-TH.pri - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-n..pcredentialprovider_31bf3856ad364e35_10.0.10240.16384_none_86e71f132f904e2b/DaOtpCredentialProvider.dll - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-a..esslockapp.appxmain_31bf3856ad364e35_10.0.10240.16384_none_3feee55dbf7dcc80/resources.pri - running: True <running>
2016-01-26 09:21:47,161 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/WinSxS/Manifests/amd64_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_10.0.10240.16384_en-us_cbb67dfdef0e23e9.manifest - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/WinSxS/Manifests/amd64_19db6d75ec1e815f120e73a73359f862_31bf3856ad364e35_10.0.10240.16464_none_4148e73b7f749788.manifest - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/WinSxS/FileMaps/$$_system32_configuration_registration_fdfcf6ae03636dbf.cdf-ms - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/WinSxS/Manifests/amd64_microsoft-windows-m..r-library.resources_31bf3856ad364e35_10.0.10240.16384_en-us_db4735f569828f71.manifest - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/WinSxS/Manifests/amd64_windows-defender-service-mpclientetw_31bf3856ad364e35_10.0.10240.16384_none_21244de1b1fb9a49.manifest - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/WinSxS/Catalogs/315054f7b05ddd769d2f4d5775e00bf457788145d2735a9867f685bfc4277ed4.cat - running: True <running>
2016-01-26 09:21:57,155 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_prnms002.inf_31bf3856ad364e35_10.0.10240.16384_none_5a46d818556f13d7/Amd64/FXSRES.DLL - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_netfx4-machine_config_b03f5f7f11d50a3a_4.0.10240.16384_none_38e604cca0bcd7c7/machine.config.default - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-wlansvc_31bf3856ad364e35_10.0.10240.16384_none_a444b4019f936bdc/wlanhlp.dll - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/WinSxS/msil_system.management.automation_31bf3856ad364e35_1.0.0.0_none_6340379543bd8a03/System.Management.Automation.dll - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/WinSxS/wow64_microsoft-windows-twinui-appcore_31bf3856ad364e35_10.0.10240.16412_none_a41f75a829df95ce/twinui.appcore.dll - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/WinSxS/amd64_microsoft-windows-tapi3_31bf3856ad364e35_10.0.10240.16384_none_694923792a3db85f/tapi3.dll - running: True <running>
2016-01-26 09:21:59,664 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Collector (PID: 9280) has completed its processing. Total of 106530 pathspecs extracted
2016-01-26 09:21:59,664 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Collector (PID: 9280) has been removed from the monitoring list.
2016-01-26 09:22:06,802 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:06,802 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are running.
2016-01-26 09:22:06,803 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:06,803 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are running.
2016-01-26 09:22:06,803 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
2016-01-26 09:22:06,805 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:06,805 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are running.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/winsatencode.wmv - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_480_5sec_6mbps_h264.mp4 - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_1080_5sec_10mbps_h264.mp4 - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_1080_5sec_VC1_15mbps.wmv - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/winsat.wmv - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/Installer/5e2ef.msi - running: True <running>
2016-01-26 09:22:15,331 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:15,332 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_01 is parsing.
2016-01-26 09:22:15,332 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_02 is parsing.
2016-01-26 09:22:15,332 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_03 is parsing.
2016-01-26 09:22:15,332 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_04 is parsing.
2016-01-26 09:22:15,332 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_05 is parsing.
2016-01-26 09:22:15,334 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are not running.
2016-01-26 09:22:15,334 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:15,334 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_01 is parsing.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_02 is parsing.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_03 is parsing.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_04 is parsing.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_05 is parsing.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are not running.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Processing incomplete - extraction still in progress.
2016-01-26 09:22:15,335 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:15,336 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_01 is parsing.
2016-01-26 09:22:15,336 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_02 is parsing.
2016-01-26 09:22:15,336 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_03 is parsing.
2016-01-26 09:22:15,336 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_04 is parsing.
2016-01-26 09:22:15,338 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_05 is parsing.
2016-01-26 09:22:15,338 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are not running.
Worker_00 (PID: 9900) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/winsatencode.wmv - running: True <running>
Worker_01 (PID: 9452) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_480_5sec_6mbps_h264.mp4 - running: True <running>
Worker_02 (PID: 1668) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_1080_5sec_10mbps_h264.mp4 - running: True <running>
Worker_03 (PID: 9892) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/Clip_1080_5sec_VC1_15mbps.wmv - running: True <running>
Worker_04 (PID: 9628) - events extracted: 0 - file: TSK:/Windows/Performance/WinSAT/winsat.wmv - running: True <running>
Worker_05 (PID: 6336) - events extracted: 0 - file: TSK:/Windows/Installer/5e2ef.msi - running: True <running>
2016-01-26 09:22:23,891 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:23,891 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_01 is parsing.
2016-01-26 09:22:23,892 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_02 is parsing.
2016-01-26 09:22:23,892 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_03 is parsing.
2016-01-26 09:22:23,894 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_04 is parsing.
2016-01-26 09:22:23,894 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_05 is parsing.
2016-01-26 09:22:23,894 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are not running.
2016-01-26 09:22:23,894 [DEBUG] (MainProcess) PID:9868 <multi_process> Extraction completed.
2016-01-26 09:22:23,894 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_00 is parsing.
2016-01-26 09:22:23,895 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_01 is parsing.
2016-01-26 09:22:23,895 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_02 is parsing.
2016-01-26 09:22:23,895 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_03 is parsing.
2016-01-26 09:22:23,897 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_04 is parsing.
2016-01-26 09:22:23,897 [DEBUG] (MainProcess) PID:9868 <processing_status> Worker_05 is parsing.
2016-01-26 09:22:23,897 [DEBUG] (MainProcess) PID:9868 <processing_status> Workers are not running.
2016-01-26 09:22:23,897 [DEBUG] (MainProcess) PID:9868 <multi_process> Processing completed.
2016-01-26 09:22:23,898 [DEBUG] (MainProcess) PID:9868 <multi_process> Processing stopped.
2016-01-26 09:22:23,898 [DEBUG] (MainProcess) PID:9868 <multi_process> Stopping extraction processes.
2016-01-26 09:22:23,898 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_05 (PID: 6336) has been removed from the monitoring list.
2016-01-26 09:22:23,898 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_02 (PID: 1668) has been removed from the monitoring list.
2016-01-26 09:22:23,898 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_01 (PID: 9452) has been removed from the monitoring list.
2016-01-26 09:22:23,901 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_00 (PID: 9900) has been removed from the monitoring list.
2016-01-26 09:22:23,901 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_03 (PID: 9892) has been removed from the monitoring list.
2016-01-26 09:22:23,901 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: StorageWriter (PID: 10148) has been removed from the monitoring list.
2016-01-26 09:22:23,901 [DEBUG] (MainProcess) PID:9868 <multi_process> Process: Worker_04 (PID: 9628) has been removed from the monitoring list.
2016-01-26 09:22:23,901 [DEBUG] (MainProcess) PID:9868 <multi_process> Emptying queues.
2016-01-26 09:22:23,908 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Collector (PID: 9280).
2016-01-26 09:22:26,171 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Collector (PID: 9280) stopped.
2016-01-26 09:22:26,173 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_05 (PID: 6336).
2016-01-26 09:22:26,348 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_05 (PID: 6336) stopped.
2016-01-26 09:22:26,348 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_02 (PID: 1668).
2016-01-26 09:22:26,364 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_02 (PID: 1668) stopped.
2016-01-26 09:22:26,367 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_01 (PID: 9452).
2016-01-26 09:22:26,371 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_01 (PID: 9452) stopped.
2016-01-26 09:22:26,378 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_00 (PID: 9900).
2016-01-26 09:22:26,381 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_00 (PID: 9900) stopped.
2016-01-26 09:22:26,381 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_03 (PID: 9892).
2016-01-26 09:22:26,382 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_03 (PID: 9892) stopped.
2016-01-26 09:22:26,382 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: StorageWriter (PID: 10148).
2016-01-26 09:22:26,384 [DEBUG] (MainProcess) PID:9868 <multi_process> Process StorageWriter (PID: 10148) stopped.
2016-01-26 09:22:26,384 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_04 (PID: 9628).
2016-01-26 09:22:26,411 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_04 (PID: 9628) stopped.
2016-01-26 09:22:26,411 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Collector (PID: 9280).
2016-01-26 09:22:26,411 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Collector (PID: 9280) stopped.
2016-01-26 09:22:26,411 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_05 (PID: 6336).
2016-01-26 09:22:26,411 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_05 (PID: 6336) stopped.
2016-01-26 09:22:26,413 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_02 (PID: 1668).
2016-01-26 09:22:26,413 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_02 (PID: 1668) stopped.
2016-01-26 09:22:26,413 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_01 (PID: 9452).
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_01 (PID: 9452) stopped.
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_00 (PID: 9900).
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_00 (PID: 9900) stopped.
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_03 (PID: 9892).
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_03 (PID: 9892) stopped.
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: StorageWriter (PID: 10148).
2016-01-26 09:22:26,414 [DEBUG] (MainProcess) PID:9868 <multi_process> Process StorageWriter (PID: 10148) stopped.
2016-01-26 09:22:26,415 [DEBUG] (MainProcess) PID:9868 <multi_process> Waiting for process: Worker_04 (PID: 9628).
2016-01-26 09:22:26,415 [DEBUG] (MainProcess) PID:9868 <multi_process> Process Worker_04 (PID: 9628) stopped.
Processing completed.

[orlikoski]

I ran this next.

plaso\psort.exe -o l2tcsv tmp.db -w test.csv

Processing completed.

*********************************** Counter ************************************
Stored Events : 0
--------------------------------------------------------------------------------

[joachimmetz]

Ack, thanks for reaching out and confirming. This appears to be an issue in the parser selection for file system metadata files. We'll have a look creating a fix.

[orlikoski]

Thanks for confirming I'm not going crazy and can't wait to see the fix. Great tool and I really appreciate the time everyone has put into making it work.

[joachimmetz]

Can you try the current development version.

[orlikoski]

I tried the recent development version and it did not work on an image file but did work on a MFT file. I've attached the log file.

commands:

placct@ubuntu:~/Desktop/test$ log2timeline.py --version
plaso - log2timeline version 1.4.1_20160127

log2timeline.py -p --parsers mft -d test_image.db "/mnt/hgfs/VMWARE/Win10x64/Windows 10 x64.vmdk" --logfile /mnt/hgfs/GitHub/IMAGEFILE_log.log

placct@ubuntu:~/Desktop/test$ psort.py test_image.db -o l2tcsv -w test.csv
Processing completed.

*********************************** Counter ************************************
Stored Events : 0
--------------------------------------------------------------------------------

[IMAGEFILE_log.zip](https://github.com/log2timeline/plaso/files/107618/IMAGEFILE_log.zip)

[joachimmetz]

Thanks for checking, apparently still some more changes in the parser selection are needed.
https://codereview.appspot.com/289950043/

[joachimmetz]

Changes are in, reopen the issue if needed.

[marcurdy]

Any ETA on the push for this into the github since codereview was 23 days ago?

[joachimmetz]

@marcurdy what do you mean by "push" ? the last changes are merged with HEAD 23 days ago? What does an ETA (of what?) is going to tell you?