How to import large Plaso file into Timesketch in Docker

#docker #plaso #timesketch #forensics

Sometimes Timesketch, being run in Docker, hiccups when importing a Plaso file too large, like in the issue #1060. You can still upload the file using this shell script:

#!/bin/sh
#
# Run this script with timesketch_import_plaso.sh plaso_file [timesketch_container]

if [ $# -eq 0]
then
    echo Run this script with $0 plaso_file [timesketch_container]
    exit 1
fi

DOCKER_PATH="/tmp/`basename $1`"
TIMELINE="`echo $1 | sed -e 's/\.[^.]*$//'`"
CONTAINER=docker_timesketch_1
if [ ! -z "$2"]
then
    CONTAINER=$2
fi

docker cp "$1" "$CONTAINER:/tmp"
docker exec -it "$CONTAINER" psort.py -o timesketch --name "$TIMELINE" "$DOCKER_PATH"
docker exec -it "$CONTAINER" rm "$DOCKER_PATH"

Get n8n VPS hosting 3x cheaper than a cloud solution

Get fast, easy, secure n8n VPS hosting from $4.99/mo at Hostinger. Automate any workflow using a pre-installed n8n application and no-code customization.

Start now