Fix for Issue #617

[digitalsleuth]

Plaso and python-evtx have different pyparsing requirements which conflicted, causing plaso to not function properly.

The most recent version of python-evtx is not available on Ubuntu Focal or Jammy via apt, and the pypi version of python-evtx pins pyparsing via pyparsing==2.4.7, which takes precedence via PYTHONPATH, which then causes an incompatible version to be invoked by plaso.

This state installs python-evtx directly from the GitHub repo to avoid this conflict. The setup.py in the repo sets pyparsing>=2.4.7, thus resolving this issue.

Since the python3-plaso and plaso-data state files are no longer required, and the plaso-tools package is the only requirement for plaso, this state also removes the references to the other states.

[ekristen]

Why are we removing plaso-data? Also all states should be in the includes and requires blocks, looks like they were removed when renamed?

[digitalsleuth]

Hi Erik,

According to the documentation, only plaso-tools is required for plaso to work correctly. In an effort to remove any conflicts between the states, I removed plaso-data. I couldn't find any additional info about it on the GIFT PPA either, so I wanted to make sure it wasn't going to conflict.

I can modify that to include plaso-data as it was before when I get back to my computer. I just noticed that plaso documentation says it no longer supports older Ubuntu versions as well, so I might have to rework this after all to make sure there are no further compatibility issues.

[digitalsleuth]

I've just confirmed that the installation of plaso-tools automatically installs plaso-data and python3-plaso, so the plaso-data and python3-plaso states are not required. The removal of these two from the includes/requires was intentional, so as to not call on the states since they've been removed.