MacOS Source release

To install the “Source code” release of Plaso on MacOS you need to download the latest version from https://github.com/log2timeline/plaso/releases/latest

For the purposes of this guide it will use 20200430 to represent the latest Plaso release in the examples below. However, you will need to adjust this based on the latest version available from the link above.

Under the latest release you should see four links to different packages, you will need to download the “Source code (tar.gz)” package file, for example https://github.com/log2timeline/plaso/archive/20200430.tar.gz

Extract the source code:

cd /tmp
tar zxf ~/Downloads/plaso-20200430.tar.gz

In some cases, MacOS will automatically ungzip the downloaded file. In which case, untar with:

cd /tmp
tar xf ~/Downloads/plaso-20200430.tar

XCode Command Line Tools is required. It can be installed with:

xcode-select --install

If python3 is not already installed, it can be downloaded from https://www.python.org/downloads/

Install Plaso contained within a virtual environment

Plaso can be installed within a virtual environment so that dependency packages are not installed system-wide. To do this, install Virtualenv:

sudo pip3 install virtualenv

Create a virtual environment to install Plaso into (in this instance, it is named “plaso_env” created under the home directory):

virtualenv -p python3 ~/plaso_env

Activate the virtual environment:

source ~/plaso_env/bin/activate

Install the Plaso dependencies:

cd /tmp/plaso-20200430/
pip install -r requirements.txt

Install Plaso:

python setup.py build
python setup.py install

To deactivate the virtual environment:

deactivate

In order to run Plaso, the virtual environment needs to be activated.

Install Plaso system-wide

We strongly discourage installing Plaso system-wide with pip. If you aren’t comfortable debugging package installation, this is not for you.

Install the Plaso dependencies:

cd /tmp/plaso-20200430/
sudo pip3 install -r requirements.txt

Install Plaso:

python3 setup.py build
sudo python3 setup.py install

Troubleshooting

Some Python dependencies fail to compile with the error:

  clang: warning: no such sysroot directory: '/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk' [-Wmissing-sysroot]
  ...
  #include <stdio.h>
           ^~~~~~~~~
  1 error generated.
  error: command 'clang' failed with exit status 1

It is likely that the Python interpreter was built using a specific MacOS SDK. Make sure that version of the MacOS SDK is installed on your system, in the example above this is MacOS SDK 10.14.

Pycrypto fails to build with the error:

    src/_fastmath.c:36:11: fatal error: 'gmp.h' file not found
    # include <gmp.h>
              ^~~~~~~
    1 error generated.
    error: command 'clang' failed with exit status 1
    ----------------------------------------

Make sure you have gmp installed:

brew install gmp

And your build environment knows where to find its development files:

export CFLAGS="-I/usr/local/include ${CFLAGS}";
export LDFLAGS="-L/usr/local/lib ${LDFLAGS}";

Yara-python fails to build with the error:

    In file included from yara/libyara/libyara.c:45:
    yara/libyara/crypto.h:38:10: fatal error: 'openssl/crypto.h' file not found
    #include <openssl/crypto.h>
             ^~~~~~~~~~~~~~~~~~
    1 error generated.
    error: command 'clang' failed with exit status 1
    ----------------------------------------

Make sure you have openssl installed:

brew install openssl

And your build environment knows where to find its development files:

export CFLAGS="-I/usr/local/opt/openssl@1.1/include ${CFLAGS}";
export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib ${LDFLAGS}";