From f2879bf09e56ba148673b379e7173b10b49f10c6 Mon Sep 17 00:00:00 2001
From: digitalsleuth
Date: Mon, 19 Feb 2024 00:26:38 +0000
Subject: [PATCH 1/3] Fix issue between plaso and python-evtx
---
 sift/packages/init.sls | 8 ++------
 sift/packages/plaso-data.sls | 8 --------
 sift/packages/plaso-tools.sls | 12 +++++++++---
 sift/packages/plaso.sls | 14 --------------
 sift/packages/python3-evtx.sls | 3 +++
 sift/python3-packages/init.sls | 4 ++--
 sift/python3-packages/python-evtx.sls | 12 +++++++++++-
 7 files changed, 27 insertions(+), 34 deletions(-)
 delete mode 100644 sift/packages/plaso-data.sls
 delete mode 100644 sift/packages/plaso.sls
 create mode 100644 sift/packages/python3-evtx.sls
diff --git a/sift/packages/init.sls b/sift/packages/init.sls
index 45795b2c..2ebd4446 100644
--- a/sift/packages/init.sls
+++ b/sift/packages/init.sls
@@ -137,8 +137,6 @@ include:
 - sift.packages.pff-tools
 - sift.packages.phonon
 - sift.packages.pkg-config
- - sift.packages.plaso
- - sift.packages.plaso-data
 - sift.packages.plaso-tools
 - sift.packages.powershell
 - sift.packages.pv
@@ -146,10 +144,10 @@ include:
 - sift.packages.python3
 - sift.packages.python3-dev
 - sift.packages.python3-dfvfs
+ - sift.packages.python3-evtx
 - sift.packages.python3-fuse
 - sift.packages.python3-pefile
 - sift.packages.python3-pip
- - sift.packages.python3-plaso
 - sift.packages.python3-pypff
 - sift.packages.python3-pytsk3
 - sift.packages.python3-pyqt5
@@ -346,8 +344,6 @@ sift-packages:
 - sls: sift.packages.pff-tools
 - sls: sift.packages.phonon
 - sls: sift.packages.pkg-config
- - sls: sift.packages.plaso
- - sls: sift.packages.plaso-data
 - sls: sift.packages.plaso-tools
 - sls: sift.packages.powershell
 - sls: sift.packages.pv
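Review bot: Removing `sift.packages.python3-plaso` from both the include list and the `sift-packages` require list (this hunk, the two that follow, and the plaso-tools.sls hunk that also drops its require on python3-plaso) leaves no state in this series that installs the plaso Python package itself; `plaso-tools` is still installed with `pkg.latest`, so this only holds together if the GIFT `plaso-tools` package pulls `python3-plaso` in as an apt dependency, which the patch does not show. A one-line comment in plaso-tools.sls stating that assumption would spare the next reader a trip to the repository, e.g. `# python3-plaso is expected to arrive as an apt dependency of plaso-tools; no separate state`. The deleted plaso.sls also took the `sift-package-plaso` aggregator state with it, so any state outside this patch that still requires `sls: sift.packages.plaso` or references the `sift-package-plaso` id will fail to render; worth a grep across the tree before merge.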
@@ -355,10 +351,10 @@ sift-packages:
 - sls: sift.packages.python3
 - sls: sift.packages.python3-dev
 - sls: sift.packages.python3-dfvfs
+ - sls: sift.packages.python3-evtx
 - sls: sift.packages.python3-fuse
 - sls: sift.packages.python3-pefile
 - sls: sift.packages.python3-pip
- - sls: sift.packages.python3-plaso
 - sls: sift.packages.python3-pypff
 - sls: sift.packages.python3-pytsk3
 - sls: sift.packages.python3-pyqt5
diff --git a/sift/packages/plaso-data.sls b/sift/packages/plaso-data.sls
deleted file mode 100644
index f7e0490a..00000000
--- a/sift/packages/plaso-data.sls
+++ /dev/null
@@ -1,8 +0,0 @@
-include:
- - sift.repos.gift
-
-plaso-data:
- pkg.latest:
- - name: plaso-data
- - require:
- - sls: sift.repos.gift
diff --git a/sift/packages/plaso-tools.sls b/sift/packages/plaso-tools.sls
index 86896004..b35a52a0 100644
--- a/sift/packages/plaso-tools.sls
+++ b/sift/packages/plaso-tools.sls
@@ -1,10 +1,16 @@
+# Name: plaso
+# Website: https://github.com/log2timeline/plaso
+# Description: Python-based tool to create a timeline based on several sources
+# Category:
+# Author: Joachim Metz
+# License: Apache License 2.0 (https://github.com/log2timeline/plaso/blob/main/LICENSE)
+# Notes: psteal, psort, log2timeline
+
 include:
 - sift.repos.gift
- - sift.packages.python3-plaso
 
-plaso-tools:
+sift-packages-plaso-tools:
 pkg.latest:
 - name: plaso-tools
 - require:
 - sls: sift.repos.gift
- - sls: sift.packages.python3-plaso
diff --git a/sift/packages/plaso.sls b/sift/packages/plaso.sls
deleted file mode 100644
index 487a6e74..00000000
--- a/sift/packages/plaso.sls
+++ /dev/null
@@ -1,14 +0,0 @@
-include:
- - sift.repos.gift
- - sift.packages.python3-plaso
- - sift.packages.plaso-tools
- - sift.packages.plaso-data
-
-sift-package-plaso:
- test.nop:
- - name: sift-package-plaso
- - require:
- - sls: sift.repos.gift
- - sls: sift.packages.python3-plaso
- - sls: sift.packages.plaso-tools
- - sls: sift.packages.plaso-data
diff --git a/sift/packages/python3-evtx.sls b/sift/packages/python3-evtx.sls
new file mode 100644
index 00000000..20ece35f
--- /dev/null
+++ b/sift/packages/python3-evtx.sls
@@ -0,0 +1,3 @@
+sift-packages-python3-evtx:
+ pkg.installed:
+ - name: python3-evtx
diff --git a/sift/python3-packages/init.sls b/sift/python3-packages/init.sls
index 4d8a3aff..bd64ada9 100644
--- a/sift/python3-packages/init.sls
+++ b/sift/python3-packages/init.sls
@@ -15,7 +15,7 @@ include:
 - sift.python3-packages.pillow
 - sift.python3-packages.pyhindsight
 - sift.python3-packages.python-dateutil
- - sift.python3-packages.python-evtx
+# - sift.python3-packages.python-evtx
 - sift.python3-packages.python-magic
 - sift.python3-packages.python-registry
 - sift.python3-packages.setuptools
@@ -47,7 +47,7 @@ sift-python3-packages:
 - sls: sift.python3-packages.pillow
 - sls: sift.python3-packages.pyhindsight
 - sls: sift.python3-packages.python-dateutil
- - sls: sift.python3-packages.python-evtx
+# - sls: sift.python3-packages.python-evtx
 - sls: sift.python3-packages.python-magic
 - sls: sift.python3-packages.python-registry
 - sls: sift.python3-packages.setuptools
diff --git a/sift/python3-packages/python-evtx.sls b/sift/python3-packages/python-evtx.sls
index f860fa2f..cde132cc 100644
--- a/sift/python3-packages/python-evtx.sls
+++ b/sift/python3-packages/python-evtx.sls
@@ -1,9 +1,19 @@
+# Name: python-evtx
+# Website: https://github.com/williballenthin/python-evtx
+# Description: Pure Python parser for Windows Event Log (.evtx) files
+# Category:
+# Author: Willi Ballenthin
+# License: Apache License 2.0 (https://github.com/williballenthin/python-evtx/blob/master/LICENSE.TXT)
+# Notes: evtx_dates.py, evtx_dump.py, evtx_dump_chunk_slack.py, evtx_dump_json.py, evtx_info.py
+
 include:
 - sift.python3-packages.pip
+ - sift.packages.git
 
 sift-python3-packages-python-evtx:
 pip.installed:
- - name: python-evtx
+ - name: git+https://github.com/williballenthin/python-evtx.git
 - bin_env: /usr/bin/python3
 - require:
 - sls: sift.python3-packages.pip
+ - sls: sift.packages.git
From a164aa50e99cdacf01a4920b11d6748675164b48 Mon Sep 17 00:00:00 2001
From: digitalsleuth
Date: Mon, 19 Feb 2024 00:30:28 +0000
Subject: [PATCH 2/3] Remove python-evtx package, update headers
---
 sift/packages/init.sls | 2 --
 sift/packages/plaso-tools.sls | 2 +-
 sift/packages/python3-evtx.sls | 3 ---
 3 files changed, 1 insertion(+), 6 deletions(-)
 delete mode 100644 sift/packages/python3-evtx.sls
diff --git a/sift/packages/init.sls b/sift/packages/init.sls
index 2ebd4446..88d7267d 100644
--- a/sift/packages/init.sls
+++ b/sift/packages/init.sls
@@ -144,7 +144,6 @@ include:
 - sift.packages.python3
 - sift.packages.python3-dev
 - sift.packages.python3-dfvfs
- - sift.packages.python3-evtx
 - sift.packages.python3-fuse
 - sift.packages.python3-pefile
 - sift.packages.python3-pip
@@ -351,7 +350,6 @@ sift-packages:
 - sls: sift.packages.python3
 - sls: sift.packages.python3-dev
 - sls: sift.packages.python3-dfvfs
- - sls: sift.packages.python3-evtx
 - sls: sift.packages.python3-fuse
 - sls: sift.packages.python3-pefile
 - sls: sift.packages.python3-pip
diff --git a/sift/packages/plaso-tools.sls b/sift/packages/plaso-tools.sls
index b35a52a0..a1232aba 100644
--- a/sift/packages/plaso-tools.sls
+++ b/sift/packages/plaso-tools.sls
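Review bot: The new `- name: git+https://github.com/williballenthin/python-evtx.git` is an unpinned VCS requirement, so the state installs whatever the repository's default branch holds at the moment it runs: two builds of the image can end up with different parser code, and there is no version to record or audit for a forensic tool. Pinning the ref, `- name: git+https://github.com/williballenthin/python-evtx.git@<TAG_OR_COMMIT>`, keeps the fix while making the install reproducible; a commit hash is the stronger choice since tags can be moved. The header should also say why PyPI is no longer used, e.g. `# Notes: installed from git rather than PyPI because of the plaso/python-evtx issue addressed in PATCH 1/3`, and the `# Category:` field is left empty here as in plaso-tools.sls. Whether pip.installed treats an unpinned VCS name as already satisfied on later highstate runs is not visible from the patch, so it is worth confirming the state is idempotent rather than reinstalling every run.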
@@ -9,7 +9,7 @@
 include:
 - sift.repos.gift
 
-sift-packages-plaso-tools:
+sift-package-plaso-tools:
 pkg.latest:
 - name: plaso-tools
 - require:
diff --git a/sift/packages/python3-evtx.sls b/sift/packages/python3-evtx.sls
deleted file mode 100644
index 20ece35f..00000000
--- a/sift/packages/python3-evtx.sls
+++ /dev/null
@@ -1,3 +0,0 @@
-sift-packages-python3-evtx:
- pkg.installed:
- - name: python3-evtx
From c79cb60c799f29445f1179a7c2e30b256954316f Mon Sep 17 00:00:00 2001
From: digitalsleuth
Date: Mon, 19 Feb 2024 01:30:42 +0000
Subject: [PATCH 3/3] Update plaso header
---
 sift/packages/plaso-tools.sls | 2 +-
 sift/python3-packages/init.sls | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sift/packages/plaso-tools.sls b/sift/packages/plaso-tools.sls
index a1232aba..e0afb384 100644
--- a/sift/packages/plaso-tools.sls
+++ b/sift/packages/plaso-tools.sls
@@ -4,7 +4,7 @@
 # Category:
 # Author: Joachim Metz
 # License: Apache License 2.0 (https://github.com/log2timeline/plaso/blob/main/LICENSE)
-# Notes: psteal, psort, log2timeline
+# Notes: psteal.py, psort.py, log2timeline.py
 
 include:
 - sift.repos.gift
diff --git a/sift/python3-packages/init.sls b/sift/python3-packages/init.sls
index bd64ada9..4d8a3aff 100644
--- a/sift/python3-packages/init.sls
+++ b/sift/python3-packages/init.sls
@@ -15,7 +15,7 @@ include:
 - sift.python3-packages.pillow
 - sift.python3-packages.pyhindsight
 - sift.python3-packages.python-dateutil
-# - sift.python3-packages.python-evtx
+ - sift.python3-packages.python-evtx
 - sift.python3-packages.python-magic
 - sift.python3-packages.python-registry
 - sift.python3-packages.setuptools
@@ -47,7 +47,7 @@ sift-python3-packages:
 - sls: sift.python3-packages.pillow
 - sls: sift.python3-packages.pyhindsight
 - sls: sift.python3-packages.python-dateutil
-# - sls: sift.python3-packages.python-evtx
+ - sls: sift.python3-packages.python-evtx
 - sls: sift.python3-packages.python-magic
 - sls: sift.python3-packages.python-registry
 - sls: sift.python3-packages.setuptools