Log2Timeline / Plaso

Docker:

alias plaso='docker run --rm -v /IMAGE&OUTPUT/PATH:/data log2timeline/plaso'   # host dir holding the image and the outputs, seen as /data inside the container (aliases only expand in interactive shells; use a shell function in scripts)
plaso log2timeline --storage-file /data/evidence.plaso /data/image.raw   # extract events into a storage file
plaso psort.py -o dynamic -w /data/registrar.csv /data/evidence.plaso   # sort/format the storage file; psort takes the storage file as argument, not --source
plaso psteal.py --source /data/image.raw -o dynamic -w /data/registrar.csv   # extraction + sorting in one go

Log2Timeline

Extracts events from a set of files, a mount point or a forensic image and saves them in a Plaso storage file (.plaso), which pinfo, psort and psteal then consume.

--storage-file <file> # Plaso storage file to write, e.g. /data/out.plaso (keep it outside the source directory so it is not ingested itself)
<source> # path to a file, folder, mount point or image
--timezone <tz> # time zone of the system being investigated; overrides what preprocessing reads from the registry
--parsers list # list available parsers and presets
--parsers "<parser>" # run only the given parsers/presets, e.g. "win7,!filestat" runs the win7 preset and excludes (!) filestat
--file_filter <filter_file> # collection filter: only the paths listed in the file (one per line, * wildcards) are collected and parsed - far faster than a full image
log2timeline.py --storage-file <storage file> <source>
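The collection-filter plus log2timeline run described above, as an added example that is not part of the original notes or of the plaso project. It assumes (my assumptions, not the page's) that the image sits in $EVIDENCE_DIR on the host, mounted as /data in the container, and that the image file name is passed as the first argument; the filter paths are a typical Windows triage set, not a list from the page.

```shell
#!/bin/sh
# Added example, not from the original notes: write a collection filter file
# and run log2timeline through the Docker image, then show what pinfo reports.
# Assumptions (not from the page): the image lives in $EVIDENCE_DIR on the
# host, mounted at /data in the container; the image file name is passed as $1.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-$PWD/evidence}"   # assumed host directory

# Aliases are not expanded in non-interactive shells, so use a function
# instead of the alias from the notes.
plaso() {
    docker run --rm -v "$EVIDENCE_DIR:/data" log2timeline/plaso "$@"
}

# Collection filter: one path per line relative to the volume root, '#'
# comments and '*' wildcards allowed. Case must match the file system as
# dfVFS sees it. This is a typical Windows triage set, adjust per case.
write_filter_file() {
    cat > "$1" <<'EOF'
# registry hives
/Windows/System32/config/SAM
/Windows/System32/config/SECURITY
/Windows/System32/config/SOFTWARE
/Windows/System32/config/SYSTEM
/Users/*/NTUSER.DAT
/Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat
# event logs, prefetch and NTFS metadata
/Windows/System32/winevt/Logs/*.evtx
/Windows/Prefetch/*.pf
/Windows/$Extend/$UsnJrnl
/$MFT
EOF
}

# Number of path entries (non-comment lines) in a filter file.
filter_entries() {
    grep -c -v '^#' "$1"
}

# Only runs when an image name is given: ./timeline.sh image.raw
if [ $# -ge 1 ]; then
    write_filter_file "$EVIDENCE_DIR/filter.txt"
    echo "collecting $(filter_entries "$EVIDENCE_DIR/filter.txt") path patterns from $1"
    # win7 preset without filestat, restricted to the filter file paths;
    # the storage file is written next to the image, not inside a source dir
    plaso log2timeline.py --storage-file "/data/$1.plaso" \
        --parsers "win7,!filestat" \
        --file_filter /data/filter.txt \
        "/data/$1"
    plaso pinfo.py -v "/data/$1.plaso"
fi
```

Without an argument the script only defines the helpers, so the filter file can be generated and inspected before committing to a long extraction; with an image name it writes the filter, runs the extraction and prints the pinfo summary (parsers used, preprocessing results, event counts) for the resulting storage file.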

Psteal

psteal = log2timeline + psort in a single run: extracts events from --source and writes the sorted timeline straight to -w in the -o format, without a separate psort step.

docker run --rm -v /root/eventlogs/:/data log2timeline/plaso psteal.py --source /data/ -o dynamic -w /data/timeline.csv

Pinfo

Prints what a Plaso storage file records about the extraction: how and when it ran (plaso version, command line, parsers used), the preprocessing results (hostname, time zone, users) and event counts per parser. pinfo.py -v <storage file> for the detailed view.

Psort

Post-processing tool: sorts, filters and formats the events in a Plaso storage file into a timeline. -o <format> selects the output module (l2tcsv, dynamic, json, ...; -o list shows all), -w the output file; an optional event filter expression after the storage file limits the events, e.g. "date > '2023-05-01 00:00:00' AND date < '2023-05-02 00:00:00'".

Filter Files

Collection filter file for log2timeline --file_filter: one path per line, # comments, * wildcards (e.g. /Users/*/NTUSER.DAT). Limits the target set of inputs to the artifacts that matter - a big speed-up on DFIR triage, at the cost of losing events from files that are not listed.

Finding malicious / bad behaviour: log2timeline can run Yara rules over the collected files (--yara_rules <rules file>), psort can tag events from a tagging file (--analysis tagging --tagging-file tag_windows.txt), and the exported CSV timeline can simply be grepped with regexes for known-bad patterns.
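The psort step and the regex triage of the resulting timeline described in the Psort and Filter Files sections, as one added example that is not part of the original notes or of the plaso project. Assumptions (mine, not the page's): the storage file name is passed as the first argument and lives in $EVIDENCE_DIR on the host, mounted at /data; the regex list is a hypothetical triage set; and the sample timeline is constructed here in the layout of psort's dynamic output so the triage can be tried without a real storage file.

```shell
#!/bin/sh
# Added example, not from the original notes: run psort over a storage file
# with a date filter, then grep the CSV timeline for known-bad patterns.
# Assumptions (not from the page): the storage file name passed as $1 lives
# in $EVIDENCE_DIR (host), mounted at /data; the regex list and the sample
# timeline are constructed here for illustration.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-$PWD/evidence}"

plaso() {
    docker run --rm -v "$EVIDENCE_DIR:/data" log2timeline/plaso "$@"
}

# Hypothetical triage regexes (grep -E, case-insensitive): executables in a
# user's Temp, encoded PowerShell, Run-key persistence. Extend per case.
write_patterns() {
    cat > "$1" <<'EOF'
AppData\\Local\\Temp\\[^ ]+\.exe
-EncodedCommand|-enc[[:space:]]
CurrentVersion\\Run
EOF
}

# Print the timeline rows matching any pattern (header row dropped).
triage_timeline() {     # $1 = CSV timeline, $2 = pattern file
    tail -n +2 "$1" | grep -i -E -f "$2" || true
}

# Number of matching rows.
suspicious_count() {
    triage_timeline "$1" "$2" | grep -c . || true
}

# Constructed sample in the layout of psort's dynamic output (header plus
# four rows), used when no storage file is given.
sample_timeline() {
    cat > "$1" <<'EOF'
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
2023-05-01T10:15:00+00:00,Creation Time,FILE,NTFS USN change,C:\Users\bob\AppData\Local\Temp\svchost.exe USN_REASON_FILE_CREATE,usnjrnl,TSK:/Windows/$Extend/$UsnJrnl,
2023-05-01T10:16:02+00:00,Content Modification Time,LOG,WinEVTX,[4688 / 0x1250] powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA,winevtx,TSK:/Windows/System32/winevt/Logs/Security.evtx,
2023-05-01T10:20:00+00:00,Last Written Time,REG,Registry Key,[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Updater: C:\Users\bob\AppData\Local\Temp\svchost.exe,winreg/windows_run,TSK:/Users/bob/NTUSER.DAT,
2023-05-01T11:00:00+00:00,Content Modification Time,FILE,NTFS USN change,C:\Windows\System32\notepad.exe USN_REASON_DATA_OVERWRITE,usnjrnl,TSK:/Windows/$Extend/$UsnJrnl,
EOF
}

if [ $# -ge 1 ]; then
    # Sorted dynamic CSV limited to one day via a plaso event filter expression.
    plaso psort.py -o dynamic -w /data/timeline.csv "/data/$1" \
        "date > '2023-05-01 00:00:00' AND date < '2023-05-02 00:00:00'"
    write_patterns "$EVIDENCE_DIR/patterns.txt"
    triage_timeline "$EVIDENCE_DIR/timeline.csv" "$EVIDENCE_DIR/patterns.txt"
else
    # Demo on the constructed sample: three of the four rows are flagged,
    # the benign notepad.exe overwrite is not.
    tmp=$(mktemp -d)
    sample_timeline "$tmp/timeline.csv"
    write_patterns "$tmp/patterns.txt"
    triage_timeline "$tmp/timeline.csv" "$tmp/patterns.txt"
    rm -r "$tmp"
fi
```

The grep pass is deliberately crude: it is a first cut over the flat CSV that surfaces the dropped binary, its Run-key persistence and the encoded PowerShell launch in seconds, after which the matching rows are pivoted on in the full timeline. Patterns with backslashes are doubled in the pattern file because grep -E treats a single backslash as an escape.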
