Used to extract events from a group of files, mount points or a forensic image and save the results in a plaso storage file.
--storage-file <file> # plaso output file, e.g. /data/out.plaso
<source> # path to folder or image
--timezone <tz> # timezone of system being investigated
--parsers list # list parsers
--parsers "<parser>" # use specific parsers or presets, e.g. "win7,!filestat" runs the win7 preset only and also excludes (!) filestat
--file_filter <filter_file> # list of files to parse on the machine - speeds up timeline creation
log2timeline.py --storage-file <storage file> <source>
Psteal
psteal = log2timeline & psort
docker run -v /root/eventlogs/:/data log2timeline/plaso log2timeline --storage-file /data/evidence.plaso /data/
Pinfo
The plaso storage file contains a variety of information about how and when the collection took place; it may also contain information from the preprocessing stage.
pinfo.py out.plaso
Psort
Post-processing tool - used to filter, sort and process a plaso storage file.
--output-time-zone <ZONE> # converts stored times to the specified time zone
-o <format> # choose output format (default: dynamic); elastic_ts: Elasticsearch output used with Timesketch, json, xlsx, l2tcsv: traditional CSV, opensearch: sends results into an OpenSearch database
-w <FILE> # name of output file to be written
FILTER # event filter expression, e.g. date > datetime('2023-01-01T00:00:00') AND date < datetime('2023-01-27T00:00:00')
psort.py --output-time-zone 'UTC' -o l2tcsv -w timeline.csv out.plaso "<FILTER>"
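The date-window filter above is usually applied again once the l2tcsv export is on disk, for example to pull one day out of a large timeline. The following is an added example, not plaso's own code: it builds the same filter string psort expects, parses a constructed l2tcsv fragment (the column layout written by `-o l2tcsv` is assumed: date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra), applies the window with the same strict inequalities, and counts the surviving events by source type. The host name, event text and file paths in the sample are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample in l2tcsv layout (17 columns). One event sits just before
# the window, one exactly on its end bound, and three inside it.
SAMPLE_L2TCSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
12/31/2022,23:59:59,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,[4624] An account was successfully logged on,[4624 / 0x1210] Logon Type: 2,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-
01/03/2023,08:15:02,UTC,...B,REG,Registry Key,Creation Time,-,WS01,[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] updater,[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] updater: C:\Users\bob\updater.exe,2,TSK:/Users/bob/NTUSER.DAT,-,-,winreg/winreg_default,-
01/10/2023,14:20:11,UTC,.A..,FILE,File stat,Last Access Time,-,WS01,C:\Users\bob\updater.exe,C:\Users\bob\updater.exe Type: file,2,TSK:/Users/bob/updater.exe,-,-,filestat,-
01/26/2023,23:59:59,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,[7045] A service was installed in the system,[7045 / 0x1b85] Service Name: updater,2,TSK:/Windows/System32/winevt/Logs/System.evtx,-,-,winevtx,-
01/27/2023,00:00:00,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,[1102] The audit log was cleared,[1102 / 0x44e] Subject: bob,2,TSK:/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-
"""

# Window used for the demonstration (aware UTC datetimes).
WINDOW_START = datetime(2023, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 27, tzinfo=timezone.utc)


def psort_date_filter(start: datetime, end: datetime) -> str:
    """Build the psort FILTER string for an exclusive date window."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (f"date > datetime('{start.strftime(fmt)}') AND "
            f"date < datetime('{end.strftime(fmt)}')")


def parse_l2tcsv(text: str) -> list[dict]:
    """Read l2tcsv rows and attach an aware UTC 'timestamp' to each row.

    The date/time columns are interpreted in the zone named by the timezone
    column, which is whatever --output-time-zone was given to psort.
    """
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(f"{row['date']} {row['time']}",
                                  "%m/%d/%Y %H:%M:%S")
        tz = timezone.utc if row["timezone"] == "UTC" else ZoneInfo(row["timezone"])
        row["timestamp"] = naive.replace(tzinfo=tz).astimezone(timezone.utc)
        events.append(row)
    return events


def in_window(events: list[dict], start: datetime, end: datetime) -> list[dict]:
    """Keep events strictly inside (start, end), matching the psort filter."""
    return [e for e in events if start < e["timestamp"] < end]


def count_by_sourcetype(events: list[dict]) -> Counter:
    """Summarise which artefact types make up the selected events."""
    return Counter(e["sourcetype"] for e in events)


if __name__ == "__main__":
    print(psort_date_filter(WINDOW_START, WINDOW_END))
    selected = in_window(parse_l2tcsv(SAMPLE_L2TCSV), WINDOW_START, WINDOW_END)
    for event in selected:
        print(event["timestamp"].isoformat(), event["sourcetype"], event["short"])
    print(count_by_sourcetype(selected))
```

Because the filter uses strict `<` and `>`, an event stamped exactly on the end bound (the 01/27 log-clear event in the sample) falls outside the window; widen the bound by a second if that edge matters for the case.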
Filter Files
Limit the target set of inputs - useful for speed in DFIR.
# Text-based file filters (one path regex per line):
/(Users|Documents and Settings)/.+/NTUSER.DAT # looks for NTUSER.DAT
{systemroot}/System32/winevt/Logs/.+[.]evtx # collects all event logs (winevt lives under System32)
# YAML based file filters:
description: Exclude Windows Event Log files
type: exclude
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\Config\\.+[.]evt'
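To see which files a filter set will actually hand to the parsers before a long extraction run, it helps to dry-run the include and exclude patterns against a file list. The following is an added example, not plaso's own matching code: it is a simplified re-implementation that expands `{systemroot}` / `%SystemRoot%` to an assumed `\Windows`, normalises the path separator, and applies the page's text include filters followed by the page's YAML exclude filter (held here as a dict so no YAML library is needed) to a constructed list of candidate paths. One extra include line for `System32\config` is constructed so that the exclude has something to act on.

```python
import re

# Assumption for this example: the system root resolves to \Windows, as plaso
# would learn it from preprocessing the Windows volume.
SYSTEM_ROOT = "/Windows"

# Legacy text filter lines: the page's two include filters plus one constructed
# line covering the registry hives, which the exclude filter below narrows.
LEGACY_INCLUDE = [
    "/(Users|Documents and Settings)/.+/NTUSER.DAT",
    "{systemroot}/System32/winevt/Logs/.+[.]evtx",
    "{systemroot}/System32/config/.+",  # constructed for the demonstration
]

# The page's YAML exclude filter, written out as a dict instead of a file.
YAML_EXCLUDE = {
    "description": "Exclude Windows Event Log files",
    "type": "exclude",
    "path_separator": "\\",
    "paths": [r"%SystemRoot%\\System32\\Config\\.+[.]evt"],
}

# Constructed candidate paths as they might appear on an evidence volume.
CANDIDATES = [
    "/Users/bob/NTUSER.DAT",
    "/Users/bob/Downloads/NTUSER.DAT.bak",
    "/Windows/System32/winevt/Logs/Security.evtx",
    "/Windows/System32/winevt/Logs/System.evtx",
    "/Windows/System32/config/SAM",
    "/Windows/System32/config/AppEvent.Evt",
    "/Windows/Temp/Security.evtx",
]


def normalise_pattern(pattern: str, separator: str = "/") -> re.Pattern:
    """Turn a filter line into a compiled, case-insensitive full-path regex."""
    if separator == "\\":
        # In the YAML form the separator is an escaped backslash; fold it to '/'.
        pattern = pattern.replace("\\\\", "/")
    pattern = pattern.replace("{systemroot}", SYSTEM_ROOT)
    pattern = re.sub(r"%SystemRoot%", SYSTEM_ROOT, pattern, flags=re.IGNORECASE)
    return re.compile(pattern, re.IGNORECASE)


def select_files(candidates: list[str], includes: list[str],
                 exclude_filter: dict) -> list[str]:
    """Return the paths that match an include filter and no exclude filter."""
    inc = [normalise_pattern(p) for p in includes]
    exc = [normalise_pattern(p, exclude_filter["path_separator"])
           for p in exclude_filter["paths"]]
    selected = []
    for path in candidates:
        norm = path.replace("\\", "/")
        if not any(r.fullmatch(norm) for r in inc):
            continue  # never collected: no include pattern matched
        if any(r.fullmatch(norm) for r in exc):
            continue  # collected by an include, then dropped by the exclude
        selected.append(path)
    return selected


if __name__ == "__main__":
    for path in select_files(CANDIDATES, LEGACY_INCLUDE, YAML_EXCLUDE):
        print("collect:", path)
```

Two details of the matching are worth noticing in the output: `NTUSER.DAT.bak` is not collected because patterns match the whole path, and `AppEvent.Evt` is dropped while the `.evtx` logs survive because `[.]evt` does not match a trailing `evtx`.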
YARA rules to scan plaso timelines for malicious / bad behaviour