Log2Timeline / Plaso

Docker:

alias plaso='docker run -v /IMAGE&OUTPUT/PATH:/data log2timeline/plaso' # mount the directory holding the image and output as /data
plaso log2timeline --storage-file /data/evidence.plaso /data/
plaso psort.py -o dynamic -w /data/registrar.csv /data/evidence.plaso # psort reads the storage file, not --source
plaso psteal.py --source /data/image.raw -o dynamic -w /data/registrar.csv

Log2Timeline

Used to extract events from a group of files, a mount point or a forensic image and save the results in a Plaso storage file.

--storage-file # plaso output e.g. /data/out.plaso
<source> # path to folder or image
--timezone <tz> # timezone of the system being investigated
--parsers list # list available parsers
--parsers "<parser>" # use specific parsers e.g. "win7,!filestat" runs the win7 preset only and also excludes (!) filestat
--file_filter <filter_file> # list of files to parse on the machine - speeds up timeline creation
log2timeline.py --storage-file <storage file> <source>

Psteal

psteal = log2timeline & psort

docker run -v /root/eventlogs/:/data log2timeline/plaso log2timeline --storage-file /data/evidence.plaso /data/

Pinfo

The plaso storage file contains a variety of information about how and when the collection took place, and may contain info from the preprocessing stage.

pinfo.py out.plaso

Psort

Post-processing tool used to filter, sort and process a plaso storage file.

--output-time-zone <ZONE> # converts stored times to the specified time zone
-o <format> # choose output format (default: dynamic); elastic_ts: elastic used with timesketch, json, xlsx, l2tcsv: traditional CSV, opensearch: sends results into an opensearch database
-w <FILE> # name of output file to be written
FILTER # filters events - e.g. date > datetime('2023-01-01T00:00:00') AND date < datetime('2023-01-27T00:00:00')

psort.py --output-time-zone 'UTC' -o <format> -w <timeline.csv> <out.plaso> "<FILTER>"
psort.py --output-time-zone 'UTC' -o l2tcsv -w timeline.csv out.plaso "date > datetime('2023-01-01T00:00:00') AND date < datetime('2023-01-27T00:00:00')"
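Once psort has written an l2tcsv timeline, the same date window can be re-applied offline when triaging the CSV. The following is an added example, not Plaso's own code: it parses a constructed l2tcsv excerpt (the 17-column layout and MM/DD/YYYY date format used here are assumptions about the l2tcsv output written with --output-time-zone 'UTC'), applies the strict date window from the FILTER above, and counts events per source column.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed l2tcsv excerpt (not real psort output). Assumed column layout:
# date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,
# version,filename,inode,notes,format,extra with MM/DD/YYYY dates in UTC.
SAMPLE_L2TCSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
12/30/2022,23:59:10,UTC,M...,FILE,OS Last Modification Time,Content Modification Time,-,WS01,C:\Windows\System32\cmd.exe,C:\Windows\System32\cmd.exe Type: file,2,/data/image.raw,-,-,filestat,-
01/05/2023,08:12:44,UTC,...B,EVT,WinEVTX,Creation Time,-,WS01,[4624 / 0x1210] Logon success,[4624 / 0x1210] Source Name: Microsoft-Windows-Security-Auditing,2,/data/image.raw,-,-,winevtx,-
01/10/2023,13:02:01,UTC,MACB,FILE,OS Last Access Time,Last Access Time,-,WS01,C:\Users\alice\Downloads\invoice.pdf,C:\Users\alice\Downloads\invoice.pdf Type: file,2,/data/image.raw,-,-,filestat,-
01/26/2023,22:15:00,UTC,M...,REG,Registry Key,Content Modification Time,-,WS01,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,[HKCU\...\Run] Updater: C:\Users\alice\AppData\Roaming\upd.exe,2,/data/image.raw,-,-,winreg/winreg_default,-
01/27/2023,00:00:00,UTC,...B,EVT,WinEVTX,Creation Time,-,WS01,[7045 / 0x1b85] Service installed,[7045 / 0x1b85] Source Name: Service Control Manager,2,/data/image.raw,-,-,winevtx,-
"""


def parse_l2tcsv(text):
    """Parse l2tcsv text into row dicts, adding a tz-aware 'timestamp' key."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # This example assumes psort was run with --output-time-zone 'UTC';
        # any other zone would need a proper tz conversion here.
        if row["timezone"] != "UTC":
            raise ValueError("expected UTC timestamps, got %s" % row["timezone"])
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        row["timestamp"] = stamp.replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def parse_iso_utc(text):
    """Parse the ISO form used in the psort filter, e.g. 2023-01-01T00:00:00."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def filter_window(events, start_iso, end_iso):
    """Equivalent of: date > datetime(start) AND date < datetime(end).

    Both bounds are strict, matching the psort FILTER on this page, so an
    event exactly at the end timestamp is excluded.
    """
    start, end = parse_iso_utc(start_iso), parse_iso_utc(end_iso)
    return [event for event in events if start < event["timestamp"] < end]


def source_counts(events):
    """Tally events per l2tcsv 'source' column (FILE, EVT, REG, ...)."""
    return Counter(event["source"] for event in events)


if __name__ == "__main__":
    timeline = parse_l2tcsv(SAMPLE_L2TCSV)
    hits = filter_window(timeline, "2023-01-01T00:00:00", "2023-01-27T00:00:00")
    print("%d of %d events inside the window" % (len(hits), len(timeline)))
    for source, count in sorted(source_counts(hits).items()):
        print("  %-5s %d" % (source, count))
    for event in hits:
        print(event["timestamp"].isoformat(), event["source"], event["short"])
```

The boundary row at 01/27/2023 00:00:00 is dropped because the page's filter uses `<` rather than `<=`; widen the end bound by a second if the last instant matters.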

Filter Files

Limit the target set of inputs; useful for speed in DFIR.

# Txt based file filters:
/(Users|Documents and Settings)/.+/NTUSER.DAT # looks for ntuser.dat
{systemroot}/System32/winevt/Logs/.+[.]evtx # collects all event logs ({systemroot} expands to the Windows directory)

# YAML based file filters:
description: Exclude Windows log file
type: exclude
path_separator: '\'
paths:
- '%SystemRoot%\\System32\\Config\\.+[.]evt'
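A filter line with a wrong path matches nothing and silently shrinks the timeline, so it pays to dry-run the filter against a listing of the mounted image before a long collection. The following is an added example, not Plaso's own matcher: it covers the text-based format only, treats each '/'-separated segment as a regular expression that must match one path segment, expands '{systemroot}' to a value supplied by the caller (the value 'Windows' and case-insensitive matching are this example's assumptions), and reports both the paths selected and the filter lines that selected nothing. The path listing and the deliberately mis-specified last filter line are constructed.

```python
import re

# Constructed filter lines in the text filter-file style shown above.
# The last line is deliberately wrong (System32 is missing) so that the
# unused-filter check below has something to flag.
FILTER_LINES = [
    "/(Users|Documents and Settings)/.+/NTUSER.DAT",
    "{systemroot}/System32/winevt/Logs/.+[.]evtx",
    "{systemroot}/System32/config/(SAM|SYSTEM|SOFTWARE|SECURITY)",
    "{systemroot}/winevt/Logs/.+[.]evtx",
]

# Constructed listing of paths as they might appear inside a mounted image.
SAMPLE_PATHS = [
    "/Users/alice/NTUSER.DAT",
    "/Users/alice/AppData/Local/Temp/report.docx",
    "/Windows/System32/winevt/Logs/Security.evtx",
    "/Windows/System32/winevt/Logs/System.evtx",
    "/Windows/System32/config/SYSTEM",
    "/Windows/System32/drivers/etc/hosts",
    "/Documents and Settings/bob/NTUSER.DAT",
]

# Assumed placeholder value; Plaso fills this from its preprocessing stage.
PLACEHOLDERS = {"systemroot": "Windows"}


def expand_placeholders(line, values):
    """Replace {name} tokens with the supplied preprocessing values."""
    for name, value in values.items():
        line = line.replace("{%s}" % name, value)
    return line


def compile_filter(line, values):
    """Turn one filter line into a list of per-segment compiled regexes."""
    expanded = expand_placeholders(line, values).strip("/")
    # Case-insensitive because NTFS paths are; this is the example's choice.
    return [re.compile(segment, re.IGNORECASE) for segment in expanded.split("/")]


def path_matches(path, segment_patterns):
    """A path matches when it has the same depth and every segment fullmatches."""
    parts = path.strip("/").split("/")
    if len(parts) != len(segment_patterns):
        return False
    return all(pattern.fullmatch(part) for pattern, part in zip(segment_patterns, parts))


def select_paths(paths, filter_lines, values):
    """Map each selected path to the first filter line that selected it."""
    compiled = [(line, compile_filter(line, values)) for line in filter_lines]
    selected = {}
    for path in paths:
        for line, segments in compiled:
            if path_matches(path, segments):
                selected[path] = line
                break
    return selected


def unused_filters(paths, filter_lines, values):
    """Return filter lines that select no path at all (likely typos)."""
    unused = []
    for line in filter_lines:
        segments = compile_filter(line, values)
        if not any(path_matches(path, segments) for path in paths):
            unused.append(line)
    return unused


if __name__ == "__main__":
    selected = select_paths(SAMPLE_PATHS, FILTER_LINES, PLACEHOLDERS)
    for path, line in selected.items():
        print("%-50s <- %s" % (path, line))
    for line in unused_filters(SAMPLE_PATHS, FILTER_LINES, PLACEHOLDERS):
        print("WARNING: filter line selects nothing: %s" % line)
```

Because `.+` is applied per segment, `/Users/.+/NTUSER.DAT` selects `/Users/alice/NTUSER.DAT` but not a deeper file under the profile; that is the behaviour to expect from segment-wise matching and the reason a quick dry run before collection is worthwhile.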

YARA rules can be used to scan plaso timelines / collected files for malicious or bad behavior.
