Plaso (log2timeline)
Overview
Plaso (log2timeline) is a Python-based, cross-platform forensic timeline tool that creates super timelines by parsing and correlating logs, artifacts, and metadata from various digital sources. It processes thousands of log files, browser histories, system artifacts, and application data to build comprehensive timelines for forensic investigations and incident response.
Installation
Linux (Debian/Ubuntu)
sudo apt-get install plaso-tools
sudo apt-get install python3-plasoFedora/RHEL
sudo dnf install plasomacOS
brew install plasoWindows
Download the installer from the official Plaso GitHub repository or use Python pip.
From Source (Cross-Platform)
git clone https://github.com/log2timeline/plaso.git
cd plaso
pip3 install -r requirements.txt
python3 setup.py installCore Concepts
What is a Super Timeline?
A super timeline is a single, comprehensive timeline that combines events from multiple sources on a system, ordered chronologically. This provides investigators with a unified view of system activity.
Supported Parsers
Plaso includes parsers for:
- Windows Event Logs (.evtx)
- Syslog files
- Apache/Nginx web server logs
- Browser history and cookies
- File system metadata
- Application logs
- Memory artifacts
- Registry hives
Basic Commands
Extract Timeline from a Source
log2timeline.py output_timeline.plaso /path/to/sourceExtract from Specific Data Source (Image/Device)
log2timeline.py -o case_timeline.plaso /mnt/image/mount/pointParse Specific File Type
log2timeline.py -p [parser_name] output.plaso /path/to/fileList Available Parsers
log2timeline.py --parsers
log2timeline.py --parsers=listExtract with Specific Storage Format
log2timeline.py -o sqlite output.db /source/path
log2timeline.py -o elastic-search /source/pathCreating Timelines
| Command | Description |
|---|---|
log2timeline.py output.plaso /source | Create timeline from source directory |
log2timeline.py -r output.plaso /source | Recursive parsing of all subdirectories |
log2timeline.py -o json output.json /source | Output in JSON format |
log2timeline.py -o csv output.csv /source | Output in CSV format for spreadsheet analysis |
log2timeline.py -z UTC output.plaso /source | Specify timezone for time conversion |
log2timeline.py -p win_registry output.plaso /windows/registry | Parse only Windows registry |
log2timeline.py --hasher_file=/path output.plaso /source | Include file hash analysis |
Advanced Parsing Options
Single Parser Extraction
log2timeline.py -p chrome output.plaso /source
log2timeline.py -p firefox output.plaso /source
log2timeline.py -p syslog output.plaso /var/logExclude File Types
log2timeline.py --filter '\.zip$' output.plaso /sourceProcess with Specific Worker Count
log2timeline.py -w 4 output.plaso /sourceVerbose Output During Parsing
log2timeline.py -v output.plaso /source
log2timeline.py --debug output.plaso /sourceTimeline Analysis with Psort
Psort is the timeline analysis tool that reads Plaso output and generates human-readable reports.
Basic Psort Usage
psort.py output.plaso
psort.py -o dynamic output.plasoFilter Timeline Events
psort.py -f "date >= '2024-01-01 00:00:00' AND date <= '2024-12-31 23:59:59'" output.plaso
psort.py -f "source_short == 'LOG'" output.plasoOutput Formats
| Command | Output Format |
|---|---|
psort.py output.plaso | Default text format |
psort.py -o json output.json output.plaso | JSON output |
psort.py -o csv output.csv output.plaso | CSV format |
psort.py -o elastic-search output.plaso | Elasticsearch bulk import |
psort.py -o html report.html output.plaso | HTML report |
psort.py -o sqlite output.db output.plaso | SQLite database |
Advanced Filtering
# Filter by source
psort.py -f "source_short == 'EVT'" output.plaso
# Filter by message content
psort.py -f "message CONTAINS 'login'" output.plaso
# Filter by username
psort.py -f "username == 'Administrator'" output.plaso
# Date range filtering
psort.py -f "date >= '2024-01-15 08:00:00'" output.plaso
# Multiple conditions
psort.py -f "date >= '2024-01-01' AND source_short == 'LOG'" output.plasoSort Options
psort.py -s date output.plaso
psort.py -s source output.plaso
psort.py -s date,source output.plasoForensic Investigation Workflow
Step 1: Mount and Examine Evidence
sudo mount -o ro /dev/sdX /mnt/evidence
log2timeline.py -r case.plaso /mnt/evidenceStep 2: Parse Timeline
log2timeline.py -r -w 8 case.plaso /mnt/evidenceStep 3: Analyze and Filter
psort.py -f "date >= '2024-01-20 00:00:00'" case.plasoStep 4: Generate Report
psort.py -o html investigation_report.html case.plasoStep 5: Export for Further Analysis
psort.py -o csv timeline.csv case.plasoDisk Image Analysis
From Forensic Image (E01/DD)
log2timeline.py -r mounted_image.plaso /mnt/ewf_mountWith EWF Tools (EnCase Images)
ewfmount /path/to/image.E01 /mnt/ewf
log2timeline.py -r case.plaso /mnt/ewf/ewf1Windows Registry Analysis
log2timeline.py -p win_registry case.plaso /mnt/evidence/Windows/System32/configBrowser Forensics
Chrome History and Artifacts
log2timeline.py -p chrome case.plaso /mnt/evidence/Users/username/AppData/Local/Google/ChromeFirefox History
log2timeline.py -p firefox case.plaso /mnt/evidence/Users/username/AppData/Roaming/Mozilla/FirefoxSafari History (macOS)
log2timeline.py -p safari case.plaso /mnt/evidence/Users/username/Library/SafariCombined Browser Analysis
log2timeline.py -p 'chrome|firefox|safari' case.plaso /source/pathPerformance Optimization
Multi-threaded Processing
log2timeline.py -w 8 output.plaso /source
log2timeline.py -w 16 output.plaso /large/datasetProgress Monitoring
log2timeline.py -v output.plaso /source 2>&1 | tee parsing.logProcess Large Files Efficiently
log2timeline.py -r --no-dedupe output.plaso /sourceOutput Processing
Convert Between Formats
# PLASO to CSV
psort.py -o csv timeline.csv case.plaso
# PLASO to JSON
psort.py -o json timeline.json case.plaso
# PLASO to SQLite for queries
psort.py -o sqlite timeline.db case.plasoQuery SQLite Timeline
sqlite3 timeline.db "SELECT datetime, source, message FROM events WHERE source LIKE '%LOG%' ORDER BY datetime;"Grep Timeline Output
psort.py case.plaso | grep -i "logon\|failed\|error"Incident Response Scenarios
Suspicious Activity Timeline
log2timeline.py -r incident.plaso /evidence
psort.py -f "message CONTAINS 'error' OR message CONTAINS 'failed'" incident.plasoUser Account Activity
psort.py -f "username == 'suspect_user'" case.plasoFile Access Timeline
log2timeline.py -p fswalk case.plaso /evidence
psort.py -f "source_short == 'FILE'" case.plasoNetwork Connection Events
psort.py -f "source_short == 'EVT' AND message CONTAINS 'network'" case.plasoTroubleshooting
Check Parser Support
log2timeline.py --info=parsers | grep -i keywordEnable Debug Logging
log2timeline.py --debug output.plaso /sourceHandle Permission Issues
sudo log2timeline.py -r case.plaso /protected/sourceVerify Output
psort.py case.plaso | head -20
file case.plasoBest Practices
- Always work from copies: Never analyze original evidence directly
- Document your process: Maintain detailed notes on filters and queries used
- Timezone awareness: Use correct timezone settings for accurate timeline analysis
- Multi-source correlation: Combine logs from multiple sources for better accuracy
- Regular backups: Save critical timeline analysis in multiple formats
- Version control: Track Plaso version used for reproducibility
- Validate results: Cross-reference findings with other forensic tools
Related Tools
- Volatility: Memory forensics and analysis
- FTK Imager: Forensic imaging and analysis
- EnCase: Commercial forensic platform
- Autopsy: Digital forensics GUI frontend
- Timeline Explorer: Timeline visualization tool