Plaso (log2timeline)

Overview

Plaso (log2timeline) is a Python-based, cross-platform forensic timeline tool that creates super timelines by parsing and correlating logs, artifacts, and metadata from various digital sources. It processes thousands of log files, browser histories, system artifacts, and application data to build comprehensive timelines for forensic investigations and incident response.

Installation

Linux (Debian/Ubuntu)

sudo apt-get install plaso-tools
sudo apt-get install python3-plaso

Fedora/RHEL

sudo dnf install plaso

macOS

brew install plaso

Windows

Download the installer from the official Plaso GitHub repository or use Python pip.

From Source (Cross-Platform)

git clone https://github.com/log2timeline/plaso.git
cd plaso
pip3 install -r requirements.txt
python3 setup.py install

Core Concepts

What is a Super Timeline?

A super timeline is a single, comprehensive timeline that combines events from multiple sources on a system, ordered chronologically. This provides investigators with a unified view of system activity.

Supported Parsers

Plaso includes parsers for:

• Windows Event Logs (.evtx)
• Syslog files
• Apache/Nginx web server logs
• Browser history and cookies
• File system metadata
• Application logs
• Memory artifacts
• Registry hives

Basic Commands

Extract Timeline from a Source

log2timeline.py output_timeline.plaso /path/to/source

Extract from Specific Data Source (Image/Device)

log2timeline.py -o case_timeline.plaso /mnt/image/mount/point

Parse Specific File Type

log2timeline.py -p [parser_name] output.plaso /path/to/file

List Available Parsers

log2timeline.py --parsers
log2timeline.py --parsers=list

Extract with Specific Storage Format

log2timeline.py -o sqlite output.db /source/path
log2timeline.py -o elastic-search /source/path

Creating Timelines

Command	Description
log2timeline.py output.plaso /source	Create timeline from source directory
log2timeline.py -r output.plaso /source	Recursive parsing of all subdirectories
log2timeline.py -o json output.json /source	Output in JSON format
log2timeline.py -o csv output.csv /source	Output in CSV format for spreadsheet analysis
log2timeline.py -z UTC output.plaso /source	Specify timezone for time conversion
log2timeline.py -p win_registry output.plaso /windows/registry	Parse only Windows registry
log2timeline.py --hasher_file=/path output.plaso /source	Include file hash analysis

Advanced Parsing Options

Single Parser Extraction

log2timeline.py -p chrome output.plaso /source
log2timeline.py -p firefox output.plaso /source
log2timeline.py -p syslog output.plaso /var/log

Exclude File Types

log2timeline.py --filter '\.zip$' output.plaso /source

Process with Specific Worker Count

log2timeline.py -w 4 output.plaso /source

Verbose Output During Parsing

log2timeline.py -v output.plaso /source
log2timeline.py --debug output.plaso /source

Timeline Analysis with Psort

Psort is the timeline analysis tool that reads Plaso output and generates human-readable reports.

Basic Psort Usage

psort.py output.plaso
psort.py -o dynamic output.plaso

Filter Timeline Events

psort.py -f "date >= '2024-01-01 00:00:00' AND date <= '2024-12-31 23:59:59'" output.plaso
psort.py -f "source_short == 'LOG'" output.plaso

Output Formats

Command	Output Format
psort.py output.plaso	Default text format
psort.py -o json output.json output.plaso	JSON output
psort.py -o csv output.csv output.plaso	CSV format
psort.py -o elastic-search output.plaso	Elasticsearch bulk import
psort.py -o html report.html output.plaso	HTML report
psort.py -o sqlite output.db output.plaso	SQLite database

Advanced Filtering

# Filter by source
psort.py -f "source_short == 'EVT'" output.plaso

# Filter by message content
psort.py -f "message CONTAINS 'login'" output.plaso

# Filter by username
psort.py -f "username == 'Administrator'" output.plaso

# Date range filtering
psort.py -f "date >= '2024-01-15 08:00:00'" output.plaso

# Multiple conditions
psort.py -f "date >= '2024-01-01' AND source_short == 'LOG'" output.plaso

Sort Options

psort.py -s date output.plaso
psort.py -s source output.plaso
psort.py -s date,source output.plaso

Forensic Investigation Workflow

Step 1: Mount and Examine Evidence

sudo mount -o ro /dev/sdX /mnt/evidence
log2timeline.py -r case.plaso /mnt/evidence

Step 2: Parse Timeline

log2timeline.py -r -w 8 case.plaso /mnt/evidence

Step 3: Analyze and Filter

psort.py -f "date >= '2024-01-20 00:00:00'" case.plaso

Step 4: Generate Report

psort.py -o html investigation_report.html case.plaso

Step 5: Export for Further Analysis

psort.py -o csv timeline.csv case.plaso

Disk Image Analysis

From Forensic Image (E01/DD)

log2timeline.py -r mounted_image.plaso /mnt/ewf_mount

With EWF Tools (EnCase Images)

ewfmount /path/to/image.E01 /mnt/ewf
log2timeline.py -r case.plaso /mnt/ewf/ewf1

Windows Registry Analysis

log2timeline.py -p win_registry case.plaso /mnt/evidence/Windows/System32/config

Browser Forensics

Chrome History and Artifacts

log2timeline.py -p chrome case.plaso /mnt/evidence/Users/username/AppData/Local/Google/Chrome

Firefox History

log2timeline.py -p firefox case.plaso /mnt/evidence/Users/username/AppData/Roaming/Mozilla/Firefox

Safari History (macOS)

log2timeline.py -p safari case.plaso /mnt/evidence/Users/username/Library/Safari

Combined Browser Analysis

log2timeline.py -p 'chrome|firefox|safari' case.plaso /source/path

Performance Optimization

Multi-threaded Processing

log2timeline.py -w 8 output.plaso /source
log2timeline.py -w 16 output.plaso /large/dataset

Progress Monitoring

log2timeline.py -v output.plaso /source 2>&1 | tee parsing.log

Process Large Files Efficiently

log2timeline.py -r --no-dedupe output.plaso /source

Output Processing

Convert Between Formats

# PLASO to CSV
psort.py -o csv timeline.csv case.plaso

# PLASO to JSON
psort.py -o json timeline.json case.plaso

# PLASO to SQLite for queries
psort.py -o sqlite timeline.db case.plaso

Query SQLite Timeline

sqlite3 timeline.db "SELECT datetime, source, message FROM events WHERE source LIKE '%LOG%' ORDER BY datetime;"

Grep Timeline Output

psort.py case.plaso | grep -i "logon\|failed\|error"

Incident Response Scenarios

Suspicious Activity Timeline

log2timeline.py -r incident.plaso /evidence
psort.py -f "message CONTAINS 'error' OR message CONTAINS 'failed'" incident.plaso

User Account Activity

psort.py -f "username == 'suspect_user'" case.plaso

File Access Timeline

log2timeline.py -p fswalk case.plaso /evidence
psort.py -f "source_short == 'FILE'" case.plaso

Network Connection Events

psort.py -f "source_short == 'EVT' AND message CONTAINS 'network'" case.plaso

Troubleshooting

Check Parser Support

log2timeline.py --info=parsers | grep -i keyword

Enable Debug Logging

log2timeline.py --debug output.plaso /source

Handle Permission Issues

sudo log2timeline.py -r case.plaso /protected/source

Verify Output

psort.py case.plaso | head -20
file case.plaso

Best Practices

• Always work from copies: Never analyze original evidence directly
• Document your process: Maintain detailed notes on filters and queries used
• Timezone awareness: Use correct timezone settings for accurate timeline analysis
• Multi-source correlation: Combine logs from multiple sources for better accuracy
• Regular backups: Save critical timeline analysis in multiple formats
• Version control: Track Plaso version used for reproducibility
• Validate results: Cross-reference findings with other forensic tools

Related Tools

• Volatility: Memory forensics and analysis
• FTK Imager: Forensic imaging and analysis
• EnCase: Commercial forensic platform
• Autopsy: Digital forensics GUI frontend
• Timeline Explorer: Timeline visualization tool