Plaso (log2timeline)
Overview
Seção intitulada “Overview”Plaso (log2timeline) is a Python-based, cross-platform forensic timeline tool that creates super timelines by parsing and correlating logs, artifacts, and metadata from various digital sources. It processes thousands of log files, browser histories, system artifacts, and application data to build comprehensive timelines for forensic investigations and incident response.
Installation
Seção intitulada “Installation”Linux (Debian/Ubuntu)
Seção intitulada “Linux (Debian/Ubuntu)”sudo apt-get install plaso-tools
sudo apt-get install python3-plasoFedora/RHEL
Seção intitulada “Fedora/RHEL”sudo dnf install plasobrew install plasoWindows
Seção intitulada “Windows”Download the installer from the official Plaso GitHub repository or use Python pip.
From Source (Cross-Platform)
Seção intitulada “From Source (Cross-Platform)”git clone https://github.com/log2timeline/plaso.git
cd plaso
pip3 install -r requirements.txt
python3 setup.py installCore Concepts
Seção intitulada “Core Concepts”What is a Super Timeline?
Seção intitulada “What is a Super Timeline?”A super timeline is a single, comprehensive timeline that combines events from multiple sources on a system, ordered chronologically. This provides investigators with a unified view of system activity.
Supported Parsers
Seção intitulada “Supported Parsers”Plaso includes parsers for:
- Windows Event Logs (.evtx)
- Syslog files
- Apache/Nginx web server logs
- Browser history and cookies
- File system metadata
- Application logs
- Memory artifacts
- Registry hives
Basic Commands
Seção intitulada “Basic Commands”Extract Timeline from a Source
Seção intitulada “Extract Timeline from a Source”log2timeline.py output_timeline.plaso /path/to/sourceExtract from Specific Data Source (Image/Device)
Seção intitulada “Extract from Specific Data Source (Image/Device)”log2timeline.py -o case_timeline.plaso /mnt/image/mount/pointParse Specific File Type
Seção intitulada “Parse Specific File Type”log2timeline.py -p [parser_name] output.plaso /path/to/fileList Available Parsers
Seção intitulada “List Available Parsers”log2timeline.py --parsers
log2timeline.py --parsers=listExtract with Specific Storage Format
Seção intitulada “Extract with Specific Storage Format”log2timeline.py -o sqlite output.db /source/path
log2timeline.py -o elastic-search /source/pathCreating Timelines
Seção intitulada “Creating Timelines”| Command | Description |
|---|---|
log2timeline.py output.plaso /source | Create timeline from source directory |
log2timeline.py -r output.plaso /source | Recursive parsing of all subdirectories |
log2timeline.py -o json output.json /source | Output in JSON format |
log2timeline.py -o csv output.csv /source | Output in CSV format for spreadsheet analysis |
log2timeline.py -z UTC output.plaso /source | Specify timezone for time conversion |
log2timeline.py -p win_registry output.plaso /windows/registry | Parse only Windows registry |
log2timeline.py --hasher_file=/path output.plaso /source | Include file hash analysis |
Advanced Parsing Options
Seção intitulada “Advanced Parsing Options”Single Parser Extraction
Seção intitulada “Single Parser Extraction”log2timeline.py -p chrome output.plaso /source
log2timeline.py -p firefox output.plaso /source
log2timeline.py -p syslog output.plaso /var/logExclude File Types
Seção intitulada “Exclude File Types”log2timeline.py --filter '\.zip$' output.plaso /sourceProcess with Specific Worker Count
Seção intitulada “Process with Specific Worker Count”log2timeline.py -w 4 output.plaso /sourceVerbose Output During Parsing
Seção intitulada “Verbose Output During Parsing”log2timeline.py -v output.plaso /source
log2timeline.py --debug output.plaso /sourceTimeline Analysis with Psort
Seção intitulada “Timeline Analysis with Psort”Psort is the timeline analysis tool that reads Plaso output and generates human-readable reports.
Basic Psort Usage
Seção intitulada “Basic Psort Usage”psort.py output.plaso
psort.py -o dynamic output.plasoFilter Timeline Events
Seção intitulada “Filter Timeline Events”psort.py -f "date >= '2024-01-01 00:00:00' AND date <= '2024-12-31 23:59:59'" output.plaso
psort.py -f "source_short == 'LOG'" output.plasoOutput Formats
Seção intitulada “Output Formats”| Command | Output Format |
|---|---|
psort.py output.plaso | Default text format |
psort.py -o json output.json output.plaso | JSON output |
psort.py -o csv output.csv output.plaso | CSV format |
psort.py -o elastic-search output.plaso | Elasticsearch bulk import |
psort.py -o html report.html output.plaso | HTML report |
psort.py -o sqlite output.db output.plaso | SQLite database |
Advanced Filtering
Seção intitulada “Advanced Filtering”# Filter by source
psort.py -f "source_short == 'EVT'" output.plaso
# Filter by message content
psort.py -f "message CONTAINS 'login'" output.plaso
# Filter by username
psort.py -f "username == 'Administrator'" output.plaso
# Date range filtering
psort.py -f "date >= '2024-01-15 08:00:00'" output.plaso
# Multiple conditions
psort.py -f "date >= '2024-01-01' AND source_short == 'LOG'" output.plasoSort Options
Seção intitulada “Sort Options”psort.py -s date output.plaso
psort.py -s source output.plaso
psort.py -s date,source output.plasoForensic Investigation Workflow
Seção intitulada “Forensic Investigation Workflow”Step 1: Mount and Examine Evidence
Seção intitulada “Step 1: Mount and Examine Evidence”sudo mount -o ro /dev/sdX /mnt/evidence
log2timeline.py -r case.plaso /mnt/evidenceStep 2: Parse Timeline
Seção intitulada “Step 2: Parse Timeline”log2timeline.py -r -w 8 case.plaso /mnt/evidenceStep 3: Analyze and Filter
Seção intitulada “Step 3: Analyze and Filter”psort.py -f "date >= '2024-01-20 00:00:00'" case.plasoStep 4: Generate Report
Seção intitulada “Step 4: Generate Report”psort.py -o html investigation_report.html case.plasoStep 5: Export for Further Analysis
Seção intitulada “Step 5: Export for Further Analysis”psort.py -o csv timeline.csv case.plasoDisk Image Analysis
Seção intitulada “Disk Image Analysis”From Forensic Image (E01/DD)
Seção intitulada “From Forensic Image (E01/DD)”log2timeline.py -r mounted_image.plaso /mnt/ewf_mountWith EWF Tools (EnCase Images)
Seção intitulada “With EWF Tools (EnCase Images)”ewfmount /path/to/image.E01 /mnt/ewf
log2timeline.py -r case.plaso /mnt/ewf/ewf1Windows Registry Analysis
Seção intitulada “Windows Registry Analysis”log2timeline.py -p win_registry case.plaso /mnt/evidence/Windows/System32/configBrowser Forensics
Seção intitulada “Browser Forensics”Chrome History and Artifacts
Seção intitulada “Chrome History and Artifacts”log2timeline.py -p chrome case.plaso /mnt/evidence/Users/username/AppData/Local/Google/ChromeFirefox History
Seção intitulada “Firefox History”log2timeline.py -p firefox case.plaso /mnt/evidence/Users/username/AppData/Roaming/Mozilla/FirefoxSafari History (macOS)
Seção intitulada “Safari History (macOS)”log2timeline.py -p safari case.plaso /mnt/evidence/Users/username/Library/SafariCombined Browser Analysis
Seção intitulada “Combined Browser Analysis”log2timeline.py -p 'chrome|firefox|safari' case.plaso /source/pathPerformance Optimization
Seção intitulada “Performance Optimization”Multi-threaded Processing
Seção intitulada “Multi-threaded Processing”log2timeline.py -w 8 output.plaso /source
log2timeline.py -w 16 output.plaso /large/datasetProgress Monitoring
Seção intitulada “Progress Monitoring”log2timeline.py -v output.plaso /source 2>&1 | tee parsing.logProcess Large Files Efficiently
Seção intitulada “Process Large Files Efficiently”log2timeline.py -r --no-dedupe output.plaso /sourceOutput Processing
Seção intitulada “Output Processing”Convert Between Formats
Seção intitulada “Convert Between Formats”# PLASO to CSV
psort.py -o csv timeline.csv case.plaso
# PLASO to JSON
psort.py -o json timeline.json case.plaso
# PLASO to SQLite for queries
psort.py -o sqlite timeline.db case.plasoQuery SQLite Timeline
Seção intitulada “Query SQLite Timeline”sqlite3 timeline.db "SELECT datetime, source, message FROM events WHERE source LIKE '%LOG%' ORDER BY datetime;"Grep Timeline Output
Seção intitulada “Grep Timeline Output”psort.py case.plaso | grep -i "logon\|failed\|error"Incident Response Scenarios
Seção intitulada “Incident Response Scenarios”Suspicious Activity Timeline
Seção intitulada “Suspicious Activity Timeline”log2timeline.py -r incident.plaso /evidence
psort.py -f "message CONTAINS 'error' OR message CONTAINS 'failed'" incident.plasoUser Account Activity
Seção intitulada “User Account Activity”psort.py -f "username == 'suspect_user'" case.plasoFile Access Timeline
Seção intitulada “File Access Timeline”log2timeline.py -p fswalk case.plaso /evidence
psort.py -f "source_short == 'FILE'" case.plasoNetwork Connection Events
Seção intitulada “Network Connection Events”psort.py -f "source_short == 'EVT' AND message CONTAINS 'network'" case.plasoTroubleshooting
Seção intitulada “Troubleshooting”Check Parser Support
Seção intitulada “Check Parser Support”log2timeline.py --info=parsers | grep -i keywordEnable Debug Logging
Seção intitulada “Enable Debug Logging”log2timeline.py --debug output.plaso /sourceHandle Permission Issues
Seção intitulada “Handle Permission Issues”sudo log2timeline.py -r case.plaso /protected/sourceVerify Output
Seção intitulada “Verify Output”psort.py case.plaso | head -20
file case.plasoBest Practices
Seção intitulada “Best Practices”- Always work from copies: Never analyze original evidence directly
- Document your process: Maintain detailed notes on filters and queries used
- Timezone awareness: Use correct timezone settings for accurate timeline analysis
- Multi-source correlation: Combine logs from multiple sources for better accuracy
- Regular backups: Save critical timeline analysis in multiple formats
- Version control: Track Plaso version used for reproducibility
- Validate results: Cross-reference findings with other forensic tools
Related Tools
Seção intitulada “Related Tools”- Volatility: Memory forensics and analysis
- FTK Imager: Forensic imaging and analysis
- EnCase: Commercial forensic platform
- Autopsy: Digital forensics GUI frontend
- Timeline Explorer: Timeline visualization tool