Difference between pages "Plaso" and "Dfvfs"

From ForensicsWiki
= Plaso =

{{Infobox_Software |
   name = plaso |
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
   genre = {{Analysis}} |
   license = {{APL}} |
   website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be analysed by forensic investigators and analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines, but it also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

It comes bundled with [[4n6time]], formerly "l2t_Review", a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

=== Image File Formats ===
* [[Raw Image Format]]

=== Volume System Formats ===
* [[Windows Shadow Volumes]] using [[libvshadow]]

=== File System Formats ===
* uses [[sleuthkit]] and [[pytsk]]

=== File Formats ===
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[Windows Event Log (EVT)]] using [[libevt]]
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Syslog

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [http://code.google.com/p/libyal/ libyal] and other projects.

== See Also ==
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

= Dfvfs =

{{Infobox_Software |
   name = dfvfs |
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
   genre = {{Analysis}} |
   license = {{APL}} |
   website = [https://code.google.com/p/dfvfs/ code.google.com/p/dfvfs/] |
}}

dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects stored in various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects; the actual support for the individual storage media types, volume systems and file systems is implemented by several back-ends.

dfVFS is currently implemented as a Python module.

== Supported Formats ==

=== Storage media types ===
* [[Encase image file format]] or EWF (EWF-E01, EWF-Ex01, EWF-S01) using [[libewf]]
* [[Raw Image Format]] or RAW
* [[QCOW Image Format]] or QCOW using [[libqcow]]
* [[Virtual Disk Image (VDI)]] or VHD using [[libvhdi]]

=== Volume systems ===
* using [[sleuthkit]] and [[pytsk]]
** APM
** GPT
** MBR
* [[Windows Shadow Volumes]] using [[libvshadow]]

=== File systems ===
* using [[sleuthkit]] and [[pytsk]]
** ext 2, 3, 4
** FAT
** HFS, HFS+, HFSX
** NTFS
** UFS 1, 2

== History ==
dfVFS originates from the [[plaso|Plaso project]]. It was largely rewritten and made into a stand-alone project to provide more flexibility and to allow other projects to make use of the VFS functionality. dfVFS was originally named PyVFS, but that name conflicted with another project.

== See Also ==
* [[plaso]]

== External Links ==
* [https://code.google.com/p/dfvfs/ Project site]

Revision as of 02:39, 2 January 2014
