Difference between pages "Plaso" and "Compression"

From ForensicsWiki

Revision of "Plaso" (edit summary: Property list (plist) formats) compared with the first revision of "Compression" (edit summary: Created page with "{{Expand}} == External Links == === LZ1 === * [http://andyh.org/LZ1.html LZ1]").

Plaso:
{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
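To make the correlation described above concrete, here is an added Python example (not plaso code and not part of the wiki page) that normalises two constructed inputs, a SleuthKit bodyfile (the "mactime logs" in the format list) and a few syslog lines, into one time-sorted timeline. The regular expression, the event tuple layout and the assumption that the syslog lines are from 2014 are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs, not captured from a real system.
# Bodyfile columns: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/home/user/.bash_history|5678|r/rrw-------|1000|1000|512|1402279620|1402279633|1402279633|1402279600
0|/srv/backup/report.tar|9012|r/rrw-r--r--|1000|1000|20480|1402279640|1402279640|1402279641|1402279640
"""
SYSLOG = """\
Jun  9 02:07:05 host sshd[1234]: Accepted publickey for user from 198.51.100.7 port 40022 ssh2
Jun  9 02:07:20 host sudo: user : TTY=pts/0 ; PWD=/home/user ; COMMAND=/bin/cp /tmp/report.tar /srv/backup/
"""
SYSLOG_YEAR = 2014  # syslog lines carry no year; the examiner has to supply one (assumed here)
MACB = (("atime", "a"), ("mtime", "m"), ("ctime", "c"), ("crtime", "b"))

def parse_bodyfile(text):
    """One bodyfile row yields up to four events, one per recorded MACB timestamp."""
    events = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # skip malformed rows instead of aborting the whole run
        for (label, flag), value in zip(MACB, f[7:11]):
            ts = int(value)
            if ts > 0:  # zero means "timestamp not recorded" in bodyfiles
                events.append((datetime.fromtimestamp(ts, timezone.utc), "FILE", f"{flag} {label}", f[1]))
    return events

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

def parse_syslog(text, year):
    """Each syslog line is one event; the year is injected because the format omits it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, _host, proc, msg = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append((ts.replace(tzinfo=timezone.utc), "LOG", f"syslog {proc}", msg))
    return events

def super_timeline(year=SYSLOG_YEAR):
    """Merge every source into one list sorted by time: the point of a super timeline."""
    return sorted(parse_bodyfile(BODYFILE) + parse_syslog(SYSLOG, year), key=lambda e: e[0])

if __name__ == "__main__":
    for ts, source, kind, desc in super_timeline():
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z  {source:4} {kind:13} {desc}")
```

Note how a single bodyfile row becomes several timeline rows and how the file-system and log events interleave once sorted; plaso does the same at scale, with a parser per format in the lists that follow.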

== Supported Formats ==
The information below is based on version 1.1.0.

=== Storage Media Image File Formats ===
Storage Media Image File Format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume System Format support is provided by [[dfvfs]].

=== File System Formats ===
File System Format support is provided by [[dfvfs]].

=== File formats ===
* Apple System Log (ASL)
* Basic Security Module (BSM)
* Bencode files
* [[Google Chrome|Chrome cache files]]
* CUPS IPP
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* Firefox Cache
* [[Java|Java IDX]]
* MacOS-X Application firewall
* MacOS-X Keychain
* MacOS-X Securityd
* MacOS-X Wifi
* ([[SleuthKit]]) mactime logs
* McAfee Anti-Virus Logs
* Microsoft [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[OLE Compound File]] using [[libolecf]]
* [[Opera|Opera Browser history]]
* OpenXML
* Pcap files
* Popularity Contest log
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
* SELinux audit logs
* SkyDrive log and error log files
* [[SQLite database format]] using [[SQLite]]
* Symantec AV Corporate Edition and Endpoint Protection log
* Syslog
* UTMP
* UTMPX
* [[Windows Event Log (EVT)]] using [[libevt]]
* Windows Firewall
* Windows Job files (also known as "at jobs")
* [[Windows Prefetch File Format|Windows Prefetch File format]]
* [[Windows#Recycle_Bin|Windows Recycle bin]] (INFO2 and $I/$R)
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Xchat and Xchat scrollback files

=== Bencode file formats ===
* Transmission
* uTorrent

=== ESE database file formats ===
* Internet Explorer WebCache format

=== OLE Compound File formats ===
* Document summary information
* Summary information (top-level only)

=== Property list (plist) formats ===
* Airport
* Apple Account
* Bluetooth
* Install History
* iPod/iPhone
* Mac User
* [[Apple Safari|Safari history]]
* Software Update
* Spotlight
* Spotlight Volume Information
* Timemachine

=== SQLite database file formats ===
* Android call logs
* Android SMS
* Chrome cookies
* [[Google Chrome|Chrome browsing and downloads history]]
* [[Mozilla Firefox|Firefox browsing and downloads history]]
* Google Drive
* Launch services quarantine events
* MacKeeper cache
* Mac OS X document versions
* Skype text conversations
* [[Zeitgeist|Zeitgeist activity database]]

=== [[Windows Registry]] formats ===
* [[Windows Application Compatibility|AppCompatCache]]
* CCleaner
* Less Frequently Used
* MountPoints2
* MRUList and MRUListEx (no shell item support)
* [[Internet Explorer|MSIE Zones]]
* Office MRU
* Outlook Search
* Run Keys
* Services
* Terminal Server MRU
* Typed URLs
* USBStor
* UserAssist
* WinRAR
* Windows version information

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]], [[dfvfs]] and various other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

Compression:

{{Expand}}

== External Links ==

=== LZ1 ===
* [http://andyh.org/LZ1.html LZ1]

Revision as of 02:07, 9 June 2014