Difference between pages "Mac OS X" and "Plaso"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Burn Folder)
 
m (File formats)
 
Line 1: Line 1:
{{Expand}}
+
{{Infobox_Software |
 +
  name = plaso |
 +
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
 +
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Analysis}} |
 +
  license = {{APL}} |
 +
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
 +
}}
  
Apple Inc.'s Macintosh OS X (pronounced "'''OS Ten'''") is the operating system distributed with Apple computers. It includes heavily used several programs by default, including [[Apple Mail]], a web browser called [[Apple Safari | Safari]], and an [[Apple Address Book]], and [[iCal]].  
+
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].
  
== Burn Folder ==
+
The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
  
Mac OS X Burn Folder:
+
== Supported Formats ==
<pre>
+
$NAME.fpbf
+
</pre>
+
  
This folder normally contains [[Mac OS X Alias Files|alias files]] (similar to LNK files under Windows). Which should have the following signature.
+
=== Storage Media Image File Formats ===
<pre>
+
Storage Medis Image File Format support is provided by [[dfvfs]].
00000000  62 6f 6f 6b 00 00 00 00  6d 61 72 6b 00 00 00 00  |book....mark....|
+
</pre>
+
  
These [[Mac OS X Alias Files|alias files]] contain additional date and time values.
+
=== Volume System Formats ===
 +
Volume System Format support is provided by [[dfvfs]].
  
Also check: ~/Library/Preferences/com.apple.finder.plist
+
=== File System Formats ===
For references to deleted .fpbf paths.
+
File System Format support is provided by [[dfvfs]].
  
Actual burning of optical media is logged in:
+
=== File formats ===
/var/log/system.log
+
<b>TODO expand this list</b>
/Users/$USERNAME/Library/Logs/DiscRecording.log
+
/private/var/.logs_exporter/cache/Users/$USERNAME/Library/Logs/DiscRecording.log
+
  
== HFS/HFS+ date and time values ==
+
* Apple System Log (ASL)
 +
* Basic Security Module (BSM)
 +
* Bencode files
 +
* [[Google Chrome|Chrome cache files]]
 +
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
 +
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]using [[libesedb]]
 +
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
 +
* [[OLE Compound File]] using [[libolecf]]
 +
* SQLite databases
 +
* Syslog
 +
* [[Windows Event Log (EVT)]] using [[libevt]]
 +
* [[Windows NT Registry File (REGF)]] using [[libregf]]
 +
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
 +
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
  
In HFS+ date and time values are stored in an unsigned 32-bit integer containing the number of seconds since January 1, 1904 at 00:00:00 (midnight) UTC (GMT). This is slightly different from HFS where the date and time value are stored using the local time. The maximum representable date is February 6, 2040 at 06:28:15 UTC (GMT). The date values do not account for leap seconds. They do include a leap day in every year that is evenly divisible by four. This is sufficient given that the range of representable dates does not contain 1900 or 2100, neither of which have leap days.
+
=== Bencode file formats ===
 +
* Transmission
 +
* uTorrent
  
Converting HFS/HFS+ date and time values with Python:
+
=== ESE database file formats ===
<pre>
+
<b>TODO expand this list</b>
import datetime
+
  
print datetime.datetime( 1904, 1, 1 ) + datetime.timedelta( seconds=0xCBDAF25B )
+
=== OLE Compound File formats ===
</pre>
+
<b>TODO expand this list</b>
  
== Quarantine event database ==
+
=== SQLite database file formats ===
See [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/]
+
<b>TODO expand this list</b>
  
Snow Leopard and earlier
+
=== Windows Registry formats ===
<pre>
+
<b>TODO expand this list</b>
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEvents
+
</pre>
+
  
<pre>
+
== History ==
SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;
+
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.
</pre>
+
  
Lion and later
+
== See Also ==
<pre>
+
* [[dfvfs]]
/Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
+
* [[log2timeline]]
</pre>
+
 
+
== Package Files (.PKG) ==
+
Package Files (.PKG) are XAR archives [http://en.wikipedia.org/wiki/Xar_(archiver)] that contain a cpio archive and metadata [http://s.sudre.free.fr/Stuff/Ivanhoe/FLAT.html].
+
 
+
== Also see ==
+
* [[MacOS Process Monitoring]]
+
* [[Acquiring a MacOS System with Target Disk Mode]]
+
* [[Converting Binary Plists]]
+
* [[FileVault Disk Encryption]]
+
* [[File Vault]]
+
  
 
== External Links ==
 
== External Links ==
 
+
* [https://code.google.com/p/plaso/ Project site]
* [http://www.apple.com/macosx/ Official website]
+
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://en.wikipedia.org/wiki/OS_X Wikipedia entry on OS X]
+
* [http://blog.kiddaland.net/ Project blog]
* [http://menial.co.uk/blog/2011/06/16/mac-quarantine-event-database/ Quarantine event database]
+
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
* [http://www2.tech.purdue.edu/cit/Courses/cit556/readings/MacForensicsCraiger.pdf Mac Forensics: Mac OS X and the HFS+ File System] by P. Craiger
+
 
+
=== Apple Examiner ===
+
* [http://www.appleexaminer.com/ The Apple Examiner]
+
* [http://www.appleexaminer.com/MacsAndOS/Analysis/USBOSX/USBOSX.html USB Entries on OS X]
+
* [http://www.appleexaminer.com/Downloads/MacForensics.pdf Macintosh Forensics - A Guide for the Forensically Sound Examination of a Macintosh Computer] by Ryan R. Kubasiak
+
 
+
[[Category:Mac OS X]]
+
[[Category:Operating systems]]
+

Revision as of 03:26, 3 June 2014

plaso
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/plaso/

Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating targeted timelines.

The Plaso project site also provides 4n6time, formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by David Nides.

Supported Formats

Storage Media Image File Formats

Storage Medis Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

TODO expand this list

Bencode file formats

  • Transmission
  • uTorrent

ESE database file formats

TODO expand this list

OLE Compound File formats

TODO expand this list

SQLite database file formats

TODO expand this list

Windows Registry formats

TODO expand this list

History

Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit, libyal and other projects.

See Also

External Links