Difference between pages "CAINE Live CD" and "Plaso"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(OLE Compound File formats)
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = CAINE Live CD |
+
   name = plaso |
   maintainer = [[CAINE Project]] |
+
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
   os = {{Linux}} |
+
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
   genre = {{Live CD}} |
+
   genre = {{Analysis}} |
   license = {{GPL}}, others |
+
   license = {{APL}} |
   website = [http://www.caine-live.net/] |
+
   website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
 
}}
 
}}
  
'''CAINE Live CD''' (Computer Aided Investigative Environment) is a forensic [[Live CD]] built on top of Ubuntu.
+
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].
== CAINE 2.0 ==
+
  
September 2010
+
The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
  
CHANGELOG CAINE 2.0 "NewLight"
+
== Supported Formats ==
  
Kernel 2.6.32-24
+
=== Storage Media Image File Formats ===
 +
Storage Medis Image File Format support is provided by [[dfvfs]].
  
ADDED:
+
=== Volume System Formats ===
Air 2.0.0
+
Volume System Format support is provided by [[dfvfs]].
MountManager
+
Disk Utility
+
Storage Device Manager
+
SSdeep
+
ByteInvestigator
+
DMIdecode
+
HDSentinel
+
WVSummary
+
Read_open_Xml
+
Fiwalk
+
Bulk Extractor
+
Log2Timeline
+
Midnight Commander
+
SQLJuicer
+
CDFS 2.6.27
+
Nautilus Scripts
+
Fake Casper patch
+
Manual updated
+
  
 +
=== File System Formats ===
 +
File System Format support is provided by [[dfvfs]].
  
'''Live Preview Nautilus Scripts'''
+
=== File formats ===
CAINE includes scripts activated within the Nautilus web browser designed to make examination of allocated files simple. Currently, the scripts can render many databases, internet histories, Windows registries, deleted files, and extract EXIF data to text files for easy examination. The Quick View tool automates this process by determining the file type and rendering with the appropriate tool.
+
<b>TODO expand this list</b>
The live preview Nautilus scripts also provide easy access to administrative functions, such as making an attached device writeable, dropping to the shell, or opening a Nautilus window with administrator privileges. The "Save as Evidence" script will write the selected file(s) to an "Evidence" folder on the desktop and create a text report about the file containing file metadata and an investigator comment, if desired.
+
A unique script, "Identify iPod Owner", is included in the toolset. This script will detect an attached and mounted iPod Device, display metadata about the device (current username, device serial number, etc.). The investigator has the option to search allocated media files and unallocated space for iTunes user information present in media purchased through the Apple iTunes store, i.e., Real Name and email address.
+
The live preview scripts are a work in progress. Many more scripts are possible as are improvements to the existing scripts. The CAINE developers welcome feature requests, bug reports, and critiques.
+
The preview scripts were born of a desire to make evidence extraction simple for any investigator with basic computer skills. They allow the investigator to get basic evidence to support the investigation without the need of advanced computer forensics training or waiting upon a computer forensics lab. Computer forensics labs can used the scripts for device triage and the remainder of the CAINE toolset for a full forensic examination!
+
by John Lehr
+
------------------------------------------
+
'''CASPER PATCH (not for NBCaine 2.0)'''
+
The patch changes the way how Casper searches for the boot media. By default, Casper will look at hard disk drives, CD/DVD-drives and some other devices while booting the system (during the stage when system tries to find the boot media with correct root file system image on it - because common bootloaders do not pass any data about media used for booting to an operating system in Live CD configurations). Our patch is implemented for CD/DVD versions of CAINE and enables CD/DVD-only checks in Casper. This solves the bug when Casper would select and boot fake root file system images on evidentiary media (hard disk drives, etc). ---
+
by Suhanov Maxim
+
  
 +
* Apple System Log (ASL)
 +
* Basic Security Module (BSM)
 +
* Bencode files
 +
* [[Google Chrome|Chrome cache files]]
 +
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
 +
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
 +
* [[OLE Compound File]] using [[libolecf]]
 +
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
 +
* SQLite databases
 +
* Syslog
 +
* [[Windows Event Log (EVT)]] using [[libevt]]
 +
* [[Windows NT Registry File (REGF)]] using [[libregf]]
 +
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
 +
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
  
 +
=== Bencode file formats ===
 +
* Transmission
 +
* uTorrent
  
== CAINE 1.5 ==
+
=== ESE database file formats ===
As of December 2009, the current version of [http://www.caine-live.net/ Caine] is 1.5. According to documentation, it is based on [http://releases.ubuntu.com/8.04/ Ubuntu 8.04]. Unlike the [[Helix]] project, Caine is free, freely redistributable, and open-source. CAINE 1.5 supports the Oxford 934dsb SATA chipset, used in (among other devices) the Voyager Q SATA dock from Newer Technologies.
+
* Internet Explorer WebCache format
  
== Forensic Issues ==
+
=== OLE Compound File formats ===
 +
* Document summary information
 +
* Summary information (top-level only)
  
* CAINE Live CD versions before 1.0 will automount [[Ext3]] file systems during the boot process and recover them if required (bug in ''initrd'' scripts);
+
=== Property list (plist) formats ===
* '''CAINE Live CD version 1.0 introduced new mounting policies''':
+
  
- The mounting policy for any internal or external devices adopted by CAINE: never mount automatically any device and when the user clicks on the device icon the system will mount it in read-only mode on a read-only loopback device.
+
=== SQLite database file formats ===
 +
* Android call logs
 +
* Android SMS
 +
* Chrome cookies
 +
* Chrome browsing and downloads history
 +
* Firefox browsing and downloads history
 +
* Google Drive
 +
* Launch services quarantine events
 +
* MacKeeper
 +
* Mac OS X document versions
 +
* Skype
 +
* Zeitgeist activity
  
- If a user decides to mount a device via terminal, he can use the “mount” command but all the mount options must be specified.
+
=== Windows Registry formats ===
 +
<b>TODO expand this list</b>
  
- The ext3 driver will be ignored when ext3 file systems are mounted and the ext2 driver used instead. This protects any ext3 file systems from a forensic point-of-view. Ext2 does not use journaling, so when an ext3 file system is mounted, there is no danger of modifying the journal metadata.
+
== History ==
 +
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.
  
- By applying a special patch CAINE team fixed the bug that changed the journal of the ext3 file systems when the computer was switched off by pulling the plug.
+
== See Also ==
 +
* [[dfvfs]]
 +
* [[log2timeline]]
  
- Fixed in the fstab: forbidding the auto-mounting of the MMCs and put a control for the "exotic names" like /dev/sdad1.
+
== External Links ==
 
+
* [https://code.google.com/p/plaso/ Project site]
- If the user wants to mount and write on an NTFS media should instead use the "ntfs-3g" command (e.g., $ sudo ntfs-3g /dev/sda1 /media/sda1).
+
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
 
+
* [http://blog.kiddaland.net/ Project blog]
    # ntfs-3g /device-path /your-mount-point
+
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

Revision as of 02:32, 3 June 2014

plaso
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/plaso/

Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating targeted timelines.

The Plaso project site also provides 4n6time, formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by David Nides.

Supported Formats

Storage Media Image File Formats

Storage Medis Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

TODO expand this list

Bencode file formats

  • Transmission
  • uTorrent

ESE database file formats

  • Internet Explorer WebCache format

OLE Compound File formats

  • Document summary information
  • Summary information (top-level only)

Property list (plist) formats

SQLite database file formats

  • Android call logs
  • Android SMS
  • Chrome cookies
  • Chrome browsing and downloads history
  • Firefox browsing and downloads history
  • Google Drive
  • Launch services quarantine events
  • MacKeeper
  • Mac OS X document versions
  • Skype
  • Zeitgeist activity

Windows Registry formats

TODO expand this list

History

Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit, libyal and other projects.

See Also

External Links