Difference between pages "Dfvfs" and "Plaso"

From ForensicsWiki
(Difference between pages)
(External Links)
 
(Image File Formats)
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = dfvfs |
+
   name = plaso |
 
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
 
   maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
 
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
 
   os = [[Linux]], [[Mac OS X]], [[Windows]] |
 
   genre = {{Analysis}} |
 
   genre = {{Analysis}} |
 
   license = {{APL}} |
 
   license = {{APL}} |
   website = [https://code.google.com/p/dfvfs/ code.google.com/p/dfvfs/] |
+
   website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
 
}}
 
}}
  
dfVFS, or Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
+
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].
  
dfVFS is currently implemented as a Python module.
+
The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].
  
 
== Supported Formats ==
 
== Supported Formats ==
=== Storage media types ===
 
* [[Encase image file format]] or EWF (EWF-E01, EWF-Ex01, EWF-S01) using [[libewf]]
 
* [[Raw Image Format]] or RAW using Python
 
* [[QCOW Image Format]] or QCOW using [[libqcow]]
 
* Storage media devices using [[libsmdev]]
 
* [[Virtual Disk Image (VDI)]] or VHD using [[libvhdi]]
 
* [[VMWare Virtual Disk Format (VMDK)]] using [[libvmdk]]
 
  
=== Volume systems ===
+
=== Storage Media Image File Formats ===
* using [[sleuthkit]] and [[pytsk]]
+
Storage Medis Image File Format support is provided by [[dfvfs]].
** [[APM]]
+
** [[GPT]]
+
** [[MBR]]
+
* [[Windows Shadow Volumes]] or VSS using [[libvshadow]]
+
  
=== File systems ===
+
=== Volume System Formats ===
* using [[sleuthkit]] and [[pytsk]]
+
Volume System Format support will be moved to [[dfvfs]].
** [[Extended File System (Ext)]] version 2, 3, 4
+
* [[Windows Shadow Volumes]] using [[libvshadow]]
** [[FAT]]
+
 
** [[HFS+|HFS, HFS+, HFSX]]
+
=== File System Formats ===
** [[New Technology File System (NTFS)]] version 3
+
File System Format support will be moved to [[dfvfs]].
** [[Unix File System (UFS)]] version 1, 2
+
* uses [[sleuthkit]] and [[pytsk]]
 +
 
 +
=== File Formats ===
 +
* [[Property list (plist)|Binary property list (plist) format]] using [[binplist]]
 +
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
 +
* [[Windows Event Log (EVT)]] using [[libevt]]
 +
* [[Windows NT Registry File (REGF)]] using [[libregf]]
 +
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
 +
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
 +
* Syslog
  
 
== History ==
 
== History ==
dfVFS originates from the [[plaso|Plaso project]]. It was largely rewritten and made into a stand-alone project to provide more flexibility and allow other projects to make use of the VFS functionality. dfVFS originally was named PyVFS, but that name conflicted with another project.
+
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]] and other projects.
  
 
== See Also ==
 
== See Also ==
* [[plaso]]
+
* [[dfvfs]]
 +
* [[log2timeline]]
  
 
== External Links ==
 
== External Links ==
* [https://code.google.com/p/dfvfs/ Project site]
+
* [https://code.google.com/p/plaso/ Project site]
* [https://code.google.com/p/dfvfs/wiki/dfvfs Developing Python code using dfvfs]
+
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
 +
* [http://blog.kiddaland.net/ Project blog]
 +
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]
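Review bot: the Plaso side of the Supported Formats hunk has a typo in "Storage Medis Image File Format support is provided by [[dfvfs]]."; it should read "Storage Media Image File Format support is provided by [[dfvfs]]." In the same region the Plaso bullet "* uses [[sleuthkit]] and [[pytsk]]" differs in wording from the dfvfs page's "* using [[sleuthkit]] and [[pytsk]]" for the same back-end; since the Plaso sections state that volume and file system support "will be moved to [[dfvfs]]" and the dfvfs page already enumerates those back-ends, consider pointing the Plaso stubs at the dfvfs list rather than repeating a partial one.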

Revision as of 02:16, 3 June 2014

plaso
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/plaso/

Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating targeted timelines.
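To make the idea of a correlated "super timeline" concrete, here is an added illustration that is not plaso's own code: two constructed artifact types (syslog lines, which carry neither a year nor a time zone, and Windows-style events that already carry UTC timestamps) are parsed, normalised to UTC and merged into one ordered timeline, with a time-window filter standing in for a targeted timeline. The sample lines, host names and the `utc`, `parse_syslog`, `build_timeline` and `targeted_timeline` helpers are all assumptions made for this example; plaso's real parsers, event attributes and storage format are far richer.

```python
"""Minimal super-timeline builder (added example, not plaso code).

Shows the one correlation step every timeline tool has to get right:
every source must be normalised to a common zone (UTC) before events
from different artifacts are ordered against each other.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data; not taken from any real system.
SYSLOG_LINES = [
    "Jun  3 02:14:07 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52244",
    "Jun  3 02:16:40 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt-get update",
]
# Constructed Windows-style events that already carry UTC timestamps.
WINDOWS_EVENTS = [
    {"time_utc": "2014-06-03T02:15:30", "event_id": 4624,
     "message": "An account was successfully logged on"},
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host message" (no year, no zone).
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def utc(iso_stamp):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a UTC-aware datetime."""
    return datetime.strptime(iso_stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_syslog(line, year, tz_offset_hours):
    """Syslog lines lack year and zone; the analyst must supply both.
    The local stamp is then converted to UTC so it can be ordered
    against sources that already use UTC."""
    match = SYSLOG_RE.match(line)
    if not match:
        raise ValueError("not a syslog line: %r" % line)
    local = datetime.strptime(
        "%d %s %s %s" % (year, match["mon"], match["day"], match["time"]),
        "%Y %b %d %H:%M:%S",
    ).replace(tzinfo=timezone(timedelta(hours=tz_offset_hours)))
    return {"timestamp": local.astimezone(timezone.utc), "source": "syslog",
            "host": match["host"], "message": match["msg"]}


def parse_windows_event(event):
    """Windows-style event with a UTC stamp; no zone conversion needed."""
    return {"timestamp": utc(event["time_utc"]), "source": "evtx", "host": "ws1",
            "message": "EventID %d: %s" % (event["event_id"], event["message"])}


def build_timeline(syslog_lines, windows_events, syslog_year, syslog_tz_hours):
    """Merge all sources into one list ordered by UTC timestamp."""
    events = [parse_syslog(line, syslog_year, syslog_tz_hours) for line in syslog_lines]
    events += [parse_windows_event(event) for event in windows_events]
    return sorted(events, key=lambda e: (e["timestamp"], e["source"]))


def targeted_timeline(timeline, start_utc, end_utc):
    """Targeted timeline: keep only events inside a window of interest."""
    return [e for e in timeline if start_utc <= e["timestamp"] <= end_utc]


def format_row(event):
    """Render one event as a flat 'time,source,host,message' row."""
    return "%s,%s,%s,%s" % (event["timestamp"].strftime("%Y-%m-%d %H:%M:%S"),
                            event["source"], event["host"], event["message"])


if __name__ == "__main__":
    # Treating the syslog host as UTC places the logon between the two syslog events;
    # treating it as UTC+2 moves both syslog events before the logon.
    for offset in (0, 2):
        print("syslog host assumed at UTC%+d:" % offset)
        for event in build_timeline(SYSLOG_LINES, WINDOWS_EVENTS, 2014, offset):
            print("  " + format_row(event))
```

Running the block with the syslog host assumed to be at UTC versus UTC+2 changes the relative order of the syslog and Windows events, which is exactly the kind of error a correlated timeline silently absorbs when a source's zone is guessed wrongly.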

The Plaso project site also provides 4n6time, formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by David Nides.

Supported Formats

Storage Media Image File Formats

Storage Media Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support will be moved to dfvfs.

* Windows Shadow Volumes using libvshadow

File System Formats

File System Format support will be moved to dfvfs.

* uses sleuthkit and pytsk

File Formats

* Binary property list (plist) format using binplist
* Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
* Windows Event Log (EVT) using libevt
* Windows NT Registry File (REGF) using libregf
* Windows Shortcut File (LNK) format using liblnk
* Windows XML Event Log (EVTX) using libevtx
* Syslog

History

Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit, libyal and other projects.

See Also

* dfvfs
* log2timeline

External Links

* Project site: https://code.google.com/p/plaso/
* Project documentation: https://sites.google.com/a/kiddaland.net/plaso/home
* Project blog: http://blog.kiddaland.net/
* 4n6time: https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time