Difference between revisions of "Plaso"
Previous revision: Joachim Metz (Talk | contribs)
Current revision: Joachim Metz (Talk | contribs) (→File System Formats)

Change at line 19, section File System Formats, from

* uses [[sleuthkit]] and [[

to

* uses [[sleuthkit]] and [[pystk]]
Revision as of 05:56, 10 May 2013
| plaso | |
|---|---|
| Maintainer: | Kristinn Gudjonsson, Joachim Metz, Eric Mak, David Nides |
| OS: | Linux, Mac OS X, Windows |
| Genre: | Analysis |
| License: | APL |
| Website: | code.google.com/p/plaso/ |
Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators and analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
== Supported Formats ==
=== Image File Formats ===
=== Volume System Formats ===
=== File System Formats ===
* uses [[sleuthkit]] and [[pystk]]
=== File Formats ===
- Internet Explorer History File Format (also known as MSIE 4-9 Cache Files or index.dat) using libmsiecf
- Windows Event Log (EVT) using libevt
- Windows NT Registry File (REGF) using libregf
- Windows Shortcut File (LNK) format using liblnk
- Windows XML Event Log (EVTX) using libevtx
- Syslog
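To make the "single correlated timeline" idea concrete, here is an added example (not plaso's own code) of the normalisation step a log2timeline-style engine performs: events from two of the listed source types, syslog text and already-parsed Windows Event Log (EVTX) records, are converted to one event shape with a UTC timestamp, merged and sorted. All input below is constructed sample data; the year 2013 supplied to the syslog parser is an assumption, since classic syslog stamps carry no year.

```python
"""Minimal super-timeline builder (added example, not plaso's own code).

Normalises events from two differently formatted sources into one
time-ordered list, the way a log2timeline-style engine does before output.
"""
import re
from datetime import datetime, timezone

# Constructed syslog sample. Classic syslog stamps carry no year, so the
# caller supplies one (here an assumption; plaso derives it from context).
SYSLOG_LINES = """\
Jan  5 03:14:07 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Jan  5 03:15:10 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls
Jan  5 03:14:30 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed records standing in for events already parsed from an EVTX
# file; timestamps are ISO 8601 in UTC.
EVTX_RECORDS = [
    {"timestamp": "2013-01-05T03:14:20Z", "host": "ws1", "event_id": 4624,
     "message": "An account was successfully logged on"},
    {"timestamp": "2013-01-05T03:13:50Z", "host": "ws1", "event_id": 4672,
     "message": "Special privileges assigned to new logon"},
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)


def parse_syslog(text, year):
    """Parse classic syslog lines into normalised events; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a bad line must not abort the whole source
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append({
            "datetime": stamp,
            "source": "SYSLOG",
            "host": m["host"],
            "desc": f"{m['proc']}: {m['msg']}",
        })
    return events


def parse_evtx(records):
    """Normalise pre-parsed EVTX-style records to the same event shape."""
    events = []
    for r in records:
        stamp = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        stamp = stamp.replace(tzinfo=timezone.utc)
        events.append({
            "datetime": stamp,
            "source": "EVTX",
            "host": r["host"],
            "desc": f"EventID {r['event_id']}: {r['message']}",
        })
    return events


def build_timeline(*sources):
    """Merge any number of normalised event lists and order them by time."""
    events = [e for src in sources for e in src]
    return sorted(events, key=lambda e: e["datetime"])


def to_csv_rows(timeline):
    """Render the timeline as simple CSV rows (timestamp,source,host,desc)."""
    return [
        f"{e['datetime'].isoformat()},{e['source']},{e['host']},{e['desc']}"
        for e in timeline
    ]


if __name__ == "__main__":
    timeline = build_timeline(parse_syslog(SYSLOG_LINES, 2013),
                              parse_evtx(EVTX_RECORDS))
    for row in to_csv_rows(timeline):
        print(row)
```

The point of the example is the shared event shape: once every parser emits the same fields with a timezone-aware timestamp, merging further sources (registry keys, LNK files, browser history) is just another list passed to `build_timeline`, and the cross-host ordering of the sudo command between the two Windows logon events is visible at a glance.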
== History ==
Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit and libyal.
It comes bundled with 4n6time, formerly "l2t_Review", a cross-platform forensic tool for timeline creation and review, by David Nides.