Barnyard2

From ForensicsWiki
== About ==

Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing the binary data into various formats to a separate process, so that the parsing will not cause Snort to miss network traffic.

Barnyard2 has 3 modes of operation:

  1. batch (or one-shot),
  2. continual, and
  3. continual with bookmark.

In batch (or one-shot) mode, barnyard2 will process the explicitly specified file(s) and exit.

In continual mode, barnyard2 will start with a location to look in and a specified file pattern, and continue to process new data (and new spool files) as they appear.

Continual mode with bookmarking will also use a checkpoint file (or waldo file in the Snort world) to track where it is. In the event the barnyard2 process ends while a waldo file is in use, barnyard2 will resume processing at the last entry as listed in the waldo file.

The "-f", "-w", and "-o" options are used to determine which mode barnyard2 will run in ("-d" names the spool directory, "-f" the base name of the spool files, "-w" the waldo file, and "-o" selects batch mode). It is legal for both the "-f" and "-w" options to be used on the command line at the same time; however, any data that exists in the waldo file will override the command line data from the "-f" and "-d" options. In practice this means a stale waldo file left over from another spool directory silently wins over what was typed on the command line, so check its contents before reusing it. See the command directives section of the barnyard2 README for more detail.

Barnyard2 processing is controlled by two main types of directives: input processors and output plugins. The input processors read information in from a specific format (currently the spo_unified2 output module of Snort) and the output plugins write it out in one of several ways.[https://github.com/firnsy/barnyard2/]
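The following is an added example, not barnyard2 or Snort code, showing what "interpreting unified2" and the batch versus bookmark modes above amount to in practice. The record layout follows Snort's Unified2_common.h (big-endian fields; every record begins with a type/length header; type 7 is the legacy IPv4 IDS event, type 2 a packet). The bookmark is a plain count of records already consumed, a stand-in for barnyard2's binary waldo file whose format is not modelled here, and the spool bytes are constructed with struct.pack rather than captured from Snort.

```python
"""Read Snort unified2 records with batch and bookmark (waldo-style) resume.

Added example, not barnyard2 or Snort code. Record layout per Snort's
Unified2_common.h (all fields big-endian; each record starts with a
type and length header). The bookmark here is simply the number of
records already consumed, standing in for barnyard2's binary waldo
file. The spool data is constructed below with struct.pack.
"""
import struct

UNIFIED2_PACKET = 2           # Serial_Unified2Packet
UNIFIED2_IDS_EVENT = 7        # Serial_Unified2IDSEvent_legacy (IPv4)

HEADER = struct.Struct(">II")            # record type, record length
PACKET = struct.Struct(">7I")            # sensor_id, event_id, event_second,
                                         # packet_second, packet_microsecond,
                                         # linktype, packet_length, then bytes
IDS_EVENT = struct.Struct(">9I2I2H4B")   # sensor_id, event_id, event_second,
                                         # event_microsecond, signature_id,
                                         # generator_id, signature_revision,
                                         # classification_id, priority_id,
                                         # ip_source, ip_destination,
                                         # sport_itype, dport_icode, protocol,
                                         # impact_flag, impact, blocked


def int2ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def ip2int(s):
    return int.from_bytes(bytes(int(x) for x in s.split(".")), "big")


def iter_records(data, skip=0):
    """Yield (index, type, body) for each complete record, skipping the
    first `skip` records. A spool file Snort is still writing may end
    mid-record; that tail is left for the next pass, not mis-parsed."""
    offset = index = 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        end = offset + HEADER.size + length
        if end > len(data):
            break                     # partial record: wait for more data
        if index >= skip:
            yield index, rtype, data[offset + HEADER.size:end]
        offset, index = end, index + 1


def decode(rtype, body):
    if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
        f = IDS_EVENT.unpack_from(body)
        return {"kind": "event", "event_id": f[1], "ts": f[2], "sid": f[4],
                "gid": f[5], "rev": f[6], "priority": f[8],
                "src": int2ip(f[9]), "dst": int2ip(f[10]),
                "sport": f[11], "dport": f[12], "proto": f[13]}
    if rtype == UNIFIED2_PACKET and len(body) >= PACKET.size:
        f = PACKET.unpack_from(body)
        return {"kind": "packet", "event_id": f[1], "linktype": f[5],
                "data": body[PACKET.size:PACKET.size + f[6]]}
    return {"kind": "unknown", "type": rtype, "length": len(body)}


def process(data, bookmark=0):
    """bookmark=0 is batch mode over a whole buffer; passing the bookmark a
    previous call returned resumes where it stopped, as a waldo file lets
    barnyard2 do after a restart. Returns (decoded records, new bookmark)."""
    decoded, mark = [], bookmark
    for index, rtype, body in iter_records(data, bookmark):
        decoded.append(decode(rtype, body))
        mark = index + 1
    return decoded, mark


# --- constructed sample spool (not real Snort output) --------------------
def make_record(rtype, body):
    return HEADER.pack(rtype, len(body)) + body


def make_event(event_id, sid, src, dst, sport, dport, proto=6, second=1355526400):
    return make_record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
        1, event_id, second, 0, sid, 1, 1, 0, 2,
        ip2int(src), ip2int(dst), sport, dport, proto, 0, 0, 0))


EVENT1 = make_event(1, 1000001, "10.0.0.9", "192.168.1.10", 45000, 22)
PACKET1 = make_record(UNIFIED2_PACKET,
                      PACKET.pack(1, 1, 1355526400, 1355526400, 0, 1, 4)
                      + b"\xde\xad\xbe\xef")
EVENT2 = make_event(2, 1000002, "10.0.0.9", "192.168.1.10", 45001, 22)
SPOOL_PARTIAL = EVENT1 + PACKET1 + EVENT2[:18]   # Snort mid-write of EVENT2
SPOOL_COMPLETE = EVENT1 + PACKET1 + EVENT2


def demo():
    first, mark = process(SPOOL_PARTIAL)            # 2 records, tail untouched
    second, mark = process(SPOOL_COMPLETE, mark)    # only EVENT2 is new
    return first, second, mark


if __name__ == "__main__":
    first, second, mark = demo()
    for rec in first + second:
        print(rec)
    print("bookmark:", mark)
```

The first pass over SPOOL_PARTIAL decodes the event and its packet and stops at the half-written record instead of treating its bytes as a record; the second pass, given the returned bookmark, decodes only the record that was completed in the meantime, which is the behaviour the waldo file buys a restarted barnyard2.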
  
== History ==

Barnyard is a critical tool for the parsing of Snort's unified binary files, processing and on-forwarding to a variety of output plugins. Unfortunately it has not seen an update in over 4 years and is not going to be maintained by the original developers. With the new version of the unified format (i.e. unified2) arriving we need something to bridge this gap.

To quote directly from the Snort FAQ:

* "Barnyard is an output system for Snort. Snort creates a special binary output format called unified. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plug-in, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again."

The SXL team love barnyard. So much so that we want it to stay and have been tinkering around with the code to give it a breath of new life. Here is what we have achieved so far for this reinvigorated code base:

* Parsing of the new unified2 log files.
* Maintaining the majority of the command syntax of barnyard.
* Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
* Completely rewritten code based on the GPLv2 Snort, making it entirely GPLv2.
  
== References ==

All information on this page is referenced to [http://www.securixlive.com/barnyard2/about.php securixlive.com], where further information about Barnyard can be found.

Plaso

From ForensicsWiki, revision as of 03:39, 3 June 2014

plaso
Maintainer: Kristinn Gudjonsson, Joachim Metz
OS: Linux, Mac OS X, Windows
Genre: Analysis
License: APL
Website: code.google.com/p/plaso/

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating targeted timelines (http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html).

The Plaso project site also provides 4n6time, formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by David Nides.
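As an added illustration of the correlated-timeline idea described above (not plaso's own code or API), the block below normalises two constructed artifacts of the kinds listed under Supported Formats into one sorted timeline: a syslog line, which carries neither a year nor a time zone, so both are assumed here (2012, UTC), and a Chrome History visit, which Chrome stores as WebKit time (microseconds since 1601-01-01 00:00:00 UTC). The urls/visits tables are a minimal subset of Chrome's real History schema, created in-memory for the example.

```python
"""Build a small correlated timeline from two constructed artifacts.

Added illustration of the super-timeline idea; not plaso code and not
its API. All sample data is constructed. Timestamps are normalised to
aware UTC datetimes before sorting, which is the whole point: each
source keeps time differently.
"""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Syslog lines have no year and no zone; the analyst supplies both.
# Assumed here: year 2012, clock in UTC.
SYSLOG_YEAR = 2012
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Chrome's History database stores WebKit time: microseconds since
# 1601-01-01 00:00:00 UTC (11644473600 s before the Unix epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def parse_syslog(lines, year=SYSLOG_YEAR):
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the run
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append((stamp, "syslog", m["host"], m["msg"]))
    return events


def parse_chrome_history(conn):
    # Minimal subset of Chrome's History schema: urls joined to visits.
    rows = conn.execute(
        "SELECT visits.visit_time, urls.url FROM visits "
        "JOIN urls ON urls.id = visits.url"
    )
    return [(webkit_to_datetime(t), "chrome:history", "", url) for t, url in rows]


def build_timeline(events):
    # (stamp, source, host, message), oldest first
    return sorted(events, key=lambda e: e[0])


# --- constructed sample data ---------------------------------------------
SAMPLE_SYSLOG = [
    "Dec 14 22:00:00 ws01 sshd[412]: Accepted password for root from 10.0.0.9",
    "this line is not syslog",
]


def constructed_chrome_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.test/payload.exe');
        INSERT INTO visits VALUES (1, 1, 13000000000000000);
    """)
    return conn


def demo():
    events = parse_syslog(SAMPLE_SYSLOG)
    events += parse_chrome_history(constructed_chrome_db())
    return build_timeline(events)


if __name__ == "__main__":
    for stamp, source, host, msg in demo():
        print(stamp.isoformat(), source, host, msg)
```

The sshd login lands 66 minutes before the download in the merged output, which neither artifact shows on its own; getting that ordering right depends entirely on the year and zone assumptions made for syslog, so a real targeted timeline should record them alongside the events.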

Supported Formats

Storage Media Image File Formats

Storage Media Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

TODO expand this list

Bencode file formats

  • Transmission
  • uTorrent

ESE database file formats

  • Internet Explorer WebCache format

OLE Compound File formats

  • Document summary information
  • Summary information (top-level only)

Property list (plist) formats

TODO expand this list

  • Airport
  • Apple Account
  • iPod/iPhone
  • Install History
  • Mac User
  • Software Update
  • Spotlight
  • Spotlight Volume Information
  • Timemachine

SQLite database file formats

  • Android call logs
  • Android SMS
  • Chrome cookies
  • Chrome browsing and downloads history
  • Firefox browsing and downloads history
  • Google Drive
  • Launch services quarantine events
  • MacKeeper
  • Mac OS X document versions
  • Skype
  • Zeitgeist activity

Windows Registry formats

TODO expand this list

  • AppCompatCache
  • CCleaner
  • MountPoints2
  • MSIE Zone
  • MSIE Zone Software

History

Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson. Plaso builds upon the SleuthKit, libyal, dfvfs and various other projects.

See Also

  • dfvfs
  • log2timeline

External Links

  • Project site: https://code.google.com/p/plaso/
  • Project documentation: https://sites.google.com/a/kiddaland.net/plaso/home
  • Project blog: http://blog.kiddaland.net/
  • 4n6time: https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time