Difference between pages "Caselaw" and "Plaso"

From ForensicsWiki

Caselaw

The legal information below is not legal advice. You should consult a lawyer if you want professional assurance that this information, and your interpretation of it, is appropriate to your situation.

The following are highlights of cases important to digital forensics and electronic discovery.

==Court Decisions==

'''United States v. Warshak, 631 F.3d 266 (6th Cir. Dec. 14, 2010)'''<br />
The Sixth Circuit Court of Appeals ruled that the government must have a search warrant before it can seize and search emails held by email service providers. "Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection..." [https://www.eff.org/files/warshak_opinion_121410.pdf]

'''Binary Semantics Ltd. v. Minitab, Inc., Case No. 07-1750 (M.D. Pa. May 5, 2008)'''<br />
In 2008, a district court agreed that a forensic image of an entire FTP server was "overly-broad and intrusive," and authorized the defendants to take only "a forensic copy of the relevant folders on [the] FTP server."

'''Harkabi v. Sandisk Corp., 2010 U.S. Dist. LEXIS 87843 (S.D.N.Y. Aug. 23, 2010)'''<br />
Electronic discovery requires litigants to scour disparate data storage media and formats for potentially relevant documents. That undertaking involves dueling considerations: thoroughness and cost.

'''United States v. Scott-Emuakpor, 2000 U.S. Dist. LEXIS 3118 (W.D. Mich. 2000)'''<br />
The court was satisfied with a third party collecting the forensic data as long as it was accompanied by "the testimony of a witness who was present and observed the procedure by which the documents were obtained from Defendant's computers."

'''Griffin v. State, 2010 Md. App. LEXIS 87 (Md. Ct. Spec. App. May 27, 2010)'''<br />
Social media profiles on MySpace or Facebook could be authenticated circumstantially by their content and context, in the same manner as other forms of electronic communication.

'''State v. Rivas, 2007 Ohio App. LEXIS 3299 (Ohio Ct. App. Jul. 13, 2007)'''<br />
The court overturned the defendant's conviction because an ''[http://en.wikipedia.org/wiki/In_camera in camera]'' review of the police department's computer was not performed; that review would have verified the accuracy of the transcripts that were recorded from a chat room and subsequently used against the defendant.

'''Fenje v. Feld, 2003 U.S. Dist. LEXIS 24387 (N.D. Ill., Dec. 8, 2003)'''<br />
The authentication of email messages presented in support of a summary judgment motion was at the core of this wrongful termination case. The court found that email messages may be authenticated as being from the suspected author based on the following factors:
* The email address from which it was sent
* An affidavit of the recipient
* Comparison of the content of the email with other evidence
* Other communication from the suspected author acknowledging the email message in question

'''U.S. v. Cameron, 2010 WL 3238326 (U.S. District Court for the District of Maine 2010)''' (on-going)<br />
Yahoo! detected child pornography and reported it to the NCMEC, and Cameron expected the Government to produce as witnesses the Yahoo! technicians who collected the evidence. The judge noted that at trial the "Government need not call each of the technicians who did the search so long as it" presented a witness who can "explain and be cross-examined concerning the manner in which the records are made and kept." Further, the judge ordered that the Government is not obligated to turn over evidence that it does not possess (e.g. "the original or a copy of the Yahoo! photo server and server files" or "the physical location of the original server files").

'''Krumwiede v. Brighton Associates, LLC, 2006 WL 1308629 (N.D. Ill. May 8, 2006)'''<br />
Default judgment was granted for deleting, altering and accessing electronic data despite a litigation hold. The plaintiff deleted files through a combination of "deliberate movement of file data, admitted deletion activities, multiple use of defrag, use of ZIP file to conceal or transport [the defendants'] data, [and use of] multiple USB devices [to] intend to destroy evidence." Summary judgment was entered against the plaintiff for interfering with the discovery process.

== Further Information ==

* [http://www.setecinvestigations.com/resources/casesummaries.php http://www.setecinvestigations.com/resources/casesummaries.php]
* [http://www.iediscovery.com/resources/lawlibrary http://www.iediscovery.com/resources/lawlibrary]
* [https://extranet1.klgates.com/ediscovery/Search.aspx https://extranet1.klgates.com/ediscovery/Search.aspx]

* [http://www.lawandforensics.com/evaluate-digital-forensic-report-part-1-4/ How to Evaluate a Digital Forensic Report – Part 1: A Brief History of Digital Forensics], by Daniel B. Garrie, January 31, 2014
* [http://www.lawandforensics.com/evaluate-digital-forensic-report-part-2-4/ How to Evaluate a Digital Forensic Report – Part 2: Daubert], by Daniel B. Garrie, February 4, 2014
* [http://www.lawandforensics.com/evaluate-digital-forensic-report-part-3-4/ How to Evaluate a Digital Forensic Report – Part 3: Experts], by Daniel B. Garrie, February 10, 2014
* [http://www.lawandforensics.com/evaluate-digital-forensic-report-part-4-4/ How to Evaluate a Digital Forensic Report – Part 4 & Conclusion], by Daniel B. Garrie, February 14, 2014

[[Category:Law]]

Plaso

{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, and produce a single correlated timeline. Forensic investigators and analysts can then work from that one timeline instead of each source separately, which speeds up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

The information below is based on version 1.1.0.

=== Storage Media Image File Formats ===

Storage media image file format support is provided by [[dfvfs]].

=== Volume System Formats ===

Volume system format support is provided by [[dfvfs]].

=== File System Formats ===

File system format support is provided by [[dfvfs]].

=== File formats ===

* Apple System Log (ASL)
* Basic Security Module (BSM)
* Bencode files
* [[Google Chrome|Chrome cache files]]
* CUPS IPP
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* Firefox Cache
* Java IDX
* Mac OS X Application Firewall
* Mac OS X Keychain
* Mac OS X Securityd
* Mac OS X Wifi
* ([[SleuthKit]]) mactime logs
* McAfee Anti-Virus Logs
* Microsoft [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* [[OLE Compound File]] using [[libolecf]]
* [[Opera|Opera Browser history]]
* OpenXML
* Pcap files
* Popularity Contest log
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
* SELinux audit logs
* SkyDrive log and error log files
* [[SQLite database format]] using [[SQLite]]
* Symantec AV Corporate Edition and Endpoint Protection log
* Syslog
* UTMP
* UTMPX
* [[Windows Event Log (EVT)]] using [[libevt]]
* Windows Firewall
* Windows Job files (also known as "at jobs")
* Windows Prefetch files
* Windows Recycle bin (INFO2 and $I/$R)
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Xchat and Xchat scrollback files

=== Bencode file formats ===

* Transmission
* uTorrent

=== ESE database file formats ===

* Internet Explorer WebCache format

=== OLE Compound File formats ===

* Document summary information
* Summary information (top-level only)

=== Property list (plist) formats ===

* Airport
* Apple Account
* Bluetooth
* Install History
* iPod/iPhone
* Mac User
* Safari history
* Software Update
* Spotlight
* Spotlight Volume Information
* Timemachine

=== SQLite database file formats ===

* Android call logs
* Android SMS
* Chrome cookies
* [[Google Chrome|Chrome browsing and downloads history]]
* [[Mozilla Firefox|Firefox browsing and downloads history]]
* Google Drive
* Launch services quarantine events
* MacKeeper cache
* Mac OS X document versions
* Skype text conversations
* [[Zeitgeist|Zeitgeist activity database]]

=== [[Windows Registry]] formats ===

* [[Windows Application Compatibility|AppCompatCache]]
* CCleaner
* Less Frequently Used
* MountPoints2
* MRUList and MRUListEx (no shell item support)
* [[Internet Explorer|MSIE Zones]]
* Office MRU
* Outlook Search
* Run Keys
* Services
* Terminal Server MRU
* Typed URLs
* USBStor
* UserAssist
* WinRAR
* Windows version information

== History ==

Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]], [[dfvfs]] and various other projects.

== See Also ==

* [[dfvfs]]
* [[log2timeline]]

== External Links ==

* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

Revision as of 01:48, 4 June 2014
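To make concrete what the super-timeline approach described in the Plaso introduction above actually does, here is an added example written for this page; it is not plaso's own code (plaso's parser and storage framework are far larger), just the core idea: normalise unrelated artifact types into one event model and sort them into a single chronological timeline. Both inputs are constructed samples: a SleuthKit body file (the mactime input format plaso lists among its supported formats) with epoch-second timestamps, and classic syslog lines, which carry neither year nor timezone, so the year is supplied by the caller and UTC is assumed. The hostname, user, paths and addresses in the samples, the `Event` class and the function names are assumptions for the illustration, and the MACB and l2t_csv column handling is a deliberate simplification of what plaso emits.

```python
"""Toy super-timeline builder in the spirit of plaso/log2timeline.

Added example for this page, not plaso's own code. It parses two
constructed inputs into one chronologically sorted timeline:
  * a SleuthKit body file (the "mactime" input format plaso lists),
    whose four timestamps are epoch seconds;
  * classic syslog lines, which carry no year and no timezone, so the
    caller supplies the year and a timezone is assumed (UTC here).
"""
import datetime as dt
import re
from dataclasses import dataclass

UTC = dt.timezone.utc


@dataclass(frozen=True, order=True)
class Event:
    timestamp: dt.datetime   # always UTC, so events from any source sort together
    source: str              # short source label, like the l2t_csv "source" column
    macb: str                # mactime flags: m=modified a=accessed c=changed b=born
    message: str


# Constructed sample body file (what `fls -m / image.dd` would print):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
BODY_FILE = """\
0|/home/alice/.bash_history|1234|r/rrw-------|1000|1000|2048|1388581205|1388585100|1388585100|1388448000
0|/etc/sudoers|5678|r/rr--r-----|0|0|755|1388584830|1388584830|1388584830|1388448000
"""

# Constructed sample syslog lines (hypothetical host, user and addresses).
SYSLOG = """\
Jan  1 13:00:00 host sshd[2002]: Accepted password for alice from 10.0.0.5 port 52211 ssh2
Jan  1 14:00:00 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/visudo
"""


def parse_body_file(text):
    """One Event per distinct non-zero timestamp of each file, mactime style."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"malformed body-file line: {line!r}")
        name, inode = fields[1], fields[2]
        atime, mtime, ctime, crtime = (int(f) for f in fields[7:11])
        # mactime collapses equal timestamps into one row and marks which of
        # the four values that row carries in a "macb" column ("." = not this one).
        by_ts = {}
        for flag, value in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if value:
                by_ts.setdefault(value, set()).add(flag)
        for value, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            events.append(Event(dt.datetime.fromtimestamp(value, UTC), "FILE", macb,
                                f"{name} (inode {inode})"))
    return events


SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                       r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"), 1)}


def parse_syslog(text, year, tz=UTC):
    """Classic syslog has no year: take it from the caller and bump it when the
    month goes backwards (a log that ran from December into January)."""
    events, last_month = [], 0
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # not a classic syslog line; a real parser would report it
        month = MONTHS[m["mon"]]
        if month < last_month:
            year += 1
        last_month = month
        hour, minute, second = (int(x) for x in m["time"].split(":"))
        local = dt.datetime(year, month, int(m["day"]), hour, minute, second, tzinfo=tz)
        # "...." mirrors how l2t_csv shows the MACB column for non-filesystem events
        events.append(Event(local.astimezone(UTC), "LOG", "....", f"{m['host']} {m['msg']}"))
    return events


def build_timeline(year=2014):
    """Merge every source into one list sorted by UTC timestamp (the 'super timeline')."""
    return sorted(parse_body_file(BODY_FILE) + parse_syslog(SYSLOG, year))


def to_l2t_rows(events):
    """First columns of plaso's l2t_csv layout: date,time,timezone,MACB,source,desc."""
    return [(e.timestamp.strftime("%m/%d/%Y"), e.timestamp.strftime("%H:%M:%S"),
             "UTC", e.macb, e.source, e.message) for e in events]


if __name__ == "__main__":
    print("date,time,timezone,MACB,source,desc")
    for row in to_l2t_rows(build_timeline()):
        print(",".join(row))
```

Running it prints the merged timeline as l2t_csv-like rows; the `visudo` entry taken from syslog lands directly before the `/etc/sudoers` modification taken from the file system, which is exactly the cross-source correlation a super timeline exists to expose. Two caveats carry over to real tools: syslog's missing year has to be guessed (the example bumps the year when the month goes backwards, which is the kind of assumption every syslog parser makes and a classic source of wrongly dated events), and every source must be converted to one timezone before sorting, or the ordering is meaningless.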
