Category: Forensics. Tags: forensics, timeline, super-timeline, log2timeline, plaso, dfvfs, artifacts

plaso

Plaso is a Python-based back-end engine for creating super timelines from various log files and forensic artifacts. It enables forensic investigators to parse and correlate information from computer systems and network equipment into a single timeline for analysis.

Description

Plaso (plaso langar að safna öllu, Icelandic for "plaso wants to collect everything") provides a single toolset to parse diverse log files and forensic artifacts, producing a correlated super timeline. This speeds up investigations by consolidating the large volume of timestamped data found on an average computer system into one format that can be sorted, filtered and analyzed as a whole. The 'plaso' metapackage depends on 'python3-plaso', which contains the core libraries and the command-line scripts.

Key use cases are digital forensics investigations where analysts need to timeline events across storage media images, directories, or devices. log2timeline extracts events recursively, descending into archives and VSS stores and applying the selected parsers. plaso-image_export exports files from images, including files only present in VSS snapshots; plaso-pinfo shows details about a storage file; plaso-psort filters, sorts and processes a storage file into an output format; and plaso-psteal runs extraction and output in one step, writing a timeline (CSV by default) straight from a source.

The ecosystem relies on extensive dependencies for parsing formats like EWF, NTFS, APFS, registry hives, event logs, and more, making it comprehensive for Windows, macOS, and Linux artifacts.

How It Works

Plaso operates as a backend engine using Python libraries to parse forensic artifacts and logs via specialized parsers (e.g., libevtx for Windows Event Logs, libfsntfs for NTFS). log2timeline recursively processes sources like disk images or directories, extracting events into a storage file (default SQLite format). Events include timestamps, sources, and metadata, correlated into a super timeline. Storage files can be analyzed with psort for filtering/time-slicing, pinfo for metadata, or exported via image_export. Supports VSS, archives (tar/zip), YARA rules, hashers, and artifact filters for targeted collection.
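The pipeline above (parsers normalise heterogeneous records into timestamped events, the events are merged into one UTC-ordered timeline, and psort cuts a slice around a pivot time) is small enough to show end to end. The following is an added illustration written for this page, not plaso's own code: it parses two constructed log sources, a syslog excerpt and Windows Event Log style records, into one timeline and applies a `--slice`-style window. Parser names, field names, the sample lines and the `parse_iso_utc` helper are all assumptions made for the example. One caveat it makes explicit: syslog lines carry neither a year nor a timezone, so the caller must supply both, which is exactly why log2timeline has a `--timezone` option for sources whose timestamps are in local time.

```python
"""Toy super-timeline builder modelled on plaso's extract -> merge -> slice flow.

Added example, not plaso code. Two constructed sources are normalised into
one UTC-ordered event list, then a time slice is cut around a pivot the way
`psort --slice` does.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: syslog lines (no year, no timezone in the format).
SYSLOG_LINES = [
    "Mar 14 09:15:02 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 14 09:17:45 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]

# Constructed sample input: Windows event records with ISO 8601 UTC timestamps.
EVTX_RECORDS = [
    {"TimeCreated": "2024-03-14T09:16:10Z", "EventID": 4624, "Computer": "WS01",
     "Message": "An account was successfully logged on"},
    {"TimeCreated": "2024-03-14T11:02:30Z", "EventID": 4720, "Computer": "WS01",
     "Message": "A user account was created"},
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>[ \d]\d) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_iso_utc(text):
    """Parse an ISO 8601 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(lines, year, tz=timezone.utc):
    """Syslog parser. The format omits year and zone, so the caller supplies them
    (plaso's equivalent is its year heuristics plus the --timezone option)."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip, as a real parser would log and continue
        local = datetime.strptime(
            f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=tz)
        events.append({
            "timestamp": local.astimezone(timezone.utc),
            "source": "LOG", "sourcetype": "syslog",
            "host": m["host"], "message": m["msg"],
        })
    return events


def parse_evtx(records):
    """Event Log parser: timestamps are already UTC, so only field mapping is needed."""
    return [{
        "timestamp": parse_iso_utc(r["TimeCreated"]),
        "source": "EVT", "sourcetype": "WinEVTX",
        "host": r["Computer"], "message": f"[{r['EventID']}] {r['Message']}",
    } for r in records]


def build_timeline(*event_lists):
    """The super timeline: every parser's output merged and sorted by UTC timestamp."""
    merged = [e for lst in event_lists for e in lst]
    return sorted(merged, key=lambda e: (e["timestamp"], e["source"]))


def time_slice(timeline, pivot, minutes=5):
    """Keep only events within +/- `minutes` of `pivot` (psort --slice style)."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e["timestamp"] <= hi]


def format_l2t(e):
    """Render one event as a l2tcsv-like row: date,time,zone,source,sourcetype,host,desc."""
    ts = e["timestamp"]
    return ",".join([ts.strftime("%m/%d/%Y"), ts.strftime("%H:%M:%S"), "UTC",
                     e["source"], e["sourcetype"], e["host"], e["message"]])


if __name__ == "__main__":
    timeline = build_timeline(parse_syslog(SYSLOG_LINES, 2024), parse_evtx(EVTX_RECORDS))
    for event in timeline:
        print(format_l2t(event))
    print("--- slice around 09:16 UTC, +/- 5 minutes ---")
    for event in time_slice(timeline, parse_iso_utc("2024-03-14T09:16:00Z"), 5):
        print(format_l2t(event))
```

Run it and the merged output interleaves the SSH login from syslog with the Windows 4624 logon that happened between the two syslog lines; the slice then drops the 11:02 account creation that lies outside the window. The interesting work in the real tool is in the parsers and in getting timestamps into one zone correctly, which is why checking `--timezone` against the source system's clock is worth doing before trusting a merged timeline.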

Installation

```bash
sudo apt install plaso
```

Flags

--troubles: Show troubleshooting information.
-V, --version: Show the version information.
-d, --debug: Enable debug output.
-q, --quiet: Disable informational output.
-u, --unattended: Enable unattended mode and do not ask the user for additional input when needed, but terminate with an error instead.
--artifact_definitions PATH: Path to artifact definitions.
--archives TYPES: Define a list of archive and storage media image types for which to process embedded file entries.
--vss_stores VSS_STORES: Specify VSS stores to process.
--slice DATE_TIME: Date and time to create a time slice around.
--analysis PLUGIN_LIST: A comma separated list of analysis plugin names to be loaded.

Examples

The first examples use the upstream script names (log2timeline.py, psteal.py); the Kali package installs the same tools as plaso-log2timeline, plaso-psteal, plaso-psort, plaso-pinfo and plaso-image_export. Note also that recent plaso releases take the storage file via --storage_file rather than as the first positional argument, so check plaso-log2timeline --help for the installed version.

Run the tool against a storage media image (full kitchen sink):

```bash
log2timeline.py /cases/mycase/storage.plaso ímynd.dd
```

Indicate some of the options on the command line (including data from particular VSS stores):

```bash
log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01
```

Build a timeline using psteal from a source image to a text file:

```bash
psteal.py --source ímynd.dd -w imynd.timeline.txt
```

Export files inside an image, both from the regular RAW image and from inside a VSS:

```bash
plaso-image_export IMAGE
```

Show information about a Plaso storage file, for example how it was collected:

```bash
plaso-pinfo PATH
```

Read, filter and process output from a Plaso storage file including all events:

```bash
plaso-psort -a -o FORMAT -w OUTPUT_FILE INPUT
```

Print information about supported plugins and parsers:

```bash
plaso-log2timeline --info
```
Updated 2026-04-16 (kali.org)