Convert Figma logo to code with AI

log2timeline logoplaso

Super timeline all the things

1,696
334
1,696
285
View on GitHub

Top Related Projects

google's avatar

grr

4,747

GRR Rapid Response: remote live forensics for incident response

sleuthkit's avatar

autopsy

2,356

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

volatilityfoundation's avatar

volatility

7,169

An advanced memory forensics framework

dfir-iris's avatar

iris-web

1,026

Collaborative Incident Response platform

ForensicArtifacts's avatar

artifacts

1,034

Digital Forensics artifact repository

Quick Overview

Plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the log2timeline tool. It's designed for automatic creation of super timelines, providing a single timeline of events from various log files and artifacts found on computer systems. Plaso is used in digital forensics and incident response to analyze system activity over time.

Pros

  • Supports a wide range of file formats and artifacts
  • Highly extensible through plugins and parsers
  • Capable of processing large volumes of data efficiently
  • Integrates well with other forensic tools and workflows

Cons

  • Steep learning curve for beginners
  • Documentation can be complex and sometimes outdated
  • Performance can be slow on older hardware or with very large datasets
  • Requires significant system resources for processing large volumes of data

Code Examples

# Initialize the storage writer and processor
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
    storage_format, path)
knowledge_base = knowledge_base.KnowledgeBase()
processor = engine.ProcessingEngine(storage_writer, knowledge_base)

# Add a path to be processed
path_spec = path_spec_factory.Factory.NewPathSpec(
    dfvfs_definitions.TYPE_INDICATOR_OS, location=source_path)
processor.ProcessSources([path_spec])

# Start processing
processor.Start()
processor.Wait()
processor.SignalAbort()

This example shows how to initialize the Plaso processing engine and process a source path.

# Create a storage reader
storage_reader = storage_factory.StorageFactory.CreateStorageReader(storage_path)

# Create an output module
output_mediator = output_mediator.OutputMediator(
    knowledge_base_object=knowledge_base,
    data_location=data_location)
output_module = output_manager.OutputManager.NewOutputModule(
    output_format,
    output_mediator)

# Extract events
with output_module:
    event_object = storage_reader.GetNextEvent()
    while event_object:
        output_module.WriteEventBody(event_object)
        event_object = storage_reader.GetNextEvent()

This example demonstrates how to read events from a Plaso storage file and write them using an output module.

Getting Started

  1. Install Plaso:

    pip install plaso

  2. Process a source and create a storage file:

    log2timeline.py timeline.plaso /path/to/evidence

  3. Generate a report from the storage file:

    psort.py -o l2tcsv -w timeline.csv timeline.plaso

These steps will install Plaso, process a source directory or file, and generate a CSV report of the timeline.

Competitor Comparisons

google logo

grr

4,747

GRR Rapid Response: remote live forensics for incident response

Pros of GRR

  • Designed for remote live forensics and incident response
  • Supports scalable fleet-wide investigations
  • Offers a user-friendly web interface for investigations

Cons of GRR

  • Requires agent installation on target systems
  • More complex setup and maintenance
  • Primarily focused on Windows systems

Code Comparison

GRR (Python):

class GRRClientAction(actions.ActionPlugin):
  in_rdfvalue = None
  out_rdfvalues = [rdfvalue.StatEntry]

  def Run(self, args):
    return self.stat(args.path)

Plaso (Python):

class FileStatEventFormatter(interface.ConditionalEventFormatter):
  DATA_TYPE = 'fs:stat'
  FORMAT_STRING_PIECES = [
    '{filename}',
    'Type: {file_entry_type}',
    'Inode: {inode}',
    '{file_size}'
  ]

Both projects use Python and focus on digital forensics, but their approaches differ. GRR is geared towards remote live forensics with a client-server architecture, while Plaso is a standalone tool for log parsing and timeline creation. GRR's code emphasizes remote actions and data collection, whereas Plaso's code centers around event parsing and formatting.

sleuthkit logo

autopsy

2,356

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

Pros of Autopsy

  • User-friendly GUI for digital forensics investigations
  • Supports a wide range of file systems and artifact types
  • Extensible through third-party modules and plugins

Cons of Autopsy

  • Less flexible for custom parsing and analysis compared to Plaso
  • May be slower for processing large datasets
  • Limited command-line capabilities

Code Comparison

Autopsy (Java):

public class AutopsyIngestModuleFactory implements IngestModuleFactory {
    @Override
    public String getModuleDisplayName() {
        return "Custom Ingest Module";
    }
    // ...
}

Plaso (Python):

class CustomParser(interface.FileObjectParser):
    def ParseFileObject(self, parser_mediator, file_object):
        # Custom parsing logic here
        event = time_events.DateTimeValuesEvent(
            timestamp, 'Custom Event')
        parser_mediator.ProduceEventWithEventData(event, event_data)

The code snippets demonstrate the different approaches to extending functionality in each tool. Autopsy uses Java and focuses on ingest modules, while Plaso uses Python and emphasizes custom parsers for various data sources.

volatilityfoundation logo

volatility

7,169

An advanced memory forensics framework

Pros of Volatility

  • Specialized in memory forensics, offering deep analysis of RAM dumps
  • Extensive plugin ecosystem for customized analysis
  • Supports a wide range of operating systems and architectures

Cons of Volatility

  • Limited to memory analysis, not as versatile for full system forensics
  • Steeper learning curve for beginners
  • Requires specific memory dump formats, which can be challenging to obtain

Code Comparison

Volatility (Python):

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks

class ProcessList(common.AbstractWindowsCommand):
    def calculate(self):
        addr_space = utils.load_as(self._config)
        return tasks.pslist(addr_space)

Plaso (Python):

from plaso.parsers import interface
from plaso.lib import definitions

class CustomParser(interface.FileObjectParser):
    NAME = 'custom_parser'
    DATA_FORMAT = 'Custom log format'

    def ParseFileObject(self, parser_mediator, file_object):
        # Custom parsing logic here
        event = self._CreateEvent(definitions.TIME_DESCRIPTION_WRITTEN,
                                  timestamp, 'Custom Event')
        parser_mediator.ProduceEvent(event)

Both projects use Python and offer extensibility through plugins or custom parsers. Volatility focuses on memory analysis with specific APIs for Windows internals, while Plaso provides a more general framework for parsing various data sources and creating timeline events.

dfir-iris logo

iris-web

1,026

Collaborative Incident Response platform

Pros of IRIS-Web

  • Web-based interface for collaborative investigations
  • Integrated case management and reporting features
  • Supports multiple data sources and analysis modules

Cons of IRIS-Web

  • Less focused on timeline analysis compared to Plaso
  • May require more setup and infrastructure
  • Potentially steeper learning curve for new users

Code Comparison

IRIS-Web (Python/Django):

class CaseViewSet(viewsets.ModelViewSet):
    queryset = Case.objects.all()
    serializer_class = CaseSerializer
    permission_classes = [IsAuthenticated]

Plaso (Python):

class PlasoEventFormatter(interface.EventFormatter):
    DATA_TYPE = 'plaso:event'
    FORMAT_STRING = '{timestamp}: {message}'

Both projects are written in Python, but IRIS-Web uses Django for web development, while Plaso focuses on command-line tools and libraries for timeline analysis.

IRIS-Web provides a more comprehensive investigation platform with a web interface, while Plaso specializes in timeline creation and analysis from various data sources. IRIS-Web may be better suited for team collaborations and case management, whereas Plaso excels in detailed forensic timeline analysis and is more easily integrated into existing workflows or custom scripts.

ForensicArtifacts logo

artifacts

1,034

Digital Forensics artifact repository

Pros of artifacts

  • Focused on defining and managing forensic artifacts
  • Lightweight and easy to integrate into other tools
  • Community-driven artifact definitions

Cons of artifacts

  • Limited to artifact definitions, not a full forensic analysis tool
  • Requires additional tools for data collection and analysis
  • Smaller community and less frequent updates

Code comparison

artifacts:

name: Windows Prefetch Files
doc: Windows Prefetch files.
sources:
- type: FILE
  attributes:
    paths:
      - '%windir%\Prefetch\*.pf'
labels: [System]
supported_os: [Windows]

plaso:

class WinPrefetchParser(interface.FileObjectParser):
  """Parser for Windows Prefetch files."""

  NAME = 'prefetch'
  DESCRIPTION = 'Parser for Windows Prefetch files.'

  def ParseFileObject(self, parser_mediator, file_object):
    """Parses a Windows Prefetch file-like object."""
    # Parsing logic here

The artifacts repository focuses on defining forensic artifacts in YAML format, while plaso implements parsers and analysis logic in Python. Artifacts provides a standardized way to describe data sources, while plaso offers a complete forensic timeline analysis solution.

Plaso is more comprehensive, integrating various parsers and analysis capabilities. Artifacts, on the other hand, is more flexible and can be used with different tools and frameworks. The choice between them depends on specific forensic analysis needs and existing toolsets.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Plaso (Plaso Langar Að Safna Öllu) - super timeline all the things

Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.

These timelines support digital forensic investigators/analysts, to correlate the large amount of information found in logs and other files found on an average computer.

A longer version

The initial purpose of Plaso was to collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline).

However Plaso has become a framework that supports:

  • adding new parsers or parsing plug-ins;
  • adding new analysis plug-ins;
  • writing one-off scripts to automate repetitive tasks in computer forensic analysis or equivalent.

And is moving to support:

  • adding new general purpose parses/plugins that may not have timestamps associated to them;
  • adding more analysis context;
  • tagging events;
  • allowing more targeted approach to the collection/parsing.

Also see