Top Related Projects
GRR Rapid Response: remote live forensics for incident response
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
An advanced memory forensics framework
Collaborative Incident Response platform
Digital Forensics artifact repository
Quick Overview
Plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the log2timeline tool. It's designed for automatic creation of super timelines, providing a single timeline of events from various log files and artifacts found on computer systems. Plaso is used in digital forensics and incident response to analyze system activity over time.
Pros
- Supports a wide range of file formats and artifacts
- Highly extensible through plugins and parsers
- Capable of processing large volumes of data efficiently
- Integrates well with other forensic tools and workflows
Cons
- Steep learning curve for beginners
- Documentation can be complex and sometimes outdated
- Performance can be slow on older hardware or with very large datasets
- Requires significant system resources for processing large volumes of data
Code Examples
# Initialize the storage writer and processor
storage_writer = storage_factory.StorageFactory.CreateStorageWriter(
storage_format, path)
knowledge_base = knowledge_base.KnowledgeBase()
processor = engine.ProcessingEngine(storage_writer, knowledge_base)
# Add a path to be processed
path_spec = path_spec_factory.Factory.NewPathSpec(
dfvfs_definitions.TYPE_INDICATOR_OS, location=source_path)
processor.ProcessSources([path_spec])
# Start processing
processor.Start()
processor.Wait()
processor.SignalAbort()
This example shows how to initialize the Plaso processing engine and process a source path.
# Create a storage reader
storage_reader = storage_factory.StorageFactory.CreateStorageReader(storage_path)
# Create an output module
output_mediator = output_mediator.OutputMediator(
knowledge_base_object=knowledge_base,
data_location=data_location)
output_module = output_manager.OutputManager.NewOutputModule(
output_format,
output_mediator)
# Extract events
with output_module:
event_object = storage_reader.GetNextEvent()
while event_object:
output_module.WriteEventBody(event_object)
event_object = storage_reader.GetNextEvent()
This example demonstrates how to read events from a Plaso storage file and write them using an output module.
Getting Started
-
Install Plaso:
pip install plaso
-
Process a source and create a storage file:
log2timeline.py timeline.plaso /path/to/evidence
-
Generate a report from the storage file:
psort.py -o l2tcsv -w timeline.csv timeline.plaso
These steps will install Plaso, process a source directory or file, and generate a CSV report of the timeline.
Competitor Comparisons
GRR Rapid Response: remote live forensics for incident response
Pros of GRR
- Designed for remote live forensics and incident response
- Supports scalable fleet-wide investigations
- Offers a user-friendly web interface for investigations
Cons of GRR
- Requires agent installation on target systems
- More complex setup and maintenance
- Primarily focused on Windows systems
Code Comparison
GRR (Python):
class GRRClientAction(actions.ActionPlugin):
in_rdfvalue = None
out_rdfvalues = [rdfvalue.StatEntry]
def Run(self, args):
return self.stat(args.path)
Plaso (Python):
class FileStatEventFormatter(interface.ConditionalEventFormatter):
DATA_TYPE = 'fs:stat'
FORMAT_STRING_PIECES = [
'{filename}',
'Type: {file_entry_type}',
'Inode: {inode}',
'{file_size}'
]
Both projects use Python and focus on digital forensics, but their approaches differ. GRR is geared towards remote live forensics with a client-server architecture, while Plaso is a standalone tool for log parsing and timeline creation. GRR's code emphasizes remote actions and data collection, whereas Plaso's code centers around event parsing and formatting.
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
Pros of Autopsy
- User-friendly GUI for digital forensics investigations
- Supports a wide range of file systems and artifact types
- Extensible through third-party modules and plugins
Cons of Autopsy
- Less flexible for custom parsing and analysis compared to Plaso
- May be slower for processing large datasets
- Limited command-line capabilities
Code Comparison
Autopsy (Java):
public class AutopsyIngestModuleFactory implements IngestModuleFactory {
@Override
public String getModuleDisplayName() {
return "Custom Ingest Module";
}
// ...
}
Plaso (Python):
class CustomParser(interface.FileObjectParser):
def ParseFileObject(self, parser_mediator, file_object):
# Custom parsing logic here
event = time_events.DateTimeValuesEvent(
timestamp, 'Custom Event')
parser_mediator.ProduceEventWithEventData(event, event_data)
The code snippets demonstrate the different approaches to extending functionality in each tool. Autopsy uses Java and focuses on ingest modules, while Plaso uses Python and emphasizes custom parsers for various data sources.
An advanced memory forensics framework
Pros of Volatility
- Specialized in memory forensics, offering deep analysis of RAM dumps
- Extensive plugin ecosystem for customized analysis
- Supports a wide range of operating systems and architectures
Cons of Volatility
- Limited to memory analysis, not as versatile for full system forensics
- Steeper learning curve for beginners
- Requires specific memory dump formats, which can be challenging to obtain
Code Comparison
Volatility (Python):
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
class ProcessList(common.AbstractWindowsCommand):
def calculate(self):
addr_space = utils.load_as(self._config)
return tasks.pslist(addr_space)
Plaso (Python):
from plaso.parsers import interface
from plaso.lib import definitions
class CustomParser(interface.FileObjectParser):
NAME = 'custom_parser'
DATA_FORMAT = 'Custom log format'
def ParseFileObject(self, parser_mediator, file_object):
# Custom parsing logic here
event = self._CreateEvent(definitions.TIME_DESCRIPTION_WRITTEN,
timestamp, 'Custom Event')
parser_mediator.ProduceEvent(event)
Both projects use Python and offer extensibility through plugins or custom parsers. Volatility focuses on memory analysis with specific APIs for Windows internals, while Plaso provides a more general framework for parsing various data sources and creating timeline events.
Collaborative Incident Response platform
Pros of IRIS-Web
- Web-based interface for collaborative investigations
- Integrated case management and reporting features
- Supports multiple data sources and analysis modules
Cons of IRIS-Web
- Less focused on timeline analysis compared to Plaso
- May require more setup and infrastructure
- Potentially steeper learning curve for new users
Code Comparison
IRIS-Web (Python/Django):
class CaseViewSet(viewsets.ModelViewSet):
queryset = Case.objects.all()
serializer_class = CaseSerializer
permission_classes = [IsAuthenticated]
Plaso (Python):
class PlasoEventFormatter(interface.EventFormatter):
DATA_TYPE = 'plaso:event'
FORMAT_STRING = '{timestamp}: {message}'
Both projects are written in Python, but IRIS-Web uses Django for web development, while Plaso focuses on command-line tools and libraries for timeline analysis.
IRIS-Web provides a more comprehensive investigation platform with a web interface, while Plaso specializes in timeline creation and analysis from various data sources. IRIS-Web may be better suited for team collaborations and case management, whereas Plaso excels in detailed forensic timeline analysis and is more easily integrated into existing workflows or custom scripts.
Digital Forensics artifact repository
Pros of artifacts
- Focused on defining and managing forensic artifacts
- Lightweight and easy to integrate into other tools
- Community-driven artifact definitions
Cons of artifacts
- Limited to artifact definitions, not a full forensic analysis tool
- Requires additional tools for data collection and analysis
- Smaller community and less frequent updates
Code comparison
artifacts:
name: Windows Prefetch Files
doc: Windows Prefetch files.
sources:
- type: FILE
attributes:
paths:
- '%windir%\Prefetch\*.pf'
labels: [System]
supported_os: [Windows]
plaso:
class WinPrefetchParser(interface.FileObjectParser):
"""Parser for Windows Prefetch files."""
NAME = 'prefetch'
DESCRIPTION = 'Parser for Windows Prefetch files.'
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Prefetch file-like object."""
# Parsing logic here
The artifacts repository focuses on defining forensic artifacts in YAML format, while plaso implements parsers and analysis logic in Python. Artifacts provides a standardized way to describe data sources, while plaso offers a complete forensic timeline analysis solution.
Plaso is more comprehensive, integrating various parsers and analysis capabilities. Artifacts, on the other hand, is more flexible and can be used with different tools and frameworks. The choice between them depends on specific forensic analysis needs and existing toolsets.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Plaso (Plaso Langar Að Safna Ãllu) - super timeline all the things
Plaso (Plaso Langar Að Safna Ãllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.
These timelines support digital forensic investigators/analysts, to correlate the large amount of information found in logs and other files found on an average computer.
A longer version
The initial purpose of Plaso was to collect all timestamped events of interest on a computer system and have them aggregated in a single place for computer forensic analysis (aka Super Timeline).
However Plaso has become a framework that supports:
- adding new parsers or parsing plug-ins;
- adding new analysis plug-ins;
- writing one-off scripts to automate repetitive tasks in computer forensic analysis or equivalent.
And is moving to support:
- adding new general purpose parses/plugins that may not have timestamps associated to them;
- adding more analysis context;
- tagging events;
- allowing more targeted approach to the collection/parsing.
Also see
- Homepage
- Downloads
- Documentation
- Contact information:
- Plaso channel on Open Source DFIR Slack community
- Mailing list for general discussions: log2timeline-discuss
- Mailing list for development: log2timeline-dev
Top Related Projects
GRR Rapid Response: remote live forensics for incident response
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
An advanced memory forensics framework
Collaborative Incident Response platform
Digital Forensics artifact repository
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot