Open Source DFIR

  Plaso 20210606 released The Plaso team is pleased to announce a new Plaso release, 20210606. This release has a mixture of new features and under the hood improvements. Notable changes The “amcache” parser has been changed to a Windows Registry parser plugin and is now named “winreg/amcache”. If you’ve been referring to this parser by name, you’ll need to use its new name. In addition changes have been made to better support newer AMCache.hve formats. Initial support to directly read from Mac OS disk images (.dmg, .sparseimage, .sparsebundle) ( #3540 ). More details about which formats are supported can be found here . As mentioned in previous release notes, the default ext2, ext3 and ext4 dfVFS back-end is now libfsext/pyfsext ( #495 ), the default HFS+ and HFSX back-end is now libfshfs/pyfshfs ( #494 ) and the default GPT back-end is now libvsgpt/pyvsgpt . Changes to extract additional values of Chrome file download database (with thanks to @obsidianforensics ). Improved the resi

  Goal This article explains the importance and challenges of time in digital forensics and incident response. You will learn how time is handled in various open source tools and get practical tips on managing time in your environment. What is time? Wikipedia defines time as " ... the indefinite continued progress of existence and events that occur in an apparently irreversible succession from the past, through the present, into the future. " It is foundational to almost every interaction in modern society. It is also essential to modern information technology’s function and interactions with humans as well as other systems. How is time measured The question of how time is measured alone could fill hundreds of pages. It kept Galieo, Newton and Einstein busy for a lifetime. For the sake of this article we will simplify the consideration of time to the unit of measurement we call a “second” on planet Earth. A second can be defined as: "the duration of 9,192,631,770 [cycle

Plaso 20210412 released The Plaso team is pleased to announce a new Plaso release, 20210412. This release mainly has under the hood improvements and clean up. Notable changes The Timesketch output module has been removed ( #2560 ) in favor of the elastic_ts output module which is used by Timesketch importer. If you want to import Plaso timelines into Timesketch please use the Timesketch importer. Raw fields support has been removed from the elastic output module ( #3469 ). Markdown output format support has been added to pinfo.py ( #1175 ). The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone .  Upcoming changes in future releases The default back-end for GPT in will be changed to libvsgpt/pyvsgpt . Mac OS disk image (.dmg, .sparseimage, .sparsebundle) support ( #3540 ). Where/how to get Plaso 20210412? See Plaso's Users' Guide . The development team recommends using Docker to install Plaso without hassle.  If Docker does not fit yo