Open Source DFIR

  Plaso 20260119 released The Plaso team is delighted to announce a new Plaso release, 20260119. This release has a mixture of new features and under the hood improvements. Notable changes Changes for compatibility with OpenSearch 2.5 and later ( #4997 ) with thanks to @jaegeral Added support for Firefox 118+ download end time ( /#5019 ) and improvement to AppCompatCache parser ( #5025 ) with thanks to @Spferical Changes to use pyproject.toml ( #5015 ) Changes to Windows EventLogs parameter expansion ( #5023 ) The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone . Upcoming changes in future releases Extend support for Windows 10 push notification databases ( #4458 ) Continued work on pre-processing and knowledge base ( #4543 ). Move image export to the dfImageTools project ( #1 ). Where/how to get Plaso 20260119? See Plaso's Users' Guide . The development team recommends using Docker to install Plaso without hassle.  If Docker does...

  Plaso 20250918 released This post has been pending for a while, but the Plaso team is delighted to announce a new Plaso release, 20250918. This release has a mixture of new features and under the hood improvements. Notable changes Added motherboard information Windows Registry plugin ( #4953 ) with thanks to @elad-levi-cyberark Changes to image export to map extracted files to artifact definitions ( #4949 ) with thanks to @sa3eed3ed Changes to Google Cloud audit logs parser ( #4923 ) with thanks to @roshanmaskey Changed amcache.hve parser to extract file identifier and application key modification time ( #4942 ) with thanks to @coperni Changes to IIS parser ( #4904 , #4910 , #4911 ) with thanks to @pyllyukko Changes to run plaso as user in Docker ( #4975 ) The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone . Upcoming changes in future releases Extend support for Windows 10 push notification databases ( #4458 ) Continued work on pre-p...

I found  /usr/bin/lesspipe.sh  and  ~/.lessfilter . ⚠️ This post is in no way detailing a vulnerability or exploit . I am sharing a novel persistence mechanism that I was not aware of until recently. I am writing this post because I do not believe many defenders — SOC, DFIR and system administrators alike — know about this. Not MITRE ATT&CK nor GTFOBins.com include this level of detail in their respective repositories, either. Re-Introducing the less Command The less program, normally located at /usr/bin/less , is a well-known pager that comes prebaked in *nix operating systems. The less program allows a user to view a file via mouse scroll, to regex search, and even list the contents of compressed archives. We’ll talk more about that last part later. Recently I was perusing my environment variables (envar) on my Linux-based system and found this “.sh” file that was just screaming for me to investigate further. env ...skipping LESSOPEN=||/usr/bin/lesspipe.sh %s PAG...

Unlocking Fleetspeak Large Scale and Reliability with Cloud Spanner Authored by Frank Tobia, Ike Okoro, Matt Pfeiffer and Dan Aschwanden If GRR and Fleetspeak are foundational tools to do Digital Forensics and Incident Response (DFIR), you likely have experienced its database becoming a key challenge as you scale towards tens of thousands of endpoints. The database handles the constant flow of messages, tracks client states, and manages operational data, and under heavy load, performance and stability can become significant concerns. In this article we introduce a fundamental update that elevates Fleetspeak's datastore infrastructure, making it ready for the most demanding, large-scale deployments with the addition of Google Cloud Spanner as a new datastore option . Fleetspeak is GRR’s communication layer. The Fleetspeak frontend (server) exchanges Protocol Buffer based messages with Fleetspeak agents (clients) on behalf of GRR, providing GRR with a communication conduit. It ...