First alpha release of log2timeline version 1.0

By Anonymous
For a while now multiple people have been working on a completely new back-end of log2timeline, replacing the Perl-based version with a brand-new Python-based one, named: plaso. Now we are proud to present the first alpha release of (plaso) log2timeline version 1.0 (alpha).

What, plaso?

Plaso is the acronym for the Icelandic phrase "Plaso Langar Að Safna Öllu". Or for the few souls out there that do not speak Icelandic: "plaso wants to collect everything".

So what's new?

Plaso is a complete rewrite from the previous version of log2timeline. Now follow some highlights of what has changed:
  • Written in Python instead of Perl.
  • Multi-threaded processing.
  • Integration of the SleuthKit (TSK) for reading RAW image files.
  • Integration of libvshadow for reading Volume Shadow Snapshots (VSS).
  • Modular design; Plaso can be loaded as a single python module or its individual sub modules.
  • The log2timeline tool (or front-end) no longer supports defining an output method. Now there is only one output format available, namely a ZIP-container.
  • A new post-processing tool called psort, which replaces l2t_process, now supports the different output formats.
  • A lot more granular filtering possible (despite not all features available as of now).
  • Easier integration with other tools (with l2t_review being the first one using the new backend engine).

Tools

The tools that come with the alpha release of the 1.0 version are:
  • log2timeline
  • psort
  • plaso_console
  • plaso_information
log2timeline
Log2timeline is the main tool (front-end) that can be used create timelines. More information on log2timeline can be found here.

psort
Psort, yet another acronym meaning "Plaso Síar Og Raðar Þessu" for which the translation is left as an exercise for the reader, is the main post-processing tool for the data generated by log2timeline.

Since the main storage mechanism of (plaso) log2timeline is now a ZIP-container that contains binary data, this post-processing phase is necessary to translate this binary data into a more human-readable output. By default the output is sorted and exported in the l2t_csv format. More information on psort can be found here.

plaso_information
Again, since the output of log2timeline is a storage container (ZIP container) it has the capability to store additional information, or metadata information from the collection.

The intention of plaso_information is to provide a simple mechanism to read that metadata information and display it.

Usage information can be read here.

plaso_console
This is more of a "power" user tool that can be extremely efficient and good for analysis of the dataset if you know both how to program in Python and the inner workings of the tool (hence the expression that it is more geared towards power users).

This is an iPython console that loads up all the libraries of plaso and sets up the environment so all libraries and functions of plaso become immediately available to you. This can be used to extend the tool, test new things, perform advanced analysis on the data set, or ...

Some sample usage information can be found here.

Documentation

Additional documentation can be found on the main documentation website: http://plaso.kiddaland.net

With the addition of new features in the new version and changes in how it works the usage for log2timeline has changed. This site highlights some of the differences in usage between the 0.X branch and the new 1.X branch: http://plaso.kiddaland.net/usage/upgrading-from-0-x-branch

Installation

Since the new version now depends upon several C based libraries binaries will be distributed alongside the tool to make installation easier. A list of available downloads can be found here. And the tool now actually comes with a Windows executable, and more coming.

If your platform is not listed there, you can either build the tool by yourself or complain to some of the developers to add a binary for it.

Disclaimer

And again, since this is a complete rewrite all the modules or parsers have to be rewritten to work with the new version, which essentially means that the new version is not really capable of replacing the old version as of now. That means that for the time being 0.X branch of log2timeline (current version as of this post is 0.65) is still the recommended and supported version of log2timeline, while the 1.X branch can be looked at as experimental.

The new version has not been as widely tested as the older version and it lacks many of the fundamental parsers that the older version has. Work is undergone to correct this gap and I hope that by the time version 1.1 will be released it should be more than capable of replacing the older 0.X branch.

Ramblings

This blog site will be dedicated to quick tidbits about the new version, highlight changes, how to use the tool and some tricks, alongside some discussions about new artifacts added to the tool. Some of that documentation will be added to the main documentation side, perhaps in a more detailed form.

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more