Halloween Brings With it Riding Witches and Other Treats...

By Anonymous

Version 1.0.2 - spooky edition released.

With Halloween here it is only fitting to release a new version of the ghastly plaso, version 1.0.2 aka "spooky edition" where all fraidy cats are welcome.


It's been about six months since our last release and during that time quite a few things have changed within the project, to say the least. We are getting closer and closer to a more stable release, despite still clinging to the alpha name (consider it as a fancy decoration). The tool now contains most of the important parsers from the older Perl version and should be considered ready as a replacement. The next version will focus on getting the vast majority of the old parsers ported and start focusing more on the analysis side of things.

What great goodies and maggots does this new version come with you may ask?

Well... in short it comes with several feasting goblins and enchanted elves (and some new features). If we start by looking at our release goals, which were "simple" enough; get the tool closer to a full feature parity with the Perl version (as in number of parsers) at the same time as adding new parsers that were not available in the older version. We also wanted to the stability and improve test coverage of the code base. And to add some additional goals we wanted to make room for some analysis, making review easier.

Overall we managed to reach most of our lofty goals. Tagging was added to make classification of events possible (great to find pivot points in the dataset, a blog post describing this feature will come out soon). And if you've got a pivot point you can use it to create a time slice, which includes events that happened around that point in time. Date filtering into the storage file was improved considerably and quite a few new parsers added. And finally documentation has been updated to reflect the changes made.

This blog post is only supposed to serve the purpose of announcing the new version, documentation on how to actually use the tool and even get the most out of it will be reserved for future blog posts and up-to-date instructions on the tool's documentation site: plaso.kiddaland.net.

Highlights

To list up some the new additions to the tool from the top of my head it would look something like this:

New Shiny Parsers

  • Java IDX.
  • LS Quarantine.
  • MacKeeper cache.
  • OLECF (think .doc and so many other OLE compound files on any given Windows system).
  • OpenXML.
  • Pcap files.
  • Plist parser (generic and a plugin interface for new parsers).
  • Apple Safari history parser.
  • SkyDrive log files.
  • Skype text conversations.
  • Windows Firewall.
  • Windows Job files (think at jobs).
  • Windows Prefetch files (supports all versions of Windows).
  • Windows Recycle bin (INFO2 and $I/$R).
  • Xchat Scroll back files.
  • Zeitgeist parser (Linux).
  • Several new Windows Registry plugins.

New Output Modules

  • MySQL db output for 4n6time (still an experimental feature and mostly applicable in 4n6time).
  • Dynamic. The new default output module for psort. In short this is a simple CSV file that has configurable fields to make output more flexible. See additional information here.
  • Pstorage - The ability to output again into another instance of a plaso storage. This is mainly if you want to keep events fully sorted and filtered out for a new instance.

New Features

There are plenty of new features, some of which are listed here:
  • New front-end called plasm that as of now takes care of tagging/categorization of your output data.
  • New script included called "image_export" that can be used to export files out of an image file (including within VSS) either by supplying it with a list of paths or file extensions.
  • A PoC tool called "plaso_extract_search_history.py" (not included in the build files) that can read over a plaso storage file and extract all search history from it (this will be incorporated into the tool in the next version).
  • The ability to define "time slices" in psort. That is if you have a specific pivot point into the data set (as in a time) you can define it and get all the surrounding events that occurred on the timeline for X minutes before and after (X is configurable but defaults to 5 minutes).
  • The ability to include surrounding events for filter hits. That is to create a time slice for every filter hit. Let's say you want to filter the timeline for every time a particular web site was visited and at the same time you would like to X number of events that led up to that web site visit and the next X subsequent events as well, now that can be easily done.
  • Psort now removes duplicate entries.
  • You can now bypass the storage mechanism and directly output to file. Before that you had to first store all events into a plaso storage file (still default and still recommended). However the option of bypassing the storage mechanism and directly storing the data into whatever available output module has been added.
  • A new front-end called preg added that can be used to directly parse registry files and present the output in a different manner than is done in the main front-end log2timeline/psort (and even works on live machines).

[Useless For People to Know] Back-end Changes

  • A timestamp index was added to the backend storage (pstorage) making date based filtering considerably faster.
  • Registry plugin infrastructure received a healthy code refactor.
  • A new text based assistant added (using pyparsing).
  • A new binary assistant added.
  • TSK updated to 4.1.x (used to be dependent on 3.x).
  • Protobufs updated to version 2.5 (used to be 2.4).
  • Quite a few re-factors on various pieces of the codebase.

Where to Get It

The download section of Google Code project site has now been removed, so we moved all our downloads to Google Drive.

All files can be downloaded from here: https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/

And more specifically version 1.0.2 is available here: https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.0.2/final

The tool has been compiled for the following platforms:
  • Mac OS X ML (10.8).
  • Windows 32 and 64-bit versions.
  • Ubuntu LTS (12.04)
And the source code as usual is available from Google Code: https://code.google.com/p/plaso/

Acknowledgements

None of this would have been possible without the many contributions by the plaso project authors, an ever expanding group of people with plenty of openings.

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more