What is one to say about June, the time of perfect young summer and a new plaso release.
New version 1.1.0 the SuperBark edition released.
For those of you living on the Northern hemisphere, summer is here, which for some is closely associated with the feeling of a fresh plaso release. This summer is no different, although plaso is now significantly different ... [and for those of you living on the Southern hemisphere consider this the winter release ;)]
So without further ado [queue drum-roll], [short pause] I present [longer pause]:
plaso version 1.1.0, the SuperBark edition
[Image: the new shiny plaso logo]
You might be asking yourself: "so what is significantly different?" After using plaso for more than a year we realized that we wanted some things to change. We wanted native support for more storage media and volume system types, e.g. EWF or BitLocker. This meant we needed to get rid of the existing code that dealt with file handling and replace it with a more flexible approach.
This signified the birth of the Digital Forensics Virtual File System (or dfVFS). A stand-alone Python module (or library), that provides plaso (as well as other projects) with read-only support for more storage media types and file formats. What this means for the Python developer that lives inside you is a new shiny library that you can import in your one-off scripts that gives you instantly the ability to read data from various media formats without depending on all the plaso dependencies. Note that dfVFS is still work in progress and we are likely to add more storage media and volume system types and other nifty features along the way.
However that's not the only change since our last release. We decided to unify all plugin interfaces into a single coherent interface, and with that make the distinction between a plugin and a parser more explicit. That should make the life of those of you writing parsers and plugins easier. If not let us know, we are eager to try to make your life easier.
For those of you who are not (and do not intend to be) actively developing the tool and just want to use it, you may not be as excited as we are about all the fancy changes to the code base, the refactoring that has taken place, or the new APIs that have been exposed. Thankfully we also have some shiny new features that we would like to talk about for this group of people.
During our last release we had quite a few parsers contributed by external developers and we are happy to announce that we have even more this time around. I would like to thank all of our developers for their contributions to the tool (more following later). And we encourage others to join in as well. In our opinion being able to extend and change our tooling is a valuable option to have, in case you want timestamps out of a particular format we don't support (yet). To get you started there is now quite a lot of documentation available on the plaso website: plaso.kiddaland.net, including codelabs. If there is sufficient interest we can try to arrange a workshop like we did last year at OSDFC. Just let us know.
Last but not least, we squashed various bugs in the process, in our code but also in the code we rely upon.
Highlights
As I said before, plaso is now significantly different. It now has:
- the ability to read the storage media image formats EWF, QCOW, VHD and VMDK, in addition to RAW;
- improved existing parsers and plugins, e.g. multi volume support in the Windows Prefetch parser;
- various additional parsers and plugins;
- new features.
New parsers
With the new version comes a lot of new parsers, many of which were contributed by various plaso developers. Special thanks to the tireless efforts of Joaquin Moreno for adding a tremendous amount of Mac OS X support.
- Generic (OS independent):
- Bencode parser [Brian Baskin]
- Browser cookie parser
- Chrome Cache files
- CUPS IPP [Joaquin Moreno]
- Firefox Cache files [Petter Bjelland]
- Opera history files
- XChat log [Francesco Picasso]
- XChat Scrollback log file [Francesco Picasso]
- Mac OS X - all of which were contributed by Joaquin Moreno:
- Basic Security Module (BSM)
- Apple System Log (ASL)
- Firewall log (appfirewall.log)
- Keychain file
- Securityd logs
- Wifi log (wifi.log)
- UTMPX
- Linux
- PopContest [Francesco Picasso]
- UTMP [Joaquin Moreno]
- Windows:
- ESE database format
- McAfee AV protection logs
- SkyDrive error log [Francesco Picasso]
- Symantec AV scanlog [David Nides]
New plugins
- Bencode:
- Transmission [Brian Baskin]
- uTorrent [Brian Baskin]
- Browser Cookies:
- Google Analytics
- SQLite:
- Android SMS [Keith Wall]
- Android call logs [Keith Wall]
- Chrome cookies
- Firefox downloads
- Mac OS X document versions [Joaquin Moreno]
- Skype (improved coverage of the skype db) [Joaquin Moreno]
- Zeitgeist
- ESE database plug-ins:
- MSIE WebCache (aka IE 10 support)
- Mac OS X Plist plug-ins, all added by Joaquin Moreno:
- Airport
- Apple Account
- iPod/iPhone
- Install History
- Mac User
- Software Update
- Spotlight
- Spotlight Volume Information
- Timemachine
- Windows Registry plug-ins:
- AppCompatCache
- CCleaner [Marc Seguin]
- MountPoints2
- MSIE Zone
- MSIE Zone Software
Output Modules
Besides format parsing, support for new output formats has been added:
- Elastic Search;
- TLN - Timeline format.
To get an idea what this now allows you to do with plaso have a look at a previous blog post: Visualize the Output.
New features
Plaso now has a file system scanner (though that may not be the most technically correct term for it). What does it do? If you point plaso at a storage media image or device, it tries to detect the input type and determine which partitions or volumes are stored on it. By default it will ask you which partition or volume to process, unless there is only one candidate to choose from or you specified via the command line arguments what you want processed. This also meant we removed the partition map option from log2timeline.py.
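To make the scanner's first step concrete, here is an added example (written for this post, not plaso's or dfVFS's own code) that reads the partition table from a constructed MBR sector, reports each partition's byte offset and size, flags entries that run past the end of the image, and then applies the same selection rule the prompt uses: one candidate is picked automatically, several require an explicit choice. The sample MBR, the type-name table and the `choose_partition` behaviour are this example's own assumptions; GPT and extended partitions are only named, not walked.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"

# Subset of well-known MBR partition type identifiers.
PARTITION_TYPE_NAMES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT",
    0x0b: "FAT32",
    0x0c: "FAT32 (LBA)",
    0x0f: "Extended (LBA)",
    0x83: "Linux",
    0xee: "GPT protective",
}


def pack_partition_entry(bootable, partition_type, lba_start, num_sectors):
    """Build one 16-byte MBR partition table entry (CHS fields zeroed)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\0\0\0", partition_type,
                       b"\0\0\0", lba_start, num_sectors)


def parse_mbr(sector0, image_size=None):
    """Return the non-empty primary partitions described by an MBR sector.

    Each partition is a dict with its 1-based index, type, byte offset and
    byte size. If image_size is given, a partition that extends past the end
    of the image is flagged as truncated instead of being silently accepted.
    """
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one %d-byte sector" % SECTOR_SIZE)
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector0[start:start + PARTITION_ENTRY_SIZE])
        if ptype == 0x00 or num_sectors == 0:
            continue  # unused slot
        offset = lba_start * SECTOR_SIZE
        size = num_sectors * SECTOR_SIZE
        partitions.append({
            "index": index + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPE_NAMES.get(ptype, "unknown (0x%02x)" % ptype),
            "offset": offset,
            "size": size,
            "truncated": image_size is not None and offset + size > image_size,
        })
    return partitions


def choose_partition(partitions, requested=None):
    """Select a partition the way the scanner prompt does: a single candidate
    is chosen automatically, otherwise the caller must name one explicitly."""
    if not partitions:
        raise ValueError("no partitions to choose from")
    if requested is None:
        if len(partitions) == 1:
            return partitions[0]
        raise ValueError("%d partitions found; specify which one to process"
                         % len(partitions))
    for partition in partitions:
        if partition["index"] == requested:
            return partition
    raise ValueError("no partition with index %d" % requested)


# Constructed sample: a 512-byte MBR with a bootable NTFS partition at sector
# 2048 and a Linux partition after it. Not taken from any real image.
SAMPLE_MBR = (
    b"\0" * PARTITION_TABLE_OFFSET
    + pack_partition_entry(True, 0x07, 2048, 204800)
    + pack_partition_entry(False, 0x83, 206848, 409600)
    + pack_partition_entry(False, 0x00, 0, 0)
    + pack_partition_entry(False, 0x00, 0, 0)
    + MBR_SIGNATURE
)
SAMPLE_IMAGE_SIZE = (206848 + 409600) * SECTOR_SIZE


def scan_sample():
    """Scan the constructed MBR and pick partition 2, as a user would at the prompt."""
    partitions = parse_mbr(SAMPLE_MBR, image_size=SAMPLE_IMAGE_SIZE)
    chosen = choose_partition(partitions, requested=2)
    return partitions, chosen


if __name__ == "__main__":
    found, selected = scan_sample()
    for p in found:
        print("p%d %-14s offset=%d size=%d bootable=%s truncated=%s" % (
            p["index"], p["type_name"], p["offset"], p["size"],
            p["bootable"], p["truncated"]))
    print("processing partition %d (%s)" % (selected["index"], selected["type_name"]))
```

The truncation flag is worth keeping in any real scanner: a partition table that points past the end of the image usually means an incomplete acquisition or a tampered table, and either is something you want to notice before extraction starts rather than after it fails halfway.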
One of the things that has often been touted as the weak point of log2timeline in the past was its sole emphasis on the collection part while ignoring the analysis part, essentially leaving that as an exercise for the practitioner. The tool was essentially a very lightweight framework with the sole emphasis on writing parsers, which in the end meant that the practitioner had too much data to work with. This needed to change: we wanted to provide you, the end user, with some tools to assist with automating the analysis as well as focusing on extraction. The first signs of this new approach were in our last release, with the introduction of tagging, allowing users to write simple tags to annotate certain events, like "Application Execution", "File Downloaded", etc. With this release we are introducing the first version of the analysis plugins, starting simple and then expanding further on this concept in the near future.
An analysis plugin can be explained as a plugin that receives a copy of every event sent for output. The plugin can then analyze said events to extract meaningful data, whether the purpose is to detect anomalies, calculate statistics, create graphs, etc. To begin with we added two simple proof-of-concept plugins, more will follow soon.
The plugins are:
- Browser search history - go through all web history events and extract the search queries.
- Chrome extensions - go through all installed Chrome extensions and extract their names.
To get further information about the analysis plugins and how to run them, please look at the documentation site and look for the "Analysis Plugins" section.
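As an added illustration of the analysis plugin idea described above (the browser search history plugin in particular), the following example, written for this post and not plaso's own plugin code or interface, feeds a copy of every event to each registered plugin, and one plugin picks search queries out of browser history URLs and counts them for its report. The event attribute names, the `data_type` strings, the method names and the search engine table are this example's own assumptions; the sample events are constructed, not real plaso output.

```python
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumed search engine table: (name, host prefix, query-string key that
# carries the search text).
SEARCH_ENGINES = (
    ("Google", "www.google.", "q"),
    ("Bing", "www.bing.com", "q"),
    ("Yahoo", "search.yahoo.com", "p"),
    ("DuckDuckGo", "duckduckgo.com", "q"),
)

# Assumed event data types for browser history visits; everything else is ignored.
HISTORY_DATA_TYPES = frozenset((
    "chrome:history:page_visited",
    "firefox:places:page_visited",
))


def extract_search_query(url):
    """Return (engine, query) if url is a recognised search URL, else None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    for name, host_prefix, key in SEARCH_ENGINES:
        if not host.startswith(host_prefix):
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us.
        values = parse_qs(parsed.query).get(key)
        if values and values[0].strip():
            return name, values[0].strip()
        return None  # search engine host, but no query in the URL
    return None


class BrowserSearchPlugin:
    """Counts search queries seen in browser history events."""

    NAME = "browser_search"

    def __init__(self):
        self.searches = Counter()

    def examine_event(self, event):
        if event.get("data_type") not in HISTORY_DATA_TYPES:
            return
        result = extract_search_query(event.get("url", ""))
        if result:
            self.searches[result] += 1

    def compile_report(self):
        """Return (engine, query, count) tuples, most frequent first."""
        rows = [(engine, query, count)
                for (engine, query), count in self.searches.items()]
        return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


def run_analysis(events, plugins):
    """Hand a copy of every event to every plugin, then collect their reports."""
    for event in events:
        for plugin in plugins:
            plugin.examine_event(dict(event))
    return {plugin.NAME: plugin.compile_report() for plugin in plugins}


# Constructed sample events (not real plaso output). Timestamps are
# microseconds since the epoch, as plaso stores them.
SAMPLE_EVENTS = [
    {"timestamp": 1402000000000000, "data_type": "chrome:history:page_visited",
     "url": "https://www.google.com/search?q=plaso+dfvfs&hl=en"},
    {"timestamp": 1402000060000000, "data_type": "firefox:places:page_visited",
     "url": "https://www.bing.com/search?q=windows%20prefetch"},
    {"timestamp": 1402000120000000, "data_type": "chrome:history:page_visited",
     "url": "https://www.google.com/search?q=plaso+dfvfs"},
    {"timestamp": 1402000180000000, "data_type": "chrome:history:page_visited",
     "url": "https://duckduckgo.com/?q=sqlite+forensics"},
    {"timestamp": 1402000240000000, "data_type": "chrome:history:page_visited",
     "url": "https://www.google.com/"},
    {"timestamp": 1402000300000000, "data_type": "windows:prefetch:execution",
     "executable": "CMD.EXE"},
    {"timestamp": 1402000360000000, "data_type": "firefox:places:page_visited",
     "url": "https://search.yahoo.com/search?p=timeline"},
]


def analyze_sample():
    """Run the browser search plugin over the constructed events."""
    return run_analysis(SAMPLE_EVENTS, [BrowserSearchPlugin()])["browser_search"]


if __name__ == "__main__":
    for engine, query, count in analyze_sample():
        print("%-10s %-20s %d" % (engine, query, count))
```

Two points carry over to a real plugin: the plugin filters on the event's data type rather than guessing from the URL alone, so unrelated events (the prefetch execution above) cost nothing, and the report is assembled only after the full stream has been seen, which is what allows counts and other aggregates rather than per-event output.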
The idea is to further expand on this concept, make these plugins more robust and create more complex analysis plugins. Then we want to allow some of them to run during the extraction phase, so that tagging, for instance, can be done during collection instead of in the post-processing stage.
Another new feature is that the tool now monitors all the workers it starts and reports process information at regular intervals. That way you can easily tell what the tool is doing at any point in time.
Howto Install
At this point in time I'm sure everyone is asking themselves: how can I just download and install this tool? The short answer is, as always, it depends on the platform (but of course). However we do provide a few options:
Linux (Ubuntu):
Install via the SIFT repo:
sudo add-apt-repository ppa:sift/stable
sudo apt-get update
sudo apt-get install python-plaso
And that's it. This should take care of installing all the dependencies needed and the tool itself. There are two repositories, "stable" and "dev". The stable one contains released versions and the "dev" one contains the latest trunk, which means you'll get all the latest and greatest features with the added bonus of potential bugs and other things that may not work. So if you want to live on the edge, use the dev repository, otherwise stable is for you.
Mac OS X (Mavericks):
For Mac OS X we are using the native Python binary that comes with the operating system. We package each and every dependency of plaso into a separate package file and wrap that up in a single DMG file for your download. Simply download the DMG, mount it and double click the "install.sh" script (or run it from the terminal).
Windows (32 and 64 bit):
For Windows we compile the code into an executable, one for 32 bit operating systems and one for 64 bit ones.
Download the appropriate executable from here, extract it to somewhere within your PATH and run the tool.
Acknowledgements
None of this would have been possible without the many contributions by the plaso project authors, an ever expanding group of people with plenty of openings.
For a further breakdown of the contributions of individual group members, please see the ACKNOWLEDGEMENTS file.
Where are we heading next
Besides adding more parsers and plugins and improving dfVFS ...
For those of you familiar with Your workflow is NOT my workflow!, you might already know that our ideas for plaso are to improve domain knowledge reuse and support automated analysis, dubbed artifact support. This also means that we are going to focus on making plaso more modular and reusable by other projects such as GRR, 4n6time, Autopsy, MantaRay and other open source forensics projects.
You can largely see what we are up to in Plaso - Roadmap and Assignment.
Logo designs that did not make it
Last but not least, the logo designs that did not make it ;)
- http://image1.8ball.co.uk/catalog/product/cache/1/thumbnail/700x/9df78eab33525d08d6e5fb8d27136e95/l/o/log_-_sky_mens_cu.jpg
- http://www.mwctoys.com/images/review_renstimpy1_12.jpg
- https://lh6.googleusercontent.com/Imix4Wnn8v__wXcv4vXdXwzOzlFuiV6i5uVvUm2_8F6FMY7Qjze-qcHLiugFjwsOdNn9s5aVrk94diS2kRumQPPPZZHLzNq1VdSk8vSuoHrqPwCot1RoifA6UMU
- http://ecx.images-amazon.com/images/I/41ZMzeS-5SL._SY300_.jpg