Sprinkling morning dew and summer sunlight - Plaso 1.4 Freya released!

By Anonymous
Sprinkling morning dew and summer sunlight


“Freyja flew over the earth, sprinkling morning dew and summer sunlight behind her. She shook spring flowers from her golden hair and wept tears which turned to gold or to amber at sea.” [http://www.valkyrietower.com/freyja.html]


Version 1.4 - Freyja released

The Plaso development team is excited to announce the release of Plaso 1.4, codenamed Freyja. Appropriately, Freyja is the deity associated with fertility, love, war and prophecy - most auspicious for a new release, and a new year!


She also rides in a chariot pulled by cats, which is pretty nifty.


freya__s_nyan_cat_drawn_carriage_by_daggerravionfall-d4hjku1.jpg


As with previous releases, Plaso Freyja is packed with new features, changes to the core and improved stability and reliability. Now for the juicy details!


What's changed since Plaso 1.3, Eir

New features
  • Parsers for $MFT and the NTFS USN change journal
    • Plaso now integrates with libfsntfs, which enables direct extraction of NTFS metadata. In Freyja, Plaso includes $MFT and USN change journal parsers. We’ll add more NTFS metadata handling in future versions, so stay tuned.
  • Docker file
    • A docker file, for creating Plaso docker containers, was added in Freyja by new contributor rgayon. We’ve been experimenting with containerizing Plaso, and it looks like there’s some interesting potential here. Look for more changes and guides here soon, and integration with Turbinia.
  • ZeroMQ
    • Plaso now integrates ZeroMQ for transferring data between the extraction and storage processes. This functionality is still experimental in Freyja, but we’re planning to make ZeroMQ the default for future Plaso releases.
  • File content hashing is now on by default
    • As detailed in a previous blog, hashing is now enabled by default.
  • Keeping track of exactly what Plaso’s doing at any given moment is pretty difficult with the scrolling (linear) view of status information. To try make this bit easier, the   Window status view now on by default for non-Windows OS’. log2timeline will now look like this:
    and not this:
    If you prefer the old behavior, just run log2timeline with --status_view linear, and your terminal will quickly fill with happy scrolling messages.
  • A new parser for client-local SCCM logs, courtesy of 8u1a
  • A new Windows Registry plugin to handle the Windows Explorer ProgramsCache key, which records program execution data
  • An XSLX output module, for writing events directly to a file readable with Microsoft Excel, thanks to DC3
  • Distributed link tracking support in the winlnk parser
  • The Windows Registry handling functionality has been moved to a separate submodule and will continue as a stand-alone Python module after Freyja. This should make it easier to create one off scripts that need to access the Windows Registry (for example, the scripts in winreg-kb).

What we broke this time

The Freyja release may not be compatible with storage files produced by previous versions. We recommend re-processing your original source data with Freyja, to take advantage of the new features and bug fixes.


The PCAP parser has been disabled. Unfortunately, the parser was causing excessive memory issues due to its current design. Our plan is to deprecate it and remove it permanently in 1.5 unless people are very passionate about having this functionality. Let us know on this issue and we always welcome contributions.

The parser class hierarchy has changed a little to align with the new data stream (NTFS ADS and HFS forks) support.  As a consequence, any parsers in active development need to change a little. If you're working on something, please reach out to the developers mailing list (log2timeline-dev@googlegroups.com) and we can help you make the necessary changes.

If you’ve been using your own custom tag files, you’ll have to change them slightly. To make things easier for frontends like Timesketch, all tags are now strings of alphanumeric characters, and the underscore character. This means, for example, that the tag is now “application_execution” and not “Application Execution”.


What we’re planning next

  • Implementing phased processing, to address the remaining multiprocessing and queuing issues and to help scale Plaso to multiple machines.
  • YARA integration for flagging files that match signatures.
  • Continuing the integration of artifacts for preprocessing and presets, which did not make it this release but is getting closer.
  • As always, more parsers, parser plugins, and analysis plugins.
  • Improved multi volume support (first up, LVM and LUKS), didn’t quite make this release but dfVFS LVM support is very close now.
  • Changes to our development workflow, switching to python helper scripts, to support those of you who wish to develop on Windows.
  • Migrating to a more powerful filtering language, efilter (aka dotty).


Where to get Plaso 1.4?

See Plaso's Users' Guide and if you run into problems take a look at the Installation Problems page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: log2timeline-discuss@googlegroups.com.


Closing notes by Kristinn, Mr. Super Timeline, Guðjónsson

Most new beginnings are accompanied with an end, and this is certainly one of those. The change that I wanted to talk about today is an organizational one within the Plaso project. I’ve been driving the log2timeline project for around 7 years now, since its birth, back in 2009. I’ve seen this project go from just being myself playing with some Perl scripts to it becoming a widely used tool within the community and then again after joining Google its rebirth with Plaso. This also allowed me to team up with other people like Daniel White and Joachim Metz and make Plaso what it currently is.


However things have changed since then and with my current responsibilities I cannot devote as much time into the project as I used to (you may have noticed significantly fewer CLs from me lately). I also really want to give others opportunity to shine and have therefore decided to to step down as the main goto person for log2timeline. I’m happy to announce that Daniel White has gracefully accepted the challenge to lead the project from now on. I’ll still be involved with the project, but mostly in the background, helping in deciding its direction. I’m very excited about this and I’m certain that Plaso is in good hands with Daniel and others.


I think the future is bright for Plaso, I’m super excited about the immediate future which will bring integration of artifacts, changes in how we process data that will allow scaling up so that Plaso can be run in parallel on multiple machines. More emphasis on automated analysis and SO MUCH more. Once those pieces are in place we can start better integrating the tool into other places, such as Timesketch and Turbinia to name few. There is still plenty of work to be done, that’s for sure.


As a closing note I would like to personally thank anyone that have provided me with advice, feedback, samples, code changes for both the Perl and Python versions of log2timeline… and I hope that people will continue to do so in the future. And who knows, maybe you’ll see a CL from me when time permits… and of course I’ll have to maintain the Plaso tradition of educating the world with more Icelandic sentences here and there:
ber er hver að baki nema bróður sér eigi, þ.e.a.s. það er gott að vita af því að maður hafi fundið einhvern sem er tilbúinn að hlaupa undir bagga með sér og aðstoða þegar tímarnir breytast

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more