Drink joyful the good mead - Plaso 20170930 Heimdall released

By Anonymous
Himinbiörg is the eighth, where Heimdall,
it is said, rules o'er the holy fanes:
there the gods' watchman, in his tranquil home,
drinks joyful the good mead
Thorpe, Benjamin (Trans.) (1866) The Elder Edda of Saemund Sigfusson.


The Plaso development team is very pleased to announce the release of Plaso Heimdall, featuring a greatly increased version number.


Heimdall was the watchman of the gods in the Norse pantheon, and we’ve been keeping careful eye on our development and testing processes.
It’s been a little longer than we’d like between releases, so let’s talk about what’s been going on.
“Heimdall on the Rainbow Bridge” by Emil Doepler (1905)

What’s changed since Plaso 1.5, Gna?

As foreshadowed above, we’ve switched to a date-based version format. Part of the reason for doing this is to enable more frequent smaller releases. Rather than having to manually switch version numbers in a file, we can promote a build from a test repository to stable, and we’re done. Look forward to more frequent releases in the near future.
This theme of under-the-hood changes and development improvements continues throughout the work that we’ve been doing. Along with the usual squashing of bugs and performance tweaks, we’ve overhauled the way that events are represented internally, via the creation of the dfDateTime library and the EventData object hierarchy.
dfDateTime allows for the preservation of timestamp precision, as well as more sophisticated comparisons between different timestamps. The EventData change is a prerequisite for moving Plaso’s backend storage to a relational (SQL-like) backend. We’ve already started work on an SQLite storage implementation, and we’re going to focus more on this code immediately after release. We're going to start to give events a bit more structure, as the dfKinds projects takes shape.
Another under-the-hood change was the modification of the preprocessor to use the Forensic Artifacts library, to make this area of the codebase simpler and more extensible. We’re looking to expand our use of artifacts in near future as well.
To support our (hopefully) increased release cadence, we’ve also invested a bunch of effort in automated testing.
On top of that, we have had time to add some new features:

New features

On top of that, we have had time to add some new features:
  • New parsers and plugins
  • DC3 contributed SQLite database schema matching in SQLite plugins, to highlight situations where an application's SQLite schema may have changed.
  • B3n7s added support for shield authentication in the ElasticSearch output module
  • The EventData changed mentioned above made it possible to implement merged MACB output in the l2tcsv output module. This reduces the noise from file timestamp updates significantly, and resolves a longstanding issue.
  • Psteal.py is a new Plaso frontend that simplifies the most common Plaso use case of processing an image, and producing a human-readable output. Essentially, psteal runs log2timeline, then psort immediately afterwards.

What we broke this time

In previous versions of Plaso, we’ve advised that new releases might not be backwards-compatible with storage files generated with older version of log2timeline. In a slight change, we can be quite categorical about Heimdall - it does not support old storage files at all. Expect this to continue in future releases as well, until the SQLite storage and dfkinds support have matured.


We’ve noticed some inconsistency in the number of lnk and shell items events. We’re investigating this issue at present, and it seems to be an issue in one of Plaso’s dependencies. If you notice any discrepancies with these parsers, double check the error output (pinfo.py -v) to see if Plaso ran into any issues processing relevant files.


In one minor tweak, the -o alias for --offset disappears for log2timeline.py. You’ll have to add a few more characters to your command lines. We've also stopped providing a binary build for 32-bit versions of Windows, so if for some reason you need to run Plaso on a Pentium III, you'll have to build all the dependencies yourself.

What we’re planning next

Of course, time moves ever forward, and we have a bunch of changes in the pipeline:
  • We’ve heard from a few folks that getting started in the code review process was a bit too intimidating, so we’re going to try out some changes - switching to GitHub’s code review process and adding more, github integrated, automated checkers.
  • A big overhaul of the storage subsystem is imminent, with much of the pre-work having been completed. A beta SQLite based store is already in the codebase.
  • Enhancing Forensic Artifacts integration. Our plan is to add an artifact based collection filter, to make targeted timeline generation speedier.

Where/how to get Plaso Heimdall?

See Plaso's Users' Guide and if you run into problems take a look at the Installation Problems page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: log2timeline-discuss@googlegroups.com.

One particular note - Plaso is now distributed as two separate .deb files for Ubuntu, and other other debian-like systems. Make sure to install the plaso-tools package as well as python-plaso.

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more