Plaso 20200630 released

The Plaso team is pleased to announce a new Plaso release, 20200630. This release has a mixture of new features and under the hood improvements.

Notable changes

  • There’s a new unattended mode for situations where Plaso is being run by a tool like Turbinia or in an environment without an interactive console, such as a Docker container. In unattended mode, Plaso will exit with an error rather than prompting for input if information is missing.

  • The linear status view now shows more information about the overall processing status, similar to the “window” status view.

  • Time zone handling was overhauled. There are now two separate timezone-related options:

    • `--timezone` indicates the time zone of the source data, and will be used when Plaso can’t determine the appropriate time zone automatically.

    • `--output_time_zone` specifies a time zone to use when outputting events. This is currently only supported by the ‘dynamic’ and ‘l2tcsv’ output modules.

  • There are some new additions to the Windows and Linux tag files, courtesy of pyllyukko@

  • It’s now possible to specify an elasticsearch password on the command line thanks to new contributor william-billaud@. Note that this password will be visible to anyone who is able to list running processes, so be careful about using this on any shared system.

  • New parsers / supported data formats:


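To make the split between the two time zone options concrete, here is an added example (not Plaso's own code) of the two-step handling they describe: a naive timestamp from the source data is interpreted in the source time zone and normalised to UTC for storage and sorting, while a timestamp that already carries an offset keeps it; the output time zone is applied only when rendering. The fixed-offset zones, the sample timestamps and the function names are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed fixed-offset zones standing in for IANA names, so the example
# runs without a tzdata database. SOURCE_TZ plays the role of --timezone and
# OUTPUT_TZ the role of --output_time_zone.
SOURCE_TZ = timezone(timedelta(hours=-4), name="UTC-04:00")
OUTPUT_TZ = timezone(timedelta(hours=2), name="UTC+02:00")


def parse_source_timestamp(raw: str, source_tz: timezone) -> datetime:
    """Normalise one raw timestamp to an aware UTC datetime.

    If the data carries its own offset (e.g. "2020-06-30T12:00:00+01:00") that
    offset wins and source_tz is ignored, mirroring the case where the tool can
    determine the zone itself. A naive value is assumed to be in source_tz.
    """
    parsed = datetime.fromisoformat(raw)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=source_tz)
    return parsed.astimezone(timezone.utc)


def render_event_time(utc_dt: datetime, output_tz: timezone) -> str:
    """Render a stored UTC time in the requested output zone, with offset."""
    return utc_dt.astimezone(output_tz).strftime("%Y-%m-%d %H:%M:%S %z")


def build_timeline(raw_events, source_tz, output_tz):
    """Return (rendered_time, message) rows ordered by UTC time.

    Sorting happens on the normalised UTC value, so events from sources in
    different zones interleave correctly regardless of the output zone.
    """
    normalised = [(parse_source_timestamp(ts, source_tz), msg) for ts, msg in raw_events]
    normalised.sort(key=lambda row: row[0])
    return [(render_event_time(ts, output_tz), msg) for ts, msg in normalised]


# Constructed sample events: one naive (needs --timezone), one with an offset.
SAMPLE_EVENTS = [
    ("2020-06-30 12:00:00", "naive timestamp from a UTC-4 host"),
    ("2020-06-30T12:00:00+01:00", "timestamp that already carries +01:00"),
]

if __name__ == "__main__":
    for rendered, message in build_timeline(SAMPLE_EVENTS, SOURCE_TZ, OUTPUT_TZ):
        print(rendered, message)
```

The naive event becomes 16:00 UTC and is shown as 18:00 +0200; the aware event becomes 11:00 UTC and is shown as 13:00 +0200, so it correctly sorts first even though both read "12:00" in the source data.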
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the release milestone.

Future plans


Where/how to get Plaso 20200630?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle.


If Docker does not fit your needs there are installation instructions available for MacOS, Ubuntu and Fedora.


If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR slack or open an issue on the tracker.

