Plaso 20201228 released


The Plaso team is pleased to announce a new Plaso release, 20201228. This release contains a mixture of new features and under-the-hood improvements.

Notable changes

  • The mactime parser now supports extracting symbolic links from bodyfiles.

  • libfshfs/pyfshfs has been added as an experimental feature to overcome shortcomings in the pytsk HFS+/HFSX implementation. Use the `--vfs-back-end=fshfs` option to have Plaso use libfshfs instead of SleuthKit (pytsk) when it encounters HFS+ or HFSX file systems.

  • The filestat parser now supports the directory entry added date and time of HFS+/HFSX (when using the fshfs back-end) and APFS. This means that the creation time and the added time are no longer treated as synonymous; they are emitted as separate timestamps.

  • libfsxfs/pyfsxfs has been added to provide XFS (version 4 and 5) support. Note that XFS support is considered experimental and would benefit from broader testing. Let us know if you encounter issues.

  • image_export.py and log2timeline.py now support single-disk LVM volume systems (#1293), VHDX (#486) and QCOW backing files (#520).

  • Elasticsearch 6 support has been removed as it is now end-of-life.
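To illustrate the symbolic link support mentioned for the mactime parser, the following is an added example (not Plaso's own mactime parser code) that parses bodyfile lines in the SleuthKit mactime 3.x layout (`MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`). It assumes that fls writes a symbolic link as `link_path -> target` in the name field, and it only splits the name on ` -> ` when the mode string marks the entry as a link (`l/...`), so a regular file whose name happens to contain ` -> ` is not mangled. The sample bodyfile is constructed for this example; note that a bodyfile carries only crtime and has no field for the HFS+/APFS added time, which is why that timestamp is only available through the filestat parser on a live file system.

```python
"""Parse SleuthKit bodyfile (mactime 3.x) lines, including symbolic links.

Added example, not Plaso's own mactime parser. Assumption: fls writes a
symbolic link as "link_path -> target" in the name field.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample bodyfile; not taken from any real image.
SAMPLE_BODYFILE = """\
0|/Users/alice/.bash_history|128401|r/rrw-------|501|20|2048|1609113600|1609110000|1609110000|1577836800
0|/Users/alice/Documents|128402|d/drwxr-xr-x|501|20|96|1609113600|1609113600|1609113600|1577836800
0|/Users/alice/current -> /Users/alice/Documents/report-2020|128403|l/lrwxr-xr-x|501|20|34|1609113600|1609000000|1609000000|1609000000
0|/Users/alice/notes -> todo.txt|128404|r/rrw-r--r--|501|20|12|1609113600|1609000000|1609000000|1609000000
"""


@dataclass
class BodyfileEntry:
    path: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: Optional[datetime]
    mtime: Optional[datetime]
    ctime: Optional[datetime]
    crtime: Optional[datetime]
    link_target: Optional[str] = None

    @property
    def is_symlink(self) -> bool:
        # TSK mode strings start with the file type: r/ regular, d/ directory, l/ link.
        return self.mode.startswith("l/")


def _to_datetime(value: str) -> Optional[datetime]:
    """mactime uses 0 for 'no timestamp'; keep that as None, not 1970-01-01."""
    seconds = int(value)
    if seconds == 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_bodyfile_line(line: str) -> BodyfileEntry:
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields

    link_target = None
    # Only treat " -> " as a link separator when the mode says this is a link;
    # a regular file may legitimately have " -> " in its name.
    if mode.startswith("l/") and " -> " in name:
        name, link_target = name.split(" -> ", 1)

    return BodyfileEntry(
        path=name,
        inode=inode,
        mode=mode,
        uid=int(uid),
        gid=int(gid),
        size=int(size),
        atime=_to_datetime(atime),
        mtime=_to_datetime(mtime),
        ctime=_to_datetime(ctime),
        crtime=_to_datetime(crtime),
        link_target=link_target,
    )


def parse_bodyfile(text: str) -> List[BodyfileEntry]:
    return [parse_bodyfile_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for entry in parse_bodyfile(SAMPLE_BODYFILE):
        kind = "symlink" if entry.is_symlink else entry.mode[0]
        target = f" -> {entry.link_target}" if entry.link_target else ""
        print(f"{kind:8} {entry.path}{target} crtime={entry.crtime}")
```

The fourth constructed line shows the reason for gating on the mode string: its name contains ` -> ` but it is a regular file, so it keeps its full name and gets no link target.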


The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.


Where/how to get Plaso 20201228?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle. 


If Docker does not fit your needs, there are installation instructions available for macOS, Ubuntu and Fedora.


If you run into problems, take a look at the Installation Problems page in the Plaso documentation to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR Slack or open an issue on the tracker.
