Plaso 20211229 released

 Plaso 20211229 released

The Plaso team is pleased to announce a new Plaso release, 20211229. This release has a mixture of new features and under the hood improvements.

Notable changes

  • The opensearch and opensearch_ts output modules were added to migrate from Elasticsearch to OpenSearch (#4012). This is necessary for Timesketch to fully adopt the OpenSearch Python client (timesketch/#2090).

  • A Windows EventTranscript SQLite plugin was added (#3821) with thanks to @roshanmaskey.

  • The Apache access parser has been updated to support username with Kerberos principal (#3831) with thanks to @jleaniz.

  • Several changes to analysis plugins and how they store results (#1590). For some plugins the analysis results can now be viewed with pinfo, for example “pinfo.py --report browser_search case.plaso”. The Windows services analysis plug-in has been removed in favour of collecting the information during pre-processing.


The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone

Upcoming changes in future releases

  • Additional improvements to Windows EventLog resource extraction (#163).

  • Support for reading and updating Plaso storage files that have multiple event tags per event will be removed in the 2022 February release (#3714).

  • The elasticsearch_ts output module will be removed in favour of opensearch_ts (#4012).


Where/how to get Plaso 20211229?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle. 


If Docker does not fit your needs there are installation instructions available for MacOS, Ubuntu and Fedora


If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR slack or open an issue on the tracker.


Comments

Popular posts from this blog

Parsing the $MFT NTFS metadata file

Incident Response in the Cloud

Container Forensics with Docker Explorer