Plaso 20220724 released

 Plaso 20220724 released

The Plaso team is pleased to announce a new Plaso release, 20220724. This release has a mixture of new features and under the hood improvements.

Notable changes

  • An iOS application privacy report log JSON-L parser plugin and SQLite parser plugins for iOS Screen Time and iOS net usage were added, with thanks to @rick-slin.

  • A Microsoft Office 365 audit log parser was added, with thanks to @Zawadidone.

  • A parser for Atlassian Confluence access logs was added (#4123)

  • Local time support was added to the dpkg parser, with thanks to @plague006.

  • The mactime parser has been renamed to bodyfile parser (#4131)

  • A tagging rule for Windows EventLog Cleared was added, with thanks to @pyllyukko.

  • Added initial support for WEVT_TEMPLATE resources for Windows EventLog resource extraction (#163).

  • The `--no_vss` option has been deprecated in favour of `--vss_stores=none` (#4150)

  • The elasticsearch and elasticsearch_ts output modules have been removed in favour of opensearch and opensearch_ts modules (#4012).

  • Support for reading and updating older Plaso storage files that have multiple event tags per event has been removed (#3714).

  • The Plaso Docker image now uses Ubuntu 22.04 (jammy) (#4087)

The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone

Upcoming changes in future releases

  • Additional improvements to Windows EventLog resource extraction (#4169).

  • Ubuntu 18.04 (bionic) and 20.04 (focal) and Fedora 35 releases are deprecated and will no longer be provided by the Plaso project.

Where/how to get Plaso 20220724?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle. 

If Docker does not fit your needs there are installation instructions available for MacOS, Ubuntu and Fedora

If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR slack or open an issue on the tracker.


Popular posts from this blog

Incident Response in the Cloud

Parsing the $MFT NTFS metadata file

Container Forensics with Docker Explorer