Plaso 20220930 released

The Plaso team is delighted to announce a new Plaso release, 20220930. This release has a mixture of new features and under the hood improvements.

Notable changes

  • New parsers and parser plugins and improvements to format support:

    • Windows Defender History Log parser (#4167), PostgreSQL application log parser (#4175) and enhanced format support in the IIS parser (#4146) with thanks to @Fryyyyy

    • Windows User Access Logging parser (#4176) with thanks to @hur

    • Snort/Suricata fast-format alert log parser (#4220) with thanks to @jgru

    • Android logcat parser (#4214) and .viminfo parser (#4233) with thanks to @sydp

    • Enhanced format support in the AWS ELB text parser plugin (#4189) with thanks to @alexgoedeke

    • iOS CarPlayApp.plist plist plugin (#4156) with thanks to @studiawan

  • Support for processing the content of .dmg, .iso and .vhd[x] files "as archives" was added. To specify which archive types should be processed, the `--process-archives` option has been superseded by the `--archives` option (#4241).

  • Single-line text log parsers have been moved to parser plugins (#4230).

  • Support for custom (output) fields has been added (#4246) and the text prepend option is now deprecated (#4248).

  • Improvements to Windows EventLog resource extraction and message formatting (#4169).

  • Redis is now an optional dependency (#4243).


The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Upcoming changes in future releases

  • Additional improvements to Windows EventLog resource extraction and message formatting (#4259).

  • The text prepend options will be removed (#4255) in favor of custom output fields.


Where/how to get Plaso 20220930?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle.


If Docker does not fit your needs, there are installation instructions available for macOS, Ubuntu and Fedora.


If you run into problems, take a look at the Installation Problems page in the Plaso documentation to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR Slack or open an issue on the tracker.
