Plaso 20260512 released

By

 Plaso 20260512 released

The Plaso team is delighted to announce a new Plaso release, 20260512. This release has a mixture of new features and under the hood improvements.

Notable changes

  • Added support for Apple MobileBackup plist (#4916) with thanks to @rizabudi

  • Added support for iOS WiFi Known Networks plist (#4925) with thanks to @CopasAlpha26

  • Added support for iOS Accounts (Accounts3.sqlite) SQLite database (#4926) with thanks to @studiawan

  • Added support for IMO HD chat SQLite database (#4927) with thanks to @agusgiinarsa

  • Added support for Apple Burner (burners.sqlite) SQLite database (#4928) with thanks to @brokamal and @SanGit56

  • Added support for Android Native Downloads (downloads.db) SQLite database (#4929) with thanks to @ChristopherGammaWau and @barpeot

  • Added support for Android App Launch (SimpleStorage) (#4930) with thanks to @FathanAbi and @BeefRa

  • Added support for iOS SIM information plist (com.apple.commcenter.data.plist) (#4931) with thanks to @fitrianhikma

  • Added support for Android Viber Call (viber_data) SQLite database (#4934) with thanks to @aurelioklv and @jawahirulwildan

  • Added support for Files by Google (files_master_database) SQLite (#4938) with thanks to @jundi77 and @gustino7

  • Added support for Android Airtag (attd_db) SQLite database (#4939) with thanks to @hanamahes78 and @nadiah2323

  • Added support for iOS Notes SQLite database (#4944) with thanks to @CandraTP

  • Added support for RADAR Diagnosed Applications Windows Registry (#4958) with thanks to @elad-levi-cyberark

  • Added support for iOS Discord messages JSON and iOS Instagram SQLite database (#4968) with thanks to @jawahirulwildan

  • Added support for Chrome cache payloads (#4696) with thanks to @chb2mn

  • Added support for syslog facility and message identifier (#5021) with thanks to @Spferical

  • Added Confluence (#5030), Jira DC logs (#5043) and Bitbucket DC logs (#5050) support with thanks to @dmw9

  • Changed queuing to use JSON serialization (#5032) in favor of pickle serialization.

  • Extended MBR partitions now are represented starting as p5 (dfvfs/#788)

  • Ubuntu 26.04 based Docker image

  • For developers, changes to the style guide. Now preferred use of f-strings, super() without arguments, and classes no longer need to inherit object.


The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone.

Upcoming changes in future releases

  • Remove support for discontinued Viper version 1 (#5042)

  • Changes to schema and (potentially) storage format (#4852, #4956, #5017)

  • Extend support for Windows 10 push notification databases (#4458)

  • Continued work on pre-processing and knowledge base (#4543)

  • Move image export to the dfImageTools project (#1)

  • For developers, changes to the style guide due to adoption of black Python formatter.


Where/how to get Plaso 20260512?

See Plaso's Users' Guide. The development team recommends using Docker to install Plaso without hassle. 


If Docker does not fit your needs there are installation instructions available for Mac OS, Ubuntu and Fedora


If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the Open Source DFIR slack or open an issue on the tracker.

Comments

Post a Comment

Popular posts from this blog

Parsing the $MFT NTFS metadata file

By
Background Numerous articles have been written about parsing the $MFT NTFS metadata file before. Some of these explain the technique itself [ 1 ] and others mostly focus on how to use tools. Rarely do articles mention the pros and cons of the technique from a digital forensics perspective [ 2 ].  What is $MFT parsing?  For readers not familiar with the NTFS file system, MFT stands for Master File Table. This table is stored in a file system metadata file, meaning that as far as the file system is concerned it is a file, however that the file contains file system metadata not “regular” content. The name of this file is “$MFT”.  The MFT consists of a sequence of (predetermined) fixed-size entries (or MFT entries). These entries are typically 1024 bytes in size, however the size is defined in the NTFS volume header and in a “regular” MFT entry itself.  The first 4-bytes of a “regular” MFT-entry (or record) starts with the signature “FILE”. The MFT entry can...
Read more

Incident Response in the Cloud

By
Many organizations have begun moving a majority of their services towards the cloud in recent years. As a result, attackers have shifted their focus towards the cloud. This has resulted in new techniques and methods specifically designed to compromise cloud infrastructure, like the recent SALTSTACK vulnerability that was widely exploited [ 1 ]. Therefore it is critical for these organizations to have an incident response team that understands the new risks attached to cloud and how cloud can make incident response easier or harder.  In this blog post we will walk you through each phase you may encounter in traditional incident response and highlight the differences when adopting cloud computing. It is aimed towards both those who are new to incident response and cloud computing. We’ve included insights that will benefit organizations taking that step towards cloud who want to ensure they are prepared to respond efficiently to cloud incidents.  Traditional Incident Response Be...
Read more

Container Forensics with Docker Explorer

By Anonymous
  Introduction As previous blog posts on cloud forensics have noted, applications are increasingly being deployed using container orchestration frameworks such as Kubernetes, especially in cloud environments.  Similar to traditional deployments on physical servers or virtual machines (VMs), when a containerised application has a security issue it can lead to a compromise of the underlying compute architecture. In the case of container deployments this means a compromise of the container itself, the container host, or even a wider cluster compromise via abuse of orchestration tools. Often digital forensics is required to establish what went wrong and remediate any issues. This article will provide an introduction to container forensics with Docker Explorer by working through a scenario involving a compromised container running within a Kubernetes cluster. Although Kubernetes is briefly mentioned, this article will focus on analysis of an individual container rather than the wi...
Read more