Open Source DFIR

  Plaso 20240826 released The Plaso team is delighted to announce a new Plaso release, 20240826. This release has a mixture of new features and under the hood improvements. Notable changes Migrated Docker image to Ubuntu 24.04 with Python 3.12. If you are using Timesketch or Turbinia, work is in progress to migrate to Ubuntu 24.04 and this version of Plaso. Changed year-less log helper into date-less log helper to support date-less log formats ( #4697 ), added a SQLite parser plugin for Android's app_usage database ( #4881 ) and Android turbo.db SQLite parser plugin ( #4880 ) with thanks to @rick-slin Added basic support for Windows 10 push notification SQLite databases ( #4458 ) and Container Runtime Interface log parser ( #4742 ) with thanks to @sydp Read support for SQLite-based storage format 20221023 was removed ( #4849 ). The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone . Upcoming changes in future releases Extend support for W...

Plaso 20240308 released The Plaso team is delighted to announce a new Plaso release, 20240308. This release has a mixture of new features and under the hood improvements. Notable changes Support for Mac OS login window ( #4799 ), startup item ( #4800 ) and login and background items plist plugins ( #4790 ) plist files with thanks to Matthew Pfeiffer ( @Spferical ). Support for Mac OS launchd.log text parser plugin ( #4686 ) with thanks to @rick-slin . Improvements to Windows EventLog resource extraction and message formatting ( #4259 ). Moved data into Python module and migrated tools to Python entry points ( #4769 ). The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone . Upcoming changes in future releases Migrate Docker image to Ubuntu 24.04 once released. Continued work on pre-processing and knowledge base ( #4543 ). Move image export to the dfImageTools project ( #1 ). Where/how to get Plaso 20240308? See Plaso's Users' Guide . T...

  Plaso 20231224 released The Plaso team is delighted to announce a new Plaso release, 20231224. This release has a mixture of new features and under the hood improvements. Notable changes Support for Microsoft Edge load_statistics.db SQLite database files ( #4733 ) with thanks to @trashg0blin Changes to support multi-line bash history files ( #4744 ) with thanks to @Fryyyyy Support for version zstd compressed systemd journal ( #4746 ) with thanks to @michael-ashburn Support for version 118 Firefox downloads database schema ( #4749 ) and changes to MRU Windows Registry parser plugins to produce a list of entries ( #4739 ) with thanks to @chb2mn Python 3.12 support Removal of various legacy/backwards compatibility components ( #4543 ), such as process archives command line option, text-based filter file. The full list of cleanups, performance tweaks and bug fixes can be found in the release milestone . Upcoming changes in future releases Changes for deployment ( #4769 ). Continued w...

  Plaso 20230717 released The Plaso team is delighted to announce a new Plaso release, 20230717. This release has a mixture of new features and under the hood improvements. Notable changes Support for Windows AppCompat PCA (Program Compatibility Assistant) log ( #4560 ) and Apple Unified Logging ( #4557 ) files with thanks to @Fryyyyy Support for Microsoft OneDrive log ( #4148 ) files with thanks to @sydp Support for PowerShell transcript log ( #4168 ) files with thanks to @FabFaeb Support for Siemens WinCC log ( #4585 ) files with with thanks to @rgayon Support for Firefox Cookie SQLite schema version 10 ( #4665 ), MSIE webcache cookies ( #4682 ), Chrome cache version 3 ( #4694 ) and changes to Chrome history parser to extract visit count ( #4644 ) with thanks to @chb2mn Changes to CUPS IPP parser to support no-value type ( #4671 ) Support for iOS data usage SQLite parser plugin ( #4672 ) and plist plugin parser for com.apple.identityservices.idstatuscache.plist ( #4673 ) with tha...