All things time related.... Mostly log2timeline and plaso discussions, tricks, announcements and other similarly timeline related. (therealkiddi)
Published 2020-07-04<span id="docs-internal-guid-27d936b4-7fff-c30a-fde1-16f82c8a73d3"><p dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;"><font color="#d52c1f">This is the last release announcement for Plaso posted on this blog. Future release announcements will be on</font> </span><font face="Arial"><span style="font-size: 14.6667px; white-space: pre-wrap;"><a href="https://osdfir.blogspot.com/">https://osdfir.blogspot.com/</a></span></font></p><p dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;"><br /></span></p><h1 style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt; text-align: left;"><span id="docs-internal-guid-7167c877-7fff-894f-081e-61af028a5e18" style="font-weight: normal;"><p dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 26pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Plaso 20200630 released</span></p><div><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">The Plaso team is pleased to announce a new Plaso release, 20200630. 
This release has a mixture of new features and under the hood improvements.</span></div></span></h1><h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Notable changes</span></h2><ul style="margin-bottom: 0; margin-top: 0;"><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">There’s a </span><a href="https://github.com/log2timeline/plaso/pull/3094" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">new unattended mode</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> for situations where Plaso is being run by a tool like </span><a href="https://github.com/google/turbinia" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Turbinia</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> or in an environment without an interactive console, such as a Docker container. 
In unattended mode, Plaso will exit with an error rather than prompting for input if information is missing.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The linear status view </span><a href="https://github.com/log2timeline/plaso/pull/3101" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">now shows more information</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> about the overall processing status, similar to the “window” status view.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Time zone handling was </span><a href="https://github.com/log2timeline/plaso/pull/3088" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">overhauled</span></a><span style="font-size: 11pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. There are now two separate timezone-related options:</span></p></li><ul style="margin-bottom: 0; margin-top: 0;"><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: circle; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">`--timezone` indicates the time zone of the source data, and will be used when Plaso can’t determine the appropriate time zone automatically.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: circle; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">`--output_time_zone` specifies a time zone to use when outputting events. This is currently only supported by the </span><a href="https://github.com/log2timeline/plaso/issues/2067" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">‘dynamic’ and ‘l2tcsv’ output modules</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. 
</span></p></li></ul><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">There are some new additions to the </span><a href="https://github.com/log2timeline/plaso/pull/2942" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Windows</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://github.com/log2timeline/plaso/pull/2933" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Linux</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> tag files, courtesy of </span><a href="https://github.com/pyllyukko" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">pyllyukko@</span></a></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; 
white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">It’s now possible to </span><a href="https://github.com/log2timeline/plaso/pull/2988" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">specify an elasticsearch password</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> on the command line thanks to new contributor </span><a href="https://github.com/william-billaud" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">william-billaud@</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. 
Note that a password passed on the command line is visible to anyone who can list running processes (for example with ps) and is usually recorded in your shell history as well, so be careful about using this on any shared system.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">New parsers / supported data formats:</span></p></li><ul style="margin-bottom: 0; margin-top: 0;"><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: circle; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Apple's Transparency, Consent, and Control </span><a href="https://github.com/log2timeline/plaso/pull/3117" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">(TCC) SQLite database</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: circle; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a 
href="https://github.com/log2timeline/plaso/pull/2943" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Google Log (glog) files</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">.</span></p></li></ul></ul><br /><p dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the</span><a href="https://github.com/log2timeline/plaso/milestone/27" style="text-decoration-line: none;"><span style="color: black; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">release milestone</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. 
</span></p><h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;"><span style="font-family: Arial; font-size: 16pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;">Future plans</span></h2><ul style="margin-bottom: 0; margin-top: 0;"><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Continuing to </span><a href="https://github.com/log2timeline/plaso/issues/444" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">change formatters to be configuration driven</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> by adding support for enumeration and flag values.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://github.com/log2timeline/plaso/issues/2790" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Adding 
support</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> for more types of subkeys to the AMCache.hve parser.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://github.com/log2timeline/plaso/pull/3125" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Parsing Spotlight store database</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (store.db) files.</span></p></li><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://github.com/log2timeline/plaso/pull/3140" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Extending the image export tool</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> with exclusion filter support.</span></p></li></ul><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: 
Arial; font-size: 20pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Where/how to get Plaso 20200630?</span></p><p dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">See Plaso's </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html" style="text-decoration-line: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. The development team recommends using </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Docker</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> to install Plaso without hassle. 
</span></p><br /><p dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">If Docker does not fit your needs there are installation instructions available for </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">MacOS</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">,</span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html" style="text-decoration-line: none;"><span style="color: black; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Ubuntu</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; 
white-space: pre-wrap;">Fedora</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">. </span></p><br /><p dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">I</span><span style="background-color: white; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">f you run into problems take a look at the </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html" style="text-decoration-line: none;"><span style="background-color: white; color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> page in the Plaso documentation, to see if other people have seen the issue before. 
If nothing there helps, ask for help on the </span><a href="https://github.com/open-source-dfir/slack" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">Open Source DFIR slack</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> or</span><a href="https://github.com/log2timeline/plaso/issues/new" style="text-decoration-line: none;"><span style="color: black; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">open an issue</span></a><span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> on the tracker.</span></p></span>Daniel White
Published 2020-05-08, updated 2020-05-09<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20200430 released</h2>
The Plaso team is pleased to announce a new Plaso release, 20200430. This release has a significant change with <a href="https://github.com/libyal/libfsntfs">libfsntfs/pyfsntfs</a> becoming the default for accessing NTFS volumes. With this comes:<br />
<ul style="text-align: left;">
<li>A substantial speedup for processing NTFS images. While the exact numbers will vary based on the data being processed, we’ve seen some of our test images processed twice as fast with libfsntfs as with TSK.</li>
<li>Performance improvements for directories with a large number of entries (<a href="https://github.com/log2timeline/plaso/issues/810">#810</a>). Directories with a very large (or huge) number of entries could still be a performance bottleneck (<a href="https://github.com/libyal/libfsntfs/issues/16">libfsntfs/16</a>).</li>
<li>Support for Windows Overlay Filter (WOF) compressed data (LZX and LZXPRESS-Huffman).</li>
<li>Preservation of control characters in file and data stream names (<a href="https://github.com/sleuthkit/sleuthkit/issues/1894">sleuthkit/1894</a>).</li>
<li>Support for NTFS directories with case-sensitive entries.</li>
</ul>
<br />
If you run into any problems with NTFS parsing, note that the previous pytsk-based NTFS support can be re-enabled using the <span style="font-family: 'courier new', courier, monospace;">--vfs-back-end=tsk</span> option of image_export.py, log2timeline.py and psteal.py.<br />
<h3 style="text-align: left;">
Other changes</h3>
<ul style="text-align: left;">
<li>Many of the formatters are now <a href="https://plaso.readthedocs.io/en/latest/sources/user/Output-and-formatting.html#formatter-configuration-file-format">configuration driven</a> (<a href="https://github.com/log2timeline/plaso/issues/444">#444</a>) enabling more user customization of the final event message. We’ll continue this migration, and provide more details about how to use this feature in future releases.</li>
<li>Further storage refactoring to enable more database normalization</li>
<li>Tools behave more nicely when used with pipes (<a href="https://github.com/log2timeline/plaso/issues/2846">#2846</a>)</li>
<li>Support for Python 3.8</li>
<li>Fedora 32 and Ubuntu 20.04 releases</li>
</ul>
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/26">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
<ul style="text-align: left;">
<li>We continue to migrate most of the formatters to be configuration driven (<a href="https://github.com/log2timeline/plaso/issues/444">#444</a>) by adding support for enumeration and flag values.</li>
<li>We are planning to further improve the AMCache.hve parser to support more types of subkeys (<a href="https://github.com/log2timeline/plaso/issues/2790">#2790</a>).</li>
<li>Work on alternative Plaso storage back-ends like Redis and Elasticsearch is continuing.</li>
</ul>
<br />
Per <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Plaso's Users' Guide</a>, we recommend using <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a> to install Plaso with minimum hassle.<br />
<br />
If Docker does not fit your needs there are installation instructions available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html">Fedora</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="https://github.com/open-source-dfir/slack">Open Source DFIR slack</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.<br />
</div>
Daniel White
Published 2020-02-29, updated 2020-05-10<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20200227 released</h2>
The Plaso team is pleased to announce a new Plaso release, 20200227. This is a relatively minor release, with only one significant user-facing feature, the addition of Elasticsearch 7 support.<br />
<h3 style="text-align: left;">
Other changes</h3>
<br />
<ul style="text-align: left;">
<li>Full paths in Prefetch files are now path hints, since multiple possible full path candidates can exist, as <a href="https://github.com/Resolk">@Resolk</a> outlined in <a href="https://github.com/log2timeline/plaso/pull/2817">#2817</a>.</li>
<li>The 4n6time output modules were removed after checking with <a href="https://github.com/dnides">@dnides</a> about the <a href="https://github.com/log2timeline/plaso/issues/2809">status of the project</a>.</li>
<li>Added a filter file to ignore files in the WinSxS directory</li>
<li>We have noticed that some people are running significantly out-of-date versions of Plaso. Due to continuous format changes, bug fixes and improvements in Plaso and its dependencies, we have added a warning that is shown when the Plaso release in use is older than 6 months.</li>
</ul>
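To make the reasoning behind path hints concrete, here is an added worked example; it is not Plaso's prefetch parser, and the sample filename strings below are constructed. A Prefetch file stores the executable's name in its header without a directory (the field holds at most 29 characters), plus a list of every file mapped during the run as a full path under a \VOLUME{...} device prefix. Deriving one "full path" by taking the first list entry whose file name matches the executable silently picks wrong when that name occurs under more than one directory, for instance a copy of CMD.EXE dropped in a user's Downloads folder next to the real one in System32. Reporting every match as a path hint keeps that ambiguity visible to the analyst.

```python
"""Added example (not Plaso's code): derive executable path hints from the
filename strings of a Windows Prefetch file instead of guessing one path."""
import ntpath  # Windows path semantics regardless of the host platform
import re

# The header's executable-name field holds at most 29 UTF-16 characters, so
# longer names are stored truncated.
MAX_HEADER_NAME_LENGTH = 29

# \VOLUME{<creation time>-<serial>}\ prefix as written in Prefetch filename strings.
_VOLUME_PREFIX = re.compile(
    r'^\\VOLUME\{[0-9A-Fa-f]+-[0-9A-Fa-f]+\}', re.IGNORECASE)


def _name_matches(header_name, basename):
    """Compare an (upper-cased) header name with a file name from the list."""
    if basename == header_name:
        return True
    # A 29-character header name may be the truncated prefix of a longer name.
    return (len(header_name) == MAX_HEADER_NAME_LENGTH
            and basename.startswith(header_name))


def executable_path_hints(executable_name, filename_strings):
    """Return every filename string whose file name matches the executable.

    Matching is case-insensitive because Prefetch stores names upper-cased
    and NTFS is case-insensitive by default. Order is preserved and
    duplicates are dropped, so the result is the ordered set of candidates
    rather than a single guess.
    """
    wanted = executable_name.upper()
    hints = []
    for path in filename_strings:
        basename = ntpath.basename(path).upper()
        if _name_matches(wanted, basename) and path not in hints:
            hints.append(path)
    return hints


def strip_volume_prefix(path):
    """Drop the \\VOLUME{...} device prefix so a hint reads as a file system path."""
    return _VOLUME_PREFIX.sub('', path, count=1)


# Constructed sample: the executable name appears under two directories,
# which is exactly what makes a single "full path" ambiguous.
SAMPLE_EXECUTABLE = 'CMD.EXE'
SAMPLE_FILENAMES = [
    '\\VOLUME{01d5f2d3c9a1b2c3-8a2f1e4d}\\WINDOWS\\SYSTEM32\\NTDLL.DLL',
    '\\VOLUME{01d5f2d3c9a1b2c3-8a2f1e4d}\\WINDOWS\\SYSTEM32\\CMD.EXE',
    '\\VOLUME{01d5f2d3c9a1b2c3-8a2f1e4d}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL',
    '\\VOLUME{01d5f2d3c9a1b2c3-8a2f1e4d}\\USERS\\ANALYST\\DOWNLOADS\\CMD.EXE',
]

if __name__ == '__main__':
    for hint in executable_path_hints(SAMPLE_EXECUTABLE, SAMPLE_FILENAMES):
        print(strip_volume_prefix(hint))
```

Run the module directly to print both candidates for the sample; a hint under a user-writable directory next to one under System32 is the kind of masquerading a single derived path would have hidden.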
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/25">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
<br />
<ul style="text-align: left;">
<li>We are changing most of the formatters to be <a href="https://github.com/log2timeline/plaso/issues/444">configuration-file driven </a>so it will be easier for users to tweak the format of event messages.</li>
<li>We are planning to further improve the AMCache.hve parser to <a href="https://github.com/log2timeline/plaso/issues/2790">support more types of subkeys</a>.</li>
<li>Work on alternative Plaso storage back-ends like Redis and Elasticsearch is ongoing.</li>
</ul>
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20200227?</h3>
Per <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Plaso's Users' Guide</a>, we recommend using <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a> to install Plaso with minimum hassle.<br />
<br />
If Docker does not fit your needs there are installation instructions available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html">Fedora</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="https://github.com/open-source-dfir/slack">Open Source DFIR slack</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.<br />
<div>
<br /></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-90665587514133318762020-01-30T13:23:00.002-08:002020-01-30T13:27:22.365-08:00Plaso 20200121 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20200121 released</h2>
The Plaso team is pleased to announce the first Plaso release of 2020, Plaso 20200121. This is a relatively minor release with only one significant user-facing feature, the addition of NTFS path hints. Thanks to <a href="https://github.com/stbe">stbe</a> for providing the first iteration of this useful feature!<br />
<h3 style="text-align: left;">
Other changes</h3>
<br />
<ul style="text-align: left;">
<li><a href="https://github.com/log2timeline/plaso/pull/2794">Support </a>for a new WebCacheV01 format, with thanks to <a href="https://github.com/ant1">ant1</a> for creating sample files</li>
<li><a href="https://github.com/log2timeline/dfvfs/issues/181">Migration to Cryptography.io</a>, as pycrypto appears to be unmaintained (<a href="https://pypi.org/project/pycrypto/#history">the last release was in 2013</a>)</li>
<li>Removal of <a href="https://github.com/log2timeline/l2tdevtools/issues/769">Python 2.7 and 3.4 support</a></li>
<li>We are no longer providing PyInstaller packaged versions. If you need a PyInstaller build we recommend <a href="http://www.pyinstaller.org/">sponsoring</a> the PyInstaller project and using <a href="https://plaso.readthedocs.io/en/latest/sources/developer/Packaging%20with%20pyinstaller.html">these instructions</a> to build a PyInstaller packaged version of Plaso.</li>
</ul>
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/24">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
4n6time appears to be abandoned, so the next release will <a href="https://github.com/log2timeline/plaso/issues/2809">remove support</a> for this output mode.<br />
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20200121?</h3>
See Plaso's <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Users' Guide</a>; we recommend using <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a> to install Plaso without having to separately install the dependencies.<br />
<br />
If Docker does not fit your needs there are installation instructions available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html">Fedora</a>. Note that as we're no longer providing PyInstaller builds, you will have to either manually install Plaso and its dependencies, or <a href="https://plaso.readthedocs.io/en/latest/sources/developer/Packaging%20with%20pyinstaller.html">make your own PyInstaller package</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="https://github.com/open-source-dfir/slack">Open Source DFIR slack</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-69730591715436843452020-01-03T12:24:00.002-08:002020-01-03T12:24:30.548-08:00Plaso 20191203 Released<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<h2 style="text-align: left;">
Plaso 20191203 released</h2>
<div>
After a bit of a delay in publication, the Plaso team is pleased to announce the release of Plaso 20191203.</div>
<div>
<br /></div>
<div>
<h3 style="text-align: left;">
New features</h3>
</div>
<div>
<ul style="text-align: left;">
<li>A Linux tagging file, thanks to new contributor <a href="https://github.com/pyllyukko">pyllyukko</a></li>
<li>A parser for the <a href="https://www.netresec.com/?page=Networkminer">NetworkMiner</a> fileinfos file</li>
<li>The <a href="https://plaso.readthedocs.io/en/latest/sources/user/Using-image_export.html">image_export</a> tool now outputs a JSON file containing data about the files it extracted.</li>
</ul>
<h3 style="text-align: left;">
Other changes</h3>
</div>
<div>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/22">release milestone</a>. </div>
<div>
<br /></div>
<div>
<h3 style="text-align: left;">
Where/how to get Plaso 20191203?</h3>
</div>
<div>
<div>
See Plaso's <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Users' Guide</a>. Installation instructions are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html">Fedora Core</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.</div>
<div>
<br /></div>
<div>
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="https://github.com/open-source-dfir/slack">Open Source DFIR slack</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</div>
</div>
<div>
<br /></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-16302515470340562122019-11-21T11:38:00.000-08:002019-11-21T11:38:15.408-08:00Plaso 20190916 released<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<br /></div>
<h2 style="text-align: left;">
Plaso 20190916 released</h2>
<div>
<div>
After a longer than usual release process due to lack of maintainer availability, the Plaso team are glad to announce a new Plaso release, 20190916. </div>
<h3 style="text-align: left;">
New parsers</h3>
<div>
<ul style="text-align: left;">
<li><a href="https://github.com/log2timeline/plaso/pull/2710">APT history</a> by new contributor <a href="https://github.com/js-forensic">js-forensic</a></li>
<li><a href="https://github.com/log2timeline/plaso/pull/2703">VSFTP</a> by new contributor <a href="https://github.com/bodik">bodik</a></li>
<li><a href="https://github.com/log2timeline/plaso/pull/2699">BAM registry key</a> also by <a href="https://github.com/js-forensic">js-forensic</a></li>
<li><a href="https://github.com/log2timeline/plaso/pull/2687">SetupAPI log</a> by <a href="https://github.com/js-forensic">js-forensic</a></li>
</ul>
</div>
<h2 style="text-align: left;">
Other new features</h2>
<div>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/21">release milestone</a>. </div>
<div>
<br /></div>
<h2 style="text-align: left;">
Distribution changes</h2>
<div>
For this release, we’re not providing a binary build for MacOS. This is due to the change in Python versions between MacOS 10.15 (Catalina) and previous versions, as well as Apple’s notes about possibly not including Python in <a href="https://developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_release_notes">future releases</a>. For now, we recommend MacOS users do a <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Source-Release.html">source installation</a>. We’ll keep an eye on this situation and possibly provide a packaged release again in the future.</div>
<div>
<br /></div>
<div>
The future of the PyInstaller project is uncertain, as it is actively <a href="https://www.pyinstaller.org/funding.html">looking for funding</a>. If you rely on the Plaso PyInstaller packaged release, we suggest funding the PyInstaller project. Going forward, we are therefore unlikely to provide a PyInstaller build for Windows. </div>
<div>
<br /></div>
<div>
There is now a Fedora 31 release available, but this meant removing lz4 as a required dependency for the time being. See this <a href="https://github.com/log2timeline/l2tdevtools/issues/752">issue</a> for more context. </div>
<div>
<br /></div>
<h2 style="text-align: left;">
Where/how to get Plaso 20190916?</h2>
<div>
See Plaso's <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Users' Guide</a>. As usual, builds are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html">Fedora</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.</div>
<div>
<br /></div>
<div>
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="https://github.com/open-source-dfir/slack">Open Source DFIR slack</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</div>
</div>
<div>
<br /></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-58592339524827776382019-07-16T02:43:00.002-07:002019-08-10T14:56:00.104-07:00Plaso 20190708 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20190708 released</h2>
The Plaso team are delighted to announce a new Plaso release, 20190708. Most of the changes in this release are internal: refactoring, cleaning up and fixing bugs.<br />
<br />
One series of user-facing changes is some refactoring of the Windows Registry plugins. The ‘regvalue’ attribute has been removed from these plugins, and they now produce events with different attributes. For now, Plaso continues to support ‘regvalue’ in older Plaso storage files; note that at some point this support will also <a href="https://github.com/log2timeline/plaso/issues/2630">be removed</a>.<br />
<br />
If you have any automation/templates relying on these values, you may need to update. Don’t hesitate to reach out to make sure we understand your use case(s).<br />
<h3 style="text-align: left;">
Other new features</h3>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/20">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
As part of the <a href="https://pythonclock.org/">Python 2 retirement</a> on January 1, 2020, this is the last release where we’ll provide a Python 2.7 PyInstaller build; these will be Python 3 only from now on. We’ll also no longer provide a 32-bit PyInstaller build for Windows.<br />
We have also removed most of the older PyInstaller builds, since we were made aware people were actively using these. We strongly encourage using the most recent release of Plaso, since data formats and dependencies change, bugs get addressed and new features get added continuously.<br />
In the next release, we’ll also not supply a Python 2.7 release for MacOS. We’ll provide more detail on MacOS installation at the time.<br />
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20190708?</h3>
See Plaso's <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Users' Guide</a>. As usual, builds are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Packaged-Release.html">Fedora</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.<br />
<div>
<br /></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-41897557344036892662019-06-03T07:57:00.000-07:002019-06-03T07:57:55.944-07:00Plaso 20190531 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20190531 released</h2>
The Plaso team are pleased to announce a new Plaso release, 20190531. There are some substantial changes to the way both event and collection filters work in this release, and a couple of other goodies too.<br />
<h3 style="text-align: left;">
Event filters</h3>
Support for filtering on the event message string, as well as on the short or long source values, has been <a href="https://github.com/log2timeline/plaso/issues/2525">removed</a>. These filters are used in <a href="https://plaso.readthedocs.io/en/latest/sources/user/Using-psort.html?highlight=filter">psort</a> directly, and also power the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Analysis-plugin-tagging.html">tagging analysis plugin</a>.<br />
If you have tag files that use an expression like “message contains ‘command’”, you’ll need to update these to refer to the specific fields you’re interested in filtering on. <br />
More information can be found in the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Event-filters.html">event filter documentation</a>.<br />
<h3 style="text-align: left;">
Collection filters</h3>
This release includes a much requested feature: excluding certain <a href="https://github.com/log2timeline/plaso/issues/1537">paths from processing</a>. This has necessitated adding a new collection filter format, however, as the older text format does not support exclusion.<br />
So, read up on the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Collection-Filters.html#text-based-filter-file-format">YAML format</a> and enjoy some lower processing times. The YAML format is supported by all the Plaso tools that support collection filters: <a href="https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html">log2timeline</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Creating-a-timeline.html#using-psteal">psteal</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Using-image_export.html">image_export</a>.<br />
<br />
More information can be found in the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Collection-Filters.html#yaml-based-filter-file-format">collection filter documentation</a>.<br />
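An added example of a YAML collection filter combining an include and an exclude document; it is not taken from the post, the keys (description, type, path_separator, paths) are assumed to match the Plaso collection filter documentation linked above, and the paths are constructed for illustration.<br />

```yaml
# Added example, not from the post or the Plaso repository.
# A YAML filter file holds one or more documents separated by '---'; each
# document carries the keys assumed from the Plaso documentation:
#   description    free text
#   type           include or exclude
#   path_separator separator used in the paths below (Windows here)
#   paths          list of paths, '*' matching one path segment
#
# Include only a handful of high-value Windows artifacts instead of walking
# the whole volume: user registry hives, event logs and Prefetch files.
description: Include user hives, event logs and Prefetch (constructed example)
type: include
path_separator: '\'
paths:
- '\Users\*\NTUSER.DAT'
- '\Windows\System32\winevt\Logs\*.evtx'
- '\Windows\Prefetch\*.pf'
---
# Exclusion is what the older text-based format could not express. Skipping
# the component store removes a large volume of files that rarely add
# timeline value, which is where the lower processing times come from.
description: Exclude the WinSxS component store (constructed example)
type: exclude
path_separator: '\'
paths:
- '\Windows\WinSxS'
```

The file is passed to log2timeline, psteal or image_export with their file filter option (assumed here to be <span style="font-family: Courier New, Courier, monospace;">--file-filter</span>; confirm against the linked tool documentation).<br />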
<h3 style="text-align: left;">
Other new features</h3>
<div style="text-align: left;">
We’ve also added a few features in this release, specifically:</div>
<ul style="text-align: left;">
<li>Mac OS Notes SQLite plugin with thanks to new contributor <a href="https://github.com/alimez">@alimez</a>.</li>
<li>Initial version of a Mac OS knowledgeC.db parser with thanks to <a href="https://github.com/moxilo">@moxilo</a>.</li>
<li>A file hashing plugin that calculates byte entropy.</li>
</ul>
<br />
<br />
The Mac parsers will be enabled automatically when Plaso detects that it’s processing a MacOS image. The entropy plugin needs to be enabled specifically, using the <span style="font-family: Courier New, Courier, monospace;">--hashers entropy</span> argument.<br />
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/19">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
<a href="https://github.com/log2timeline/plaso/issues/1537">More collection filter changes</a> like data stream support to follow in future releases.<br />
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20190531?</h3>
See Plaso's <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Users' Guide</a>. As usual, builds are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html">Fedora Core</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.<br />
<div>
<br /></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-45885633185814776422019-05-21T12:49:00.000-07:002019-05-21T12:50:43.382-07:00Plaso 20190429 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20190429 released</h2>
A little later than usual, the Plaso team are glad to announce a new Plaso release, 20190429. A few user-facing things you might notice:<br />
<br />
<ul style="text-align: left;">
<li>We’ve changed the shebangs to Python 3; this means that if Plaso tools are run without a specific Python version on Linux and MacOS, a Python 3 interpreter will be invoked.</li>
<li>Psort now shows the event counters as part of the status view.</li>
<li>Extraction errors have been renamed to warnings, to reflect that these don't necessarily indicate a fatal condition.</li>
</ul>
<br />
<h3 style="text-align: left;">
Other changes</h3>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/18?closed=1">release milestone</a>.<br />
<h3 style="text-align: left;">
Future plans</h3>
As <a href="http://blog.kiddaland.net/2019/04/plaso-20190331-released.html">flagged previously</a>, we’re ending support for Ubuntu Xenial. While there is a packaged release on 20190429, there will be no further releases for Xenial.<br />
<br />
Note that version 20190429 of plaso-tools for Xenial and Bionic use Python 3. If you use multiple package managers (for example, pip and apt) make sure to use the right versions.<br />
<br />
We strongly encourage the use of a single package manager to prevent issues due to Python version conflicts.<br />
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20190429?</h3>
See <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Plaso's Users' Guide</a>. As usual, builds are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html">Fedora Core</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.<br />
<br />
If you run into problems take a look at the <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html">Installation Problems</a> page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the <a href="mailto:log2timeline-discuss@googlegroups.com">discuss mailing list</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue on the tracker</a>.</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-88437147876738662392019-04-02T08:03:00.000-07:002019-04-29T22:33:27.757-07:00Plaso 20190331 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20190331 released</h2>
The Plaso team are glad to announce a new Plaso release, 20190331. Most of the changes in this release are under-the-hood improvements. A few user-facing things you might notice:<br />
<ul style="text-align: left;">
<li>Log output from tools will be output to a file by default, and not just printed to the terminal.</li>
<li>There’s a new --troubles option, which provides some debugging and troubleshooting information</li>
<li>A lot of bug fixes and improvements in the Artifact filter support</li>
<li>Elasticsearch5 support has been removed, as this version is now at <a href="https://www.elastic.co/support/eol">end-of-life</a></li>
</ul>
<h3 style="text-align: left;">
Other changes</h3>
<div style="text-align: left;">
Support for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Event-filters.html">event filters</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Analysis-plugin-tagging.html">tagging</a> has been changed from efilter back to object filter, removing efilter as a dependency. File and artifact filtering has not changed. </div>
<div style="text-align: left;">
<br /></div>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/17?closed=1">release milestone</a>.<br />
<h4 style="text-align: left;">
Future plans</h4>
As flagged before, we’re on track to remove support for Python 2 and we will default to <a href="https://github.com/log2timeline/plaso/issues/2403">Python 3 in the next release</a>.<br />
<br />
Due to the age of some of the packages and support libraries in Ubuntu Xenial (16.04), we are considering ending support for a packaged version of Plaso for Xenial in the short term; this will very likely be the last Xenial release provided by the GIFT PPA.<br />
<br />
Note that version 20190331 of plaso-tools for Xenial and Bionic use Python 2. The previous version of plaso-tools, 20190131, defaulted to Python 3 on Xenial which caused some grief with installations that used multiple package managers e.g. pip and apt.<br />
We strongly encourage the use of a single package manager to prevent issues due to Python version conflicts.<br />
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20190331?</h3>
See <a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html">Plaso's Users' Guide</a>. As usual, builds are available for <a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html">Docker</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">MacOS</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html">Ubuntu</a>, <a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html">Fedora Core</a> and <a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html">Windows</a>.<br />
<br />
If you run into problems take a look at the Installation Problems page in the Plaso documentation, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss <a href="mailto:log2timeline-discuss@googlegroups.com">mailing list</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue on the tracker</a>.</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-72162353765219700872019-02-01T23:51:00.000-08:002019-02-01T23:51:31.251-08:00Plaso 20190131 released<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Plaso 20190131 released</span>
</div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Plaso team is pleased to announce a new Plaso release, 20190131. Most of the changes in this release are under-the-hood improvements.</span>
</div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Preset changes</span>
</h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">One user-facing change is that the parser-preset system has changed to use a YAML configuration format. This makes it a bit easier for users to generate and maintain custom sets of parsers they want to apply. </span>
<br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you want to use your own presets, use the data_location argument to </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">log2timeline</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> or </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Creating-a-timeline.html?highlight=psteal" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">psteal</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> to specify a directory containing a presets.yaml file. 
For an example of the file format, see the </span><a href="https://github.com/log2timeline/plaso/blob/master/data/presets.yaml" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">default presets</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> we ship. </span>
</div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Distribution changes</span>
</h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As mentioned in our </span><a href="http://blog.kiddaland.net/2018/12/plaso-20181219-released.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">last release announcement</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, we’re no longer providing builds for Ubuntu Trusty (14.04).</span>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As part of the changes to support Python 3, we’ve removed </span><a href="https://github.com/vstinner/hachoir" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Hachoir</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> from Plaso. We’re going to continue looking at what to do with Hachoir, possibly replacing some of its parsing functionality directly in Plaso, or using the newer, Python 3-only version of Hachoir once we’ve removed support for Python 2. However, Hachoir is GPL-licensed while Plaso is Apache 2.0-licensed, and GPL code cannot be pulled into an Apache 2.0 project, which makes this challenging (see </span><a href="https://en.wikipedia.org/wiki/License_compatibility" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">https://en.wikipedia.org/wiki/License_compatibility</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> for more context).</span>
<br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://github.com/log2timeline/l2tpreg" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">l2tpreg</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, one of the projects spun out of the Plaso core, has been archived, and the log2timeline team won’t be making further changes to it.</span>
</div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Other changes</span>
</h2>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the</span><a href="https://github.com/log2timeline/plaso/milestone/16?closed=1" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">release milestone</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span>
</div>
<b id="docs-internal-guid-0aab4fdd-7fff-933a-6d57-bfe8126ce44d" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Where/how to get Plaso 20190131?</span>
</div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">See Plaso's </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Users' Guide</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. As usual, builds are available for </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Docker</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">MacOS</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a 
href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Ubuntu</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Fedora Core</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and</span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; 
font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Windows</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span>
</div>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you run into problems, take a look at the </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> page in the Plaso documentation to see if other people have seen the issue before. 
If nothing there helps, ask for help on the discuss mailing list: </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">log2timeline-discuss@googlegroups.com</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> or</span><a href="https://github.com/log2timeline/plaso/issues/new" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">open an issue</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> on the tracker.</span>
</div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-33437463762924031912018-12-20T04:34:00.002-08:002018-12-20T04:34:54.678-08:00Plaso 20181219 released<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Plaso 20181219 released</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Plaso team is thrilled to announce a new Plaso release, 20181219. As you might expect, this will be the last release for 2018. A couple of the more notable changes and additions are called out below.</span></div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">APFS</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">One of the biggest features in this release is initial support for Apple File System (APFS). Support is provided via </span><a href="https://github.com/libyal/libfsapfs" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">libfsapfs/pyfsapfs</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. Encrypted APFS is supported, as are the most common compression modes (zlib, LZVN), and we’re planning to add support for snapshots, resource forks and other compression modes (LZFSE) over the coming months.</span></div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Documentation move and scaffolder</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A question we’re often asked is how to contribute to Open Source tools like Plaso, so we’ve done a few things to hopefully make this easier for contributors. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Documentation has been moved to a new home on </span><a href="https://plaso.readthedocs.io/en/latest/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">readthedocs</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, which has a helpful “Edit on GitHub” link in the top right. If you see a problem, or want to add something, it’s now very straightforward to do the edit on GitHub, and send the maintainers a pull request to improve things for everyone.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The other two things we’ve added are </span><a href="https://github.com/log2timeline/l2tdevtools/wiki/Develop-script" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">a script</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> to make bootstrapping a Dockerized development environment easy, and a </span><a href="https://l2tscaffolder.readthedocs.io/en/latest/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">scaffolder</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> that automatically generates the files needed for a new parser or plugin. To begin with, the scaffolder only supports creating a new SQLite plugin, but support for more plugins and parsers is in the works.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There’s still plenty more we’d like to do to make development more accessible, so look forward to further advancements in the near future.</span></div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Other changes</span></h2>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Some of the more noteworthy user-facing features in this release are:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;">Support for </span><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline;"><a href="https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc#32-artifact-group-source" style="text-decoration-line: none;">artifact definition groups</a></span></li>
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;">SSL support for Elasticsearch, courtesy of new contributor <a href="https://github.com/cugu">cugu</a>.</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;">Binary releases of Plaso for Python 3 for Ubuntu Linux.</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;">Packages in <a href="https://launchpad.net/~gift">GIFT</a> for Ubuntu Bionic (18.04 LTS).</span></li>
</ul>
<b id="docs-internal-guid-a8975a2a-7fff-a7f6-5e79-ed02fea23a7e" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the</span><a href="https://github.com/log2timeline/plaso/milestone/14?closed=1" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">release milestone</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br /></span></div>
<h2 dir="ltr" style="line-height: 1.656; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Future plans</span></h2>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As flagged before, we’re planning to drop support for Python 2 in 2019, and this will be the last release where we publish packages for Ubuntu Trusty (14.04).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Where/how to get Plaso 20181219?</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">See Plaso's </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Users' Guide</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. As usual, builds are available for </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Docker</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/MacOS-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">MacOS</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a 
href="https://plaso.readthedocs.io/en/latest/sources/user/Ubuntu-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Ubuntu</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Fedora-Core-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Fedora Core</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and</span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Windows-Packaged-Release.html" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; 
font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Windows</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">If you run into problems, take a look at the </span><a href="https://plaso.readthedocs.io/en/latest/sources/user/Installation-Problems.html" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> page in the Plaso documentation to see if other people have seen the issue before. 
If nothing there helps, ask for help on the discuss mailing list: </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">log2timeline-discuss@googlegroups.com</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> or</span><a href="https://github.com/log2timeline/plaso/issues/new" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">open an issue</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> on the tracker.</span></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-24706644074508343432018-10-01T10:43:00.000-07:002018-10-01T13:59:53.931-07:00Plaso 20180930 released<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20180930 released</h2>
<div>
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"></span><br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">The Plaso team is delighted to announce a new Plaso release, 20180930. We have a mix of behind the scenes improvements and user facing features.</span></span></div>
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9">
</span>
<div>
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span id="docs-internal-guid-3f449e4c-7fff-788e-4a9e-857b174a1024"></span></span><br /></span>
<div dir="ltr" style="font-family: Arial; font-size: 11pt; line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt; white-space: pre-wrap;">
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span id="docs-internal-guid-3f449e4c-7fff-788e-4a9e-857b174a1024"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Behind the scenes, we’ve updated Plaso to work with Python 3, as well as migrated fully to dtFabric for binary format parsing (and updated our </span><a href="https://github.com/libyal/dtformats/tree/master/documentation" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline;">format documentation</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">). As a result of this migration, we’ve bid farewell to construct, which simplifies dependencies a bit. </span></span></span></span></div>
<div dir="ltr" style="font-family: Arial; font-size: 11pt; line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt; white-space: pre-wrap;">
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span id="docs-internal-guid-3f449e4c-7fff-788e-4a9e-857b174a1024"><span id="docs-internal-guid-cf42d89e-7fff-9b6e-f85d-b9ade95c4c2c">We’re planning to discontinue Python 2 support in the near future, likely in the first release of 2019. If you think the removal of Python 2 support will cause you problems, please reach out to the development team. We aren’t providing Python 3 Plaso binary builds at the moment, but we plan to in the near future.</span></span></span></span></div>
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9"><span style="font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><span id="docs-internal-guid-3f449e4c-7fff-788e-4a9e-857b174a1024">
<div dir="ltr" style="font-family: Arial; font-size: 11pt; line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt; white-space: pre-wrap;">
<span style="font-size: 11pt;">Some of the more noteworthy user-facing features in this release are:</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
</div>
<ul style="text-align: left;">
<li>New plugins for parsing <a href="https://github.com/log2timeline/plaso/blob/20180930/plaso/parsers/sqlite_plugins/tango_android.py">Tango</a> and <a href="https://github.com/log2timeline/plaso/blob/20180930/plaso/parsers/sqlite_plugins/twitter_android.py">Twitter</a> databases on Android</li>
<li>New parser for the <a href="https://github.com/log2timeline/plaso/blob/20180930/plaso/parsers/sqlite_plugins/mac_notificationcenter.py">macOS NotificationCenter</a> database by new contributor <a href="https://github.com/pstirparo">pstirparo</a></li>
<li>New parsers for <a href="https://github.com/log2timeline/plaso/blob/20180930/plaso/parsers/apache_access.py">Apache access logs</a> and <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/santa.py">Santa</a></li>
<li>Improved parsing for the <a href="https://github.com/log2timeline/plaso/commit/18f4ef033029b5d4dc2a6991964ea822ecdaad5d">Chrome Cookies database</a> on newer versions of Chrome, thanks to new contributor <a href="https://github.com/obsidianforensics">obsidianforensics</a></li>
</ul>
<div>
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/14?closed=1">release milestone</a>. </div>
<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20180930?</h3>
<div>
See <a href="https://github.com/log2timeline/plaso/wiki/Users-Guide">Plaso's Users' Guide</a>. As usual, builds are available for <a href="https://github.com/log2timeline/plaso/wiki/Installing-with-docker">Docker</a>, <a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release">MacOS</a>, <a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release">Ubuntu</a>, <a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release">Fedora Core</a> and <a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release">Windows</a>.<br />
<br />
If you run into problems take a look at the Installation Problems page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</div>
</span></span></span></div>
<span id="docs-internal-guid-cac9a300-7fff-66e5-8920-ba0daccd8dd9">
</span></div>
</div>
Posted by Daniel White
2018-08-20: Plaso 20180818 released
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20180818 released</h2>
The Plaso team is pleased to announce a new Plaso release, 20180818. We’ve continued our work on migrating Plaso to Python 3, and moving binary parsing to use <a href="https://github.com/libyal/dtfabric">dtFabric</a>, but we aren’t quite ready to fully migrate just yet.<br />
<br />
A side effect of the dtFabric migration is that most of the binary-format parsers have been substantially rewritten, and are likely to be stricter when parsing file formats. If you spot any files not being parsed as they were in previous versions, please let us know by <a href="https://github.com/log2timeline/plaso/issues/new">opening an issue</a>.<br />
<br />
Some of the more noteworthy user-facing features in this release are:<br />
<br />
<ul style="text-align: left;">
<li>A <a href="https://github.com/log2timeline/plaso/commit/a4d69477944a9797479c2f0872276e021a21c20d">parser</a> for the Windows 10 User Timeline database by new contributor <a href="https://github.com/everestmz">everestmz</a></li>
<li><a href="https://github.com/log2timeline/plaso/commit/a7e4621ec7a65014639dd21b66453432aa504f8e">Changes</a> to the Chrome history parser to hopefully handle new versions of Chrome more effectively</li>
<li>Plugins for <a href="https://github.com/log2timeline/plaso/commit/872e2dbca1618ea6167f8acafabdd98fe9e4a688">Google Hangouts and Kodi </a>from new contributor <a href="https://github.com/infosecjosh">infosecjosh</a>. These plugins were part of the winning solution to the <a href="https://www.dfrws.org/announcements">DFRWS 2017 forensic challenge</a>.</li>
<li><a href="https://github.com/log2timeline/plaso/commit/a1b043d3b03c32e1ea5cce17a0ae78e6d6f2ce84">Support</a> for lz4 compressed systemd journal events.</li>
</ul>
<br />
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the <a href="https://github.com/log2timeline/plaso/milestone/13?closed=1">release milestone</a>.<br />
<h3 style="text-align: left;">
Where/how to get Plaso 20180818?</h3>
See <a href="https://github.com/log2timeline/plaso/wiki/Users-Guide">Plaso's Users' Guide</a>. As usual, builds are available for <a href="https://github.com/log2timeline/plaso/wiki/Installing-with-docker">Docker</a>, <a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release">MacOS</a>, <a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release">Ubuntu</a>, <a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release">Fedora Core</a> and <a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release">Windows</a>.<br />
<br />
If you run into problems take a look at the Installation Problems page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</div>
Posted by Daniel White
2018-07-02: Plaso 20180630 released
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
Plaso 20180630 released</h2>
The Plaso team is pleased to announce a new Plaso release, 20180630. Behind the scenes, we’ve been working on <a href="https://github.com/log2timeline/plaso/projects/9">migrating Plaso to Python 3</a>, and moving binary parsing to use <a href="https://github.com/libyal/dtfabric">dtFabric</a>.<br />
<br />
The big user-facing feature for this release is filtering using <a href="https://github.com/ForensicArtifacts/artifacts/">Forensic Artifacts</a>. The new parameters to look out for to use this feature are:<br />
<br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "courier new" , "courier" , monospace;">--artifact_filters</span>, which you can use to have log2timeline.py or image_export.py only process certain specific forensic artifacts. For example, if you’re only interested in the Windows Security event log for a specific image, you might invoke log2timeline as <span style="font-family: "courier new" , "courier" , monospace;">log2timeline.py --artifact_filters WindowsEventLogSecurity security_event_log.plaso image.dd</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;">--artifact_filters_file</span>, which similarly lists specific artifacts Plaso should process, but reads them from a file rather than directly from the command line. This might be useful for creating standardized artifact lists for processing multiple images for a specific case, or as part of a triage workflow.</li>
<li><span style="font-family: "courier new" , "courier" , monospace;">--custom_artifact_definitions</span>, which specifies a path to a file containing artifact definitions. By default, Plaso will look for artifacts defined in your installed version of the <a href="https://github.com/ForensicArtifacts/artifacts/releases">Forensic Artifacts library</a>, but if you have specific things you want to check for in your own environment, or for a specific case, you can tell Plaso about them using this argument. </li>
</ul>
<br />
<br />
There’s more information on how to use all these command line arguments available via the <span style="font-family: "courier new" , "courier" , monospace;">--help</span> argument.<br />
<br />
Specific guidance on how to write new artifacts is available in the <a href="https://github.com/ForensicArtifacts/artifacts/blob/master/docs/Artifacts%20definition%20format%20and%20style%20guide.asciidoc">project’s wiki</a>. One important note: at present Plaso only supports filtering on files and Windows Registry keys; artifacts with the COMMAND and WMI source types aren’t supported.<br />
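As an added example that is not part of the Plaso project or this post, the following POSIX shell script puts the three parameters above together for a triage run: it writes a custom artifact definitions file (Forensic Artifacts YAML format), writes a one-name-per-line filter list for <span style="font-family: "courier new" , "courier" , monospace;">--artifact_filters_file</span>, rejects definitions that use the unsupported COMMAND or WMI source types, and assembles the log2timeline.py invocation. The artifact name ExampleAppLogsAndConfig, the paths, and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Plaso project: assemble a triage artifact set
# for log2timeline.py using --custom_artifact_definitions and
# --artifact_filters_file. Every file name, artifact name and path below is
# constructed for illustration.
set -eu

# Write a custom artifact definitions file in the Forensic Artifacts YAML
# format. Only FILE and REGISTRY_KEY sources can be used as Plaso filters.
write_custom_definitions() {
  cat > "$1" <<'EOF'
name: ExampleAppLogsAndConfig
doc: Log files and registry configuration of a constructed line-of-business app.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemdrive%%\ProgramData\ExampleApp\Logs\*.log']
- type: REGISTRY_KEY
  attributes:
    keys: ['HKEY_LOCAL_MACHINE\Software\ExampleApp\*']
supported_os: [Windows]
EOF
}

# Write the list consumed by --artifact_filters_file: one artifact name per
# line, mixing a stock Forensic Artifacts definition with the custom one.
write_filter_list() {
  printf '%s\n' WindowsEventLogSecurity ExampleAppLogsAndConfig > "$1"
}

# Return 1 if a definitions file contains a source type Plaso does not
# support as a filter (COMMAND or WMI), so the problem surfaces before a
# long processing run rather than as silently missing events.
check_sources() {
  if grep -Eq '^[[:space:]]*-?[[:space:]]*type:[[:space:]]*(COMMAND|WMI)[[:space:]]*$' "$1"; then
    echo "check_sources: unsupported source type (COMMAND/WMI) in $1" >&2
    return 1
  fi
  return 0
}

# Print the log2timeline.py command line for a definitions file, a filter
# list, an output storage file and an image.
build_log2timeline_cmd() {
  printf 'log2timeline.py --custom_artifact_definitions %s --artifact_filters_file %s %s %s\n' \
    "$1" "$2" "$3" "$4"
}

# Demonstration run in a scratch directory (constructed paths).
work_dir=$(mktemp -d)
write_custom_definitions "$work_dir/case_artifacts.yaml"
write_filter_list "$work_dir/case_filters.txt"
check_sources "$work_dir/case_artifacts.yaml"
cmd=$(build_log2timeline_cmd "$work_dir/case_artifacts.yaml" \
  "$work_dir/case_filters.txt" "$work_dir/case.plaso" image.dd)
echo "$cmd"
# Only execute when Plaso is installed and the (constructed) image exists.
if command -v log2timeline.py >/dev/null 2>&1 && [ -f image.dd ]; then
  sh -c "$cmd"
fi
```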
<br />
As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the release milestone.<br />
<br />
<h2 style="text-align: left;">
Where/how to get Plaso 20180630?</h2>
See Plaso's <a href="https://github.com/log2timeline/plaso/wiki/Users-Guide">Users' Guide</a>. As usual, builds are available for <a href="https://github.com/log2timeline/plaso/wiki/Installing-with-docker">Docker</a>, <a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release">MacOS</a>, <a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release">Ubuntu</a>, <a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release">Fedora Core</a> and <a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release">Windows</a>.<br />
<br />
If you run into problems take a look at the Installation Problems page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.<br />
<div>
<br /></div>
</div>
Posted by Daniel White
2018-05-24: Plaso 20180524 released
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; ">Plaso 20180524 released</span></div>
<h2 style="text-align: left;">
<span id="docs-internal-guid-ba295270-9310-75c5-56d8-361fc3d82d08" style="font-weight: normal;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">The Plaso team is pleased to announce a new Plaso release, 20180524. A few highlights from this release:</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;"><li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; "><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; ">A </span><a href="https://github.com/log2timeline/plaso/commit/010f9cbdfc82e21ed6658657fd09a7b44115c464" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline; ">new parser for Trend Micro antivirus logs</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; ">, courtesy of new contributor </span><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline; "><a href="https://github.com/puccia" style="text-decoration-line: none;">puccia</a></span></div>
</li>
<li dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; "><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; ">The </span><a href="https://github.com/log2timeline/plaso/commit/1c1647f0bb98e695b3740028ecbca38f140e8633" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline; ">Google Drive Sync parser</span></a><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; ">, courtesy of new contributor </span><a href="https://github.com/johngalvin" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; vertical-align: baseline; ">johngalvin</span></a></div>
</li></ul></span><div style="text-align: left;"><span style="font-family: "arial"; font-size: 11pt; font-weight: normal; vertical-align: baseline; "><br /></span></div>
<div style="text-align: left;"><span style="font-family: "arial"; font-size: 11pt; font-weight: normal; vertical-align: baseline; ">As usual, there’s a bunch of cleanups, performance tweaks and bug fixes, the full list of which is available in the </span><a href="https://github.com/log2timeline/plaso/milestone/9?closed=1" style="font-weight: normal;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">release milestone</span></a><span style="font-family: "arial"; font-size: 11pt; font-weight: normal; vertical-align: baseline; ">. </span></div>
<div style="text-align: left;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: normal; vertical-align: baseline; "><br /></span></div>
<span style="font-weight: normal;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 20pt; ">Where/how to get Plaso 20180524?</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">See Plaso's </span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration-line: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">Users' Guide</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">. As usual, builds are available for</span><a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release" style="text-decoration-line: none;"><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> </span><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">MacOS</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">, </span><a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">Ubuntu</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">, </span><a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">Fedora Core</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> and </span><a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">Windows</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">.</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "><br /></span>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">I</span><span style="background-color: white; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">f you run into problems take a look at the </span><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration-line: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">Installation Problems</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: </span><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; "><a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a></span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> or</span><a href="https://github.com/log2timeline/plaso/issues/new" style="text-decoration-line: none;"><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> </span><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; ">open an issue</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "> on the tracker.</span></div>
<div>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; "><br /></span></div>
</span></h2>
</div>
</div>
Posted by Daniel White
2018-01-28: Plaso 20180127 released
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Plaso 20180127 released</span></div>
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">The Plaso team is pleased to announce its first 2018 release, Plaso 20180127. A few highlights from this release:</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"><br class="kix-line-break" /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">We’ve updated the Chrome History SQLite plugin to be more strict about which version of the Chrome history file it’s parsing, and produce fewer spurious error messages.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Initial support for parsing System Resource Usage Monitor (SRUM) databases (SRUDB.dat) has been added, based on </span><a href="http://forensicswiki.org/wiki/Windows_8#System_Resource_Utilization_Manager_.28SRUM.29" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">previous work</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">There’s a new parser for processing macOS FSEventsd files, from Leopard to High Sierra, inspired by Nicole Ibrahim’s OSDFCon 2017 </span><a href="http://www.osdfcon.org/presentations/2017/Ibrahim-Understanding-MacOS-File-Ststem-Events-with-FSEvents-Parser.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">presentation</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">A basic sessionize analysis plugin has been added, which we’ll extend in the future to support functionality like Timesketch’s </span><a href="https://github.com/google/timesketch/issues/499" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">event similarity scoring</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. This work was catalysed by research such as </span><a href="http://old.dfrws.org/2016eu/proceedings/DFRWS-EU-2016-13.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">David Gresty et al.’s paper</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> from DFRWS EU 2016.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As indicated </span><a href="http://blog.kiddaland.net/2017/12/plaso-20171231-released.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">previously</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">, the ZIP storage implementation has been removed. </span></div>
</li>
</ul>
<b id="docs-internal-guid-8d809081-3b91-9e9f-3d42-8cb4905c93e4" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">As usual, there’s a bunch of cleanups and bug fixes, the full list of which is available in the</span><a href="https://github.com/log2timeline/plaso/milestone/9?closed=1" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">release milestone</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. </span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;">One minor </span><a href="https://github.com/log2timeline/plaso/issues/1687" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline;">issue</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline;"> made it into the release: event counts by parser will be incorrect in this release, and we’ll fix it for the February version. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">Where/how to get Plaso 20180127?</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">See Plaso's</span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Users' Guide</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">. As usual, builds are available for</span><a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">MacOS</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Ubuntu</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">,</span><a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Fedora Core</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> and</span><a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Windows</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; 
font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">.</span></div>
<br />
<div dir="ltr" style="line-height: 1.656; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">I</span><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">f you run into problems take a look at the</span><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration: none;"><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> page on the Plaso wiki, to see if other people have seen the issue before. 
If nothing there helps, ask for help on the discuss mailing list: </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;">log2timeline-discuss@googlegroups.com</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> or</span><a href="https://github.com/log2timeline/plaso/issues/new" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline;">open an issue</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline;"> on the tracker.</span></div>
</div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-44736708148785214962017-12-31T04:14:00.002-08:002017-12-31T04:31:03.911-08:00Plaso 20171231 released<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso 20171231 released</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div style="text-align: left;">
<span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Squeaking out just before the end of the year, the Plaso team is delighted to release Plaso 20171231. This will be the last release for 2017 😉. A few highlights from this release:</span><br />
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">We introduced SQLite Plaso storage file support back in <a href="http://blog.kiddaland.net/2017/10/drink-joyful-good-mead-plaso-20170925.html">Heimdall</a>. In </span><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">20171231 </span><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">it’s now the default, and the older ZIP format is deprecated.</span></li>
<ul>
<li>The biggest changes you’ll notice are that storage files are a bit larger and extraction is faster.</li>
<li>If you need to use the old ZIP storage, run log2timeline.py with the ‘--storage-format=zip’ option.</li>
<li>We’re planning to remove the ZIP storage completely in the next release in January, which will unblock a few other changes, allowing us to shrink the SQLite storage file size.</li>
</ul>
<li>A new SQLite parser plugin to handle Safari’s newer history format thanks to new contributor <a href="https://github.com/chimau" style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">@chimau</a><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">.</span></li>
<li>Updates to <a href="https://github.com/log2timeline/dfvfs" style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">dfvfs</a><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;"> to support </span><a href="https://github.com/sleuthkit/sleuthkit/releases/tag/sleuthkit-4.5.0" style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">libtsk 4.5.0</a><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;"> and multi-member gzip files, needed for upcoming fsevents support.</span></li>
<li>Nicer looking partition and VSS overviews in log2timeline.</li>
</ul>
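<p>Because 20171231 writes SQLite storage by default while earlier releases wrote ZIP, it helps to know which format a .plaso file is in before picking a tool version to open it with. The following is an added example and not part of Plaso: it classifies a storage file by its leading magic bytes (the ZIP local file header versus the SQLite database header) and builds two constructed sample files, which stand in for real storage files, to show both outcomes.</p>

```python
"""Identify the on-disk format of a Plaso storage file before opening it.

Added example, not Plaso code. It sniffs the file's magic bytes: the
deprecated ZIP-based storage starts with the ZIP local file header
("PK\x03\x04"); the SQLite-based storage starts with "SQLite format 3\x00".
"""
import os
import sqlite3
import sys
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
SQLITE_MAGIC = b"SQLite format 3\x00"


def detect_storage_format(path):
    """Return 'zip', 'sqlite' or 'unknown' based on the first 16 bytes."""
    with open(path, "rb") as handle:
        header = handle.read(16)
    if header.startswith(SQLITE_MAGIC):
        return "sqlite"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def make_sample_files(directory):
    """Build two constructed sample files in the given directory.

    These are stand-ins, not real Plaso output: a ZIP archive with one
    member (an empty archive would only carry the end-of-central-directory
    record, not the local file header) and a SQLite database with one table.
    """
    zip_path = os.path.join(directory, "old.plaso")
    with zipfile.ZipFile(zip_path, "w") as archive:
        archive.writestr("metadata.txt", "constructed sample")

    sqlite_path = os.path.join(directory, "new.plaso")
    connection = sqlite3.connect(sqlite_path)
    connection.execute("CREATE TABLE metadata (key TEXT, value TEXT)")
    connection.commit()
    connection.close()
    return zip_path, sqlite_path


def demo():
    """Create the constructed samples in a temporary directory and classify them."""
    with tempfile.TemporaryDirectory() as directory:
        zip_path, sqlite_path = make_sample_files(directory)
        return detect_storage_format(zip_path), detect_storage_format(sqlite_path)


if __name__ == "__main__":
    # With no arguments, run the built-in demo; otherwise classify each path given.
    if len(sys.argv) == 1:
        print(demo())
    for path in sys.argv[1:]:
        print(path, detect_storage_format(path))
```

The check only reads the header, so it is safe to run on a storage file of any size and does not depend on having a particular Plaso version installed.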
</div>
</div>
<div style="text-align: left;">
<b id="docs-internal-guid-b6177576-ab71-e886-3885-ea378643c977" style="font-weight: normal;"><br /></b>
</div>
<div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As usual, there’s a bunch of cleanups and bug fixes; the full list is available in the <a href="https://github.com/log2timeline/plaso/milestone/7?closed=1">release milestone</a>.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<span style="font-family: "arial"; font-size: 20pt; white-space: pre-wrap;">Where/how to get Plaso 20171231?</span><br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">See Plaso's</span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span></a><span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">. As usual, builds are available for <a href="https://github.com/log2timeline/plaso/wiki/MacOS-Packaged-Release">MacOS</a>, <a href="https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release">Ubuntu</a>, <a href="https://github.com/log2timeline/plaso/wiki/Fedora-Core-Packaged-Release">Fedora Core</a> and <a href="https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release">Windows</a>.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you run into problems take a look at the</span></a><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration: none;"><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: </span><span style="background-color: transparent; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; vertical-align: baseline; white-space: pre-wrap;"><a href="mailto:log2timeline-discuss@googlegroups.com" style="color: #1155cc; text-decoration: none;">log2timeline-discuss@googlegroups.com</a> or <a href="https://github.com/log2timeline/plaso/issues/new">open an issue</a> on the tracker.</span></div>
<div>
<br /></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One other note - Richard Davis from the YouTube channel <a href="https://www.youtube.com/user/davisrichardg">13Cubed</a> recorded a short <a href="https://www.youtube.com/watch?v=JZGfhd1PNhU">introduction to Plaso</a>. While it was produced with Heimdall in mind, it's still largely applicable to this most recent release. If you're looking for a quickstart guide, it's worth a watch.</span></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-13893966587952204852017-11-20T09:23:00.002-08:002017-12-31T04:15:29.132-08:00Plaso 20171118<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso 20171118 released</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Just a quick note to say that the Plaso development team has just released a new Plaso version, fixing a couple of small issues and adding a parser for Sophos Antivirus SAV logs. </span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Development update</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One other change we’ve made is to switch to GitHub code review, moving away from </span><a href="https://codereview.appspot.com/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Rietveld</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The updated pull request </span><a href="https://github.com/log2timeline/plaso/blob/master/.github/PULL_REQUEST_TEMPLATE.md" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">template</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> has the details on how this works.</span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Where/how to get Plaso 20171118?</span></h1>
<span id="docs-internal-guid-9d588997-da74-7f23-0791-55688f9ce49a"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">See Plaso's</span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration-line: none;"><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span><span style="color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">and if you run into problems take a look at the</span></a><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration-line: none;"><span style="background-color: white; color: black; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: </span><a href="mailto:log2timeline-discuss@googlegroups.com" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">log2timeline-discuss@googlegroups.com</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">.</span></span></div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com0tag:blogger.com,1999:blog-6424586675749229382.post-9218922310150732902017-10-02T06:14:00.000-07:002017-10-02T06:15:25.276-07:00Drink joyful the good mead - Plaso 20170930 Heimdall released<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 1pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Himinbiörg is the eighth, where Heimdall,</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 1pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">it is said, rules o'er the holy fanes:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 1pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">there the gods' watchman, in his tranquil home,</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 1pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">drinks joyful the good mead</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://en.wikipedia.org/wiki/Benjamin_Thorpe" style="text-decoration: none;"><span style="background-color: white; color: #0b0080; font-family: "arial"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Thorpe, Benjamin</span></a><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (Trans.) (1866) </span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 9.5pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Elder Edda of Saemund Sigfusson</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: 9.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<b id="docs-internal-guid-e2e158b9-ba7b-0699-d89c-7422e4f42659" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Plaso development team is very pleased to announce the release of Plaso Heimdall, featuring a greatly increased version number. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Heimdall was the watchman of the gods in the Norse pantheon, and we’ve been keeping a careful eye on our development and testing processes. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It’s been a little longer than we’d like between releases, so let’s talk about what’s been going on.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img height="272" src="https://lh4.googleusercontent.com/xePU7Ou5Tmb6eOY5yAQ8ujNvX46WefCoNjY13-A08TZXWZD8_aL0BxS6Ke6nZlEksmEaa80O-07MTmZEz_rKxRiXI3Bkv--TMWv7HwJP1y34j-T7IhtW8y2eDkFBRBcrMgXNodbg" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="300" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<span style="background-color: white; color: #767676; font-family: "times new roman"; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“Heimdall on the Rainbow Bridge” by Emil Doepler (1905)</span></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What’s changed since Plaso 1.5, Gna?</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As foreshadowed above, we’ve switched to a date-based version format. Part of the reason for doing this is to enable more frequent smaller releases. Rather than having to manually switch version numbers in a file, we can promote a build from a test repository to stable, and we’re done. Look forward to more frequent releases in the near future.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This theme of under-the-hood changes and development improvements continues throughout the work that we’ve been doing. Along with the usual squashing of bugs and performance tweaks, we’ve overhauled the way that events are represented internally, via the creation of the <a href="https://github.com/log2timeline/dfdatetime">dfDateTime</a> library and the EventData object hierarchy.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/log2timeline/dfdatetime">dfDateTime </a>allows for the preservation of timestamp precision, as well as more sophisticated comparisons between different timestamps. The EventData change is a prerequisite for moving Plaso’s backend storage to a relational (SQL-like) backend. We’ve already started work on an SQLite storage implementation, and we’re going to focus more on this code immediately after release. We're going to start to give events a bit more structure, as the <a href="https://github.com/log2timeline/dfkinds">dfKinds</a> project takes shape.</span></div>
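<p>To illustrate what preserving precision buys, here is an added example that is not dfDateTime code: a small Timestamp class (its name and API are this example's own) keeps an exact value together with the granularity of its source format, next to the lossy representation of a single integer of microseconds since the epoch, which is what Plaso used before dfDateTime. Two FILETIME values 100 nanoseconds apart collapse to the same microsecond but still compare as distinct and correctly ordered, while a whole-second syslog time and a FILETIME compare as the same instant at the coarser of the two precisions. The sample values are constructed.</p>

```python
"""A precision-preserving timestamp next to the lossy microsecond integer.

Added example; it does not use the dfdatetime library. Class and method
names are invented for illustration.
"""
from dataclasses import dataclass
from fractions import Fraction

# Offset between the FILETIME epoch (1601-01-01) and the POSIX epoch
# (1970-01-01), in 100-nanosecond intervals.
FILETIME_EPOCH_DELTA = 116444736000000000


@dataclass(frozen=True)
class Timestamp:
    """Exact seconds since the POSIX epoch plus the source's granularity."""
    seconds: Fraction      # exact value, no rounding
    precision: Fraction    # smallest step the source format can express

    @classmethod
    def from_posix(cls, value):
        """Whole-second POSIX time, e.g. from a syslog line."""
        return cls(Fraction(value), Fraction(1))

    @classmethod
    def from_filetime(cls, value):
        """Windows FILETIME: 100-nanosecond intervals since 1601-01-01."""
        return cls(Fraction(value - FILETIME_EPOCH_DELTA, 10**7),
                   Fraction(1, 10**7))

    def to_microseconds(self):
        """The lossy form: a single integer of microseconds (truncated)."""
        return int(self.seconds * 10**6)

    def same_instant(self, other):
        """True when both agree at the coarser of the two precisions."""
        coarse = max(self.precision, other.precision)
        return (self.seconds // coarse) == (other.seconds // coarse)


def demo():
    """Constructed values around 2017-09-30 00:00:00 UTC (POSIX 1506729600)."""
    posix = Timestamp.from_posix(1506729600)
    ticks = 1506729600 * 10**7 + FILETIME_EPOCH_DELTA
    ft_a = Timestamp.from_filetime(ticks + 1)   # +100 ns
    ft_b = Timestamp.from_filetime(ticks + 2)   # +200 ns
    return {
        # The microsecond integer cannot tell the two FILETIMEs apart...
        "same_microseconds": ft_a.to_microseconds() == ft_b.to_microseconds(),
        # ...but the exact representation still distinguishes and orders them.
        "ft_a_same_as_ft_b": ft_a.same_instant(ft_b),
        "ft_a_before_ft_b": ft_a.seconds < ft_b.seconds,
        # A one-second syslog time matches the FILETIME at second precision.
        "posix_same_as_ft_a": posix.same_instant(ft_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for timeline work is that two sources can only be ordered relative to each other at the precision both actually carry; flattening everything to one integer hides both the true ordering of fine-grained sources and the uncertainty of coarse ones.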
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Another under-the-hood change was the modification of the preprocessor to use the<a href="https://github.com/ForensicArtifacts/artifacts"> Forensic Artifacts</a> library, to make this area of the codebase simpler and more extensible. We’re looking to expand our use of artifacts in the near future as well.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To support our (hopefully) increased release cadence, we’ve also invested a bunch of effort in automated testing. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On top of that, we have had time to add some new features:</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New features</span></h2>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New parsers and plugins</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New contributor <a href="https://github.com/rbdebeer">rbdebeer</a> has added a <a href="https://github.com/rbdebeer/plaso/blob/master/plaso/parsers/amcache.py">parser for Amcache</a> information on Windows.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As systemd continues to be adopted by more and more Linux distributions, we’ve added a parser for the <a href="https://github.com/rbdebeer/plaso/blob/master/plaso/parsers/systemd_journal.py">binary Systemd journal</a>.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ChromeOS syslog support, courtesy of new contributor <a href="https://github.com/jnettesheim">jnettesheim</a>.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/dc3-plaso">DC3</a> contributed SQLite database schema matching in SQLite plugins, to highlight situations where an application's SQLite schema may have changed.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/B3n7s">B3n7s</a> added support for Shield authentication in the Elasticsearch output module.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The EventData change mentioned above made it possible to implement merged MACB output in the <a href="https://github.com/log2timeline/plaso/blob/master/plaso/output/l2t_csv.py">l2tcsv output module</a>. This reduces the noise from file timestamp updates significantly, and resolves a longstanding issue.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/log2timeline/plaso/blob/master/tools/psteal.py">Psteal.py</a> is a new Plaso frontend that simplifies the most common Plaso use case: processing an image and producing human-readable output. Essentially, psteal runs log2timeline and then psort immediately afterwards.</span></div>
</li>
</ul>
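<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">The schema-matching item above is easier to picture with a small worked example. The code below is an added illustration and is not Plaso's or DC3's code: it reads the table definitions a SQLite database actually contains from <code>sqlite_master</code> and diffs them against the schema a plugin was written for, so that an application upgrade which added, dropped or altered a table is flagged instead of being silently mis-parsed. <code>EXPECTED_SCHEMA</code>, the sample CREATE statements and the function names are all constructed for this example.</div>

```python
"""Schema matching for SQLite databases handled by parser plugins.

Added example, not Plaso's or DC3's code. It compares the schema a plugin
was written against with the schema actually found in a database, the
idea behind the schema-matching change described in the release notes.
EXPECTED_SCHEMA and the sample CREATE statements are constructed; the
function names are assumptions for this example.
"""
import sqlite3

# Schema a hypothetical messaging-app plugin was written against (constructed).
EXPECTED_SCHEMA = {
    "messages": "CREATE TABLE messages (id INTEGER PRIMARY KEY, ts INTEGER, body TEXT)",
    "contacts": "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)",
}


def normalize_sql(sql):
    """Collapse runs of whitespace so cosmetic differences are not reported."""
    return " ".join(sql.split())


def read_schema(connection):
    """Return {table_name: normalized CREATE statement} from sqlite_master."""
    rows = connection.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE type = 'table' AND sql IS NOT NULL"
    ).fetchall()
    return {name: normalize_sql(sql) for name, sql in rows}


def compare_schema(expected, actual):
    """Report tables missing from, added to, or changed in the database."""
    expected = {name: normalize_sql(sql) for name, sql in expected.items()}
    common = set(expected) & set(actual)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "changed": sorted(name for name in common if expected[name] != actual[name]),
    }


def schema_matches(diff):
    """True when the database schema is exactly the one the plugin expects."""
    return not any(diff.values())


def check_database(create_statements):
    """Build an in-memory database from constructed statements and diff it."""
    connection = sqlite3.connect(":memory:")
    try:
        for sql in create_statements:
            connection.execute(sql)
        return compare_schema(EXPECTED_SCHEMA, read_schema(connection))
    finally:
        connection.close()


if __name__ == "__main__":
    # Same schema the plugin expects; only the whitespace differs.
    print(check_database([
        "CREATE TABLE messages (id INTEGER PRIMARY KEY,\n    ts INTEGER, body TEXT)",
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)",
    ]))
    # An application upgrade added a column and a table and dropped contacts.
    print(check_database([
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, ts INTEGER, body TEXT, sender TEXT)",
        "CREATE TABLE attachments (id INTEGER PRIMARY KEY, path TEXT)",
    ]))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Whitespace is normalised before comparing because SQLite keeps the CREATE statement text largely as it was typed, so two byte-identical table layouts can still differ in line breaks. A "changed" table is the interesting case for an examiner: the plugin may still run, but column positions or meanings may no longer be what it assumes.</div>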
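<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">To show what the merged MACB output in the list above actually does to a timeline, here is an added example that is not Plaso's l2tcsv module: four file-system timestamp events that share a timestamp and refer to the same file are collapsed into one row whose MACB column records which of the Modified, Accessed, Changed and Born timestamps fired. The timestamp descriptions follow Plaso's naming but are assumptions here, and the events are constructed sample data.</div>

```python
"""Merged MACB rows, in the spirit of the l2tcsv change described above.

Added example, not Plaso's l2tcsv output module. Events that share a
timestamp, source and filename and carry one of the four file-system
timestamp descriptions are merged into a single row with an MACB column.
The descriptions below mirror Plaso's conventions but are assumptions for
this example; the sample events are constructed.
"""
from collections import OrderedDict

# Maps a file-system timestamp description to its MACB letter.
MACB_LETTERS = OrderedDict([
    ("Content Modification Time", "M"),
    ("Last Access Time", "A"),
    ("Metadata Modification Time", "C"),
    ("Creation Time", "B"),
])


def macb_string(descriptions):
    """Build the 4-character MACB column, '.' for timestamps not present."""
    present = set(descriptions)
    return "".join(letter if desc in present else "."
                   for desc, letter in MACB_LETTERS.items())


def merge_macb(events):
    """Collapse MACB events with equal (timestamp, source, filename) into one row.

    Events whose timestamp_desc is not a MACB timestamp (a log line, say) are
    passed through unchanged with a '....' MACB column. Rows come back sorted
    by timestamp, source and filename.
    """
    groups = OrderedDict()
    for event in events:
        desc = event["timestamp_desc"]
        base = (event["timestamp"], event["source"], event["filename"])
        if desc in MACB_LETTERS:
            key = base + ("MACB",)
        else:
            # id(event) keeps unrelated events apart even if all else matches.
            key = base + (desc, id(event))
        groups.setdefault(key, []).append(desc)

    rows = []
    for key, descs in groups.items():
        timestamp, source, filename, desc = key[:4]
        rows.append({
            "timestamp": timestamp,
            "MACB": macb_string(descs),
            "source": source,
            "filename": filename,
            "timestamp_desc": desc,
        })
    rows.sort(key=lambda row: (row["timestamp"], row["source"], row["filename"]))
    return rows


def sample_events():
    """Constructed events: report.docx has B, M and C at one timestamp, A later."""
    doc = "/Users/alice/report.docx"
    return [
        {"timestamp": 1000000, "timestamp_desc": "Creation Time", "source": "FILE", "filename": doc},
        {"timestamp": 1000000, "timestamp_desc": "Content Modification Time", "source": "FILE", "filename": doc},
        {"timestamp": 1000000, "timestamp_desc": "Metadata Modification Time", "source": "FILE", "filename": doc},
        {"timestamp": 2000000, "timestamp_desc": "Last Access Time", "source": "FILE", "filename": doc},
        {"timestamp": 1000000, "timestamp_desc": "Creation Time", "source": "FILE", "filename": "/Users/alice/notes.txt"},
        {"timestamp": 1000000, "timestamp_desc": "Written Time", "source": "LOG", "filename": "/var/log/system.log"},
    ]


def demo():
    """Six events in, four rows out: the three report.docx events at 1000000 merge."""
    return merge_macb(sample_events())


if __name__ == "__main__":
    for row in demo():
        print(row["timestamp"], row["MACB"], row["source"], row["filename"])
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">The merge key deliberately excludes the timestamp description, so a file whose creation, modification and metadata-change times coincide (a freshly copied file, typically) becomes one "M.CB" row instead of three. A later access shows up as its own ".A.." row, which is the signal an examiner usually wants to see on its own.</div>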
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 16pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we broke this time</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In previous versions of Plaso, we’ve advised that new releases might not be backwards-compatible with storage files generated with older versions of log2timeline. In a slight change, we can be quite categorical about Heimdall: it does not support old storage files at all. Expect this to continue in future releases as well, until the SQLite storage and dfkinds support have matured.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’ve noticed some inconsistency in the number of LNK and shell item events. We’re investigating this issue at present, and it appears to originate in one of Plaso’s dependencies. If you notice any discrepancies with these parsers, double-check the error output (pinfo.py -v) to see if Plaso ran into any issues processing the relevant files.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In one minor tweak, the -o alias for --offset disappears for log2timeline.py. You’ll have to add a few more characters to your command lines. We've also stopped providing a binary build for 32-bit versions of Windows, so if for some reason you need to run Plaso on a Pentium III, you'll have to build all the dependencies yourself.</span><br />
<br /></div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we’re planning next</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Of course, time moves ever forward, and we have a bunch of changes in the pipeline:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’ve heard from a few folks that getting started in the code review process was a bit too intimidating, so we’re going to try out some changes: switching to GitHub’s code review process and adding more GitHub-integrated automated checkers.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A big overhaul of the storage subsystem is imminent, with much of the pre-work having been completed. A beta <a href="https://github.com/log2timeline/plaso/blob/master/plaso/storage/sqlite_file.py">SQLite based store</a> is already in the codebase. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Enhancing <a href="https://github.com/ForensicArtifacts/artifacts">Forensic Artifacts</a> integration. Our plan is to add an artifact based collection filter, to make targeted timeline generation speedier.</span></div>
</li>
</ul>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 20pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Where/how to get Plaso Heimdall?</span></h1>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">See Plaso's </span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and if you run into problems take a look at the </span><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration: none;"><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: </span><a href="mailto:log2timeline-discuss@googlegroups.com" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">log2timeline-discuss@googlegroups.com</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One particular note: Plaso is now distributed as two separate .deb files for Ubuntu and other Debian-like systems. Make sure to install the plaso-tools package as well as python-plaso.</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<div>Daniel White</div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">Plaso User Survey 2016</h1>
<div>2016-09-23</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">Happy weekend everyone! If you're looking to wind down from the work week, we have some great suggestions. </span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
First of all, you can check out this great Gná release logo, which unfortunately arrived a little after the packaged versions were ready:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><span style="margin-left: auto; margin-right: auto;"><a href="https://goo.gl/forms/CVuYNSeIZYRyo7HR2"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMvbNgjNO9jJsPBFSce4wHhZhi2dMJpk-0UfdfQQJFj3xcalZTYhGwQE8_90R71e3SyHuCYWwLKPMkDlpjiLrnyHMzFVRduBi0Cn5dwUMsL1ZiaEKa2J1UTgQ_1aTq6TFwvSJztUEK5rk/s320/onager.png" width="320" /></a></span></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Produced by <a href="https://www.fiverr.com/astarotte">astarotte</a></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
Secondly, right at the end of the Gná release announcement, we mentioned a <a href="https://goo.gl/forms/CVuYNSeIZYRyo7HR2">user survey</a>. In case you missed it, you should totally fill it out - it's a fun and fulfilling Friday activity. You can fill it out here: <a href="https://goo.gl/forms/CVuYNSeIZYRyo7HR2">https://goo.gl/forms/CVuYNSeIZYRyo7HR2</a></div>
<br />
As well as being a fun time, you'll also help make sure that Plaso develops in the most useful way for everyone.<br />
<h3 style="text-align: left;">
So far...</h3>
<div>
<br /></div>
<div>
Some slightly interesting interim numbers from the response so far:</div>
<div>
<ul style="text-align: left;">
<li>60% of respondents are running on Ubuntu Linux</li>
<li>Most respondents use non-internet-connected (air-gapped) machines to run Plaso</li>
<li>Windows client machines are the most commonly analyzed systems</li>
<li><a href="http://forensicswiki.org/wiki/L2T_CSV">l2tcsv</a> is the most commonly used output module, not the default dynamic format</li>
</ul>
<div>
<br /></div>
</div>
<div>
We're going to run the survey until October 1, then crunch the numbers and share the results!</div>
<div>
<br /></div>
<div>
Happy <a href="https://goo.gl/forms/CVuYNSeIZYRyo7HR2">survey</a>-completing, and have a great weekend!</div>
</div>
<div>Daniel White</div>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">What flies there? What fares there? Or moves through the air? Plaso 1.5 - Gná released</h1>
<div>2016-09-18</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="line-height: 1.38; margin-bottom: 1pt; margin-left: 18pt; margin-top: 18pt; text-align: left;">
<dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">A <a href="https://en.wikipedia.org/wiki/Vanir">Vanir</a> asked:</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">"What flies there?</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">What fares there?</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">or moves through the air?"</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">Gná replied:</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">"I fly not</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">though I fare</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">and move through the air</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; margin-right: 0px;">on Hofvarpnir"</dd><dd style="background-color: white; color: #252525; font-family: sans-serif; font-size: 14px; font-weight: normal; margin-bottom: 0.1em; margin-left: 1.6em; 
margin-right: 0px;">[<a href="https://en.wikipedia.org/wiki/Prose_Edda">The Prose Edda</a>, Penguin Classics]</dd></h2>
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26.666666666666664px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Version 1.5 - Gná released</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Plaso development team is overjoyed to announce the release of Plaso 1.5, codenamed Gná. </span></div>
<b id="docs-internal-guid-fcd757d9-3cdb-33b5-d97e-9758f12b41f9" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As befits a messenger goddess, Gná brings word of new additions to Plaso, as well as resolving some long-standing challenges to help drive the tool forwards. She rides a flying horse, Hófvarpnir, which, while not as cool as a <a href="http://blog.kiddaland.net/2016/01/sprinkling-morning-dew-and-summer.html">chariot pulled by cats</a>, is still pretty nifty.</span></div>
<img height="281" src="https://lh4.googleusercontent.com/EGQd2PKEKcZKjv5ARXdnSTnLrbngZ3L2xT9ElX261zE1DnOQrZ6aELmUaiV4P9qr1Poi7ZUUbChU-7ZcHahyczQ-My5AEvcp2EiKJsGn2rH5mChjKLVqOVFosRb4WEFA_ZNo9GQt" style="border: none; font-family: arial; font-size: 21.3333px; transform: rotate(0rad); white-space: pre-wrap;" width="499" /><br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[Source: </span><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; font-style: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="http://nenethomas.com/" style="text-decoration: none;">http://nenethomas.com/</a>]</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As with previous releases, Plaso Gná is packed with new features, changes to the core and improved stability and reliability. Now for the juicy details!</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What has changed since Plaso 1.4, Freya?</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Gná brings with it a bunch of under-the-hood changes. The biggest of these is a change to </span><a href="https://github.com/log2timeline/l2tdocs/blob/master/design/Design%20proposal%20-%20phased%20processing.asciidoc" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">task-oriented processing</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. This change lets Plaso use much less memory during processing, and avoids a lot of potential pitfalls with concurrency and reliability. These changes should be pretty transparent to most users of Plaso.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As </span><a href="http://blog.kiddaland.net/2016/01/sprinkling-morning-dew-and-summer.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">foreshadowed </span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">in the Freyja release, ZeroMQ is now the default queue implementation used by Plaso. Again, this change should be mostly invisible to most users, but sets us up for scaling Plaso beyond one machine.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The </span><a href="https://github.com/log2timeline/plaso/blob/master/plaso/output/elastic.py" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">ElasticSearch output plugin</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> has received some attention from <a href="https://github.com/berggren">@berggren</a>, with improved reliability and support for raw field output. Gná will be a bit nicer for those using </span><a href="http://diftdisk.blogspot.ch/2016/06/viewing-log2timeline-output-with-kibana.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Kibana and ElasticSearch to investigate timelines</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One final under-the-hood change is the addition of initial support for </span><a href="https://github.com/google/dotty" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Efilter</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Efilter is a flexible query and filter engine that supports transforming queries between languages, which opens up some interesting possibilities for making queries against Plaso stores faster. Thanks to </span><a href="https://github.com/the80srobot" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">@the80srobot</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> for help getting this integration to happen.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New features</span></h2>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">New parsers and plugins</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Thanks to new contributor </span><a href="https://github.com/MacleodKen" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">@MacleodKen</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, Gná has parsers for Kik and iMessage databases from iOS devices (and MacOS, in the case of iMessage).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso now also parses Twitter iOS databases, thanks to new contributor </span><a href="https://github.com/aguilajesus" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">@aguilajesus</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.6667px; font-style: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/rgayon" style="text-decoration: none;">@rgayon</a> </span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">has added a parser for Docker log and config files, bringing Plaso into the exciting new world of containerization and “the cloud”. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso Gná now parses events from Zsh history files, to help reconstruct user activity.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://github.com/dc3-plaso">DC3</a> have added several Windows Registry plugins, creating more useful events for networks, network drives and the </span><a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/winreg_plugins/winlogon.py" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Winlogon</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> key.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We also have <a href="https://github.com/dc3-plaso">DC3</a> to thank for the KML output plugin, to enable visualizing Plaso events that have a location component.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The RecycleBin parser has been updated to support the different $I file format used by Windows 10.</span></div>
</li>
</ul>
</ul>
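<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Windows 10 change mentioned above is to the $I metadata files in $Recycle.Bin: Vista through 8.1 store the original path in a fixed 520-byte buffer (version 1), while Windows 10 prefixes a variable-length path with its character count (version 2). The parser below, an added example and not Plaso’s own code, handles both layouts and rejects truncated input. The two sample $I files it parses are constructed in the script, not taken from a real system; the paths, sizes and deletion time are arbitrary.</span></div>

```python
"""Added example, not Plaso's own code: parse Windows Recycle Bin $I files.

When a file is deleted to the Recycle Bin, Windows records its metadata in an
$I<random> file. Two layouts are in use (all fields little-endian):

  Vista - 8.1 (version 1)                Windows 10 (version 2)
  0x00 uint64 version = 1                0x00 uint64 version = 2
  0x08 uint64 original file size         0x08 uint64 original file size
  0x10 uint64 deletion time (FILETIME)   0x10 uint64 deletion time (FILETIME)
  0x18 UTF-16-LE path, fixed 520 bytes   0x18 uint32 path length in UTF-16
                                              characters (incl. terminator)
                                         0x1C UTF-16-LE path, variable length
"""
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_V1_PATH_BYTES = 520  # 260 UTF-16 characters (MAX_PATH)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; only used to build the constructed samples."""
    delta = when - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_recycle_bin_i_file(data):
    """Return (version, original_size, deletion_time, original_path).

    Raises ValueError on truncated data or an unknown version so that a caller
    walking a whole $Recycle.Bin tree can skip a damaged file instead of
    silently emitting a bogus event.
    """
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + _V1_PATH_BYTES]
        if len(raw_path) != _V1_PATH_BYTES:
            raise ValueError("truncated version 1 path buffer")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (char_count,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + char_count * 2]
        if len(raw_path) != char_count * 2:
            raise ValueError("truncated version 2 path")
    else:
        raise ValueError("unsupported $I version: {0:d}".format(version))
    # Both layouts NUL-terminate the path; keep only the text before the NUL.
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return version, size, filetime_to_datetime(filetime), path


# --- constructed sample files (not taken from a real system) ------------------
_DELETED_AT = datetime(2016, 1, 23, 3, 19, 0, tzinfo=timezone.utc)  # arbitrary


def build_v1_sample(path, size, when):
    name = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", 1, size, datetime_to_filetime(when))
    return header + name.ljust(_V1_PATH_BYTES, b"\x00")


def build_v2_sample(path, size, when):
    name = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(when), len(path) + 1)
    return header + name


SAMPLE_V1 = build_v1_sample("C:\\Users\\alice\\Documents\\notes.txt", 1234, _DELETED_AT)
SAMPLE_V2 = build_v2_sample("C:\\Users\\alice\\Downloads\\invoice.exe", 73728, _DELETED_AT)

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        version, size, when, path = parse_recycle_bin_i_file(sample)
        print("v{0:d} {1:s} {2:d} bytes {3:s}".format(version, when.isoformat(), size, path))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The deletion time is the timeline-relevant value here; the original path and size are what let you tie the $I record back to the matching $R file that holds the content.</span></div>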
<ul style="margin-bottom: 0pt; margin-top: 0pt;"><ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At long last, you can now add NSRL data to your Plaso timeline, to help filter out irrelevant events. The nsrlsvr analysis plugin tags events in a timeline by querying an </span><a href="https://rjhansen.github.io/nsrlsvr/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">nsrlsvr</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance. </span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Yara</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso now supports matching file content with <a href="http://virustotal.github.io/yara/">Yara</a> rules. Point --yara-rules-path to a file of Yara rules when you run log2timeline, and Plaso will set the yara_match attribute on events from any file whose content matches the rules.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SQLite WAL parsing</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Courtesy of <a href="https://github.com/dc3-plaso">DC3</a>, Plaso’s SQLite parser (and thus all the SQLite plugins) now supports reading SQLite Write-Ahead Log files. Committed transactions sit in the -wal file until SQLite checkpoints them into the main database file, so reading the WAL recovers events that a parser given only the main database file would miss.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Syslog</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/syslog.py">Syslog</a> and <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/selinux.py">SELinux</a> parsers have been completely rewritten to improve speed, and expand coverage to different syslog formats.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Syslog parser now supports plugins, enabling more meaningful processing of events from applications that log via syslog. At present, there are plugins for logs generated by <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/syslog_plugins/ssh.py">ssh</a> and <a href="https://github.com/log2timeline/plaso/blob/master/plaso/parsers/syslog_plugins/cron.py">cron</a>. If there are other apps that log to syslog that you’d like to see Plaso process, please create an issue, or send in some code!</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Psort</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Psort has been migrated to the same task-oriented processing model that log2timeline uses, which allows for more intuitive behaviour. It’s no longer necessary to run psort once to tag a storage file, and again to get the tags in the output: running psort with an analysis plugin now includes the results in any output.</span></div>
</li>
</ul>
</ul>
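<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To see why the SQLite WAL support matters, the following added example (not Plaso’s code) builds a small history database in WAL mode, checkpoints three rows into the main file, commits two more that stay in the -wal file, and then counts what a reader sees when given the main file alone versus the main file with its -wal beside it. The table layout and URLs are constructed for the demonstration, not taken from any real browser profile.</span></div>

```python
"""Added example, not Plaso's own code: what the -wal file adds to a SQLite parse.

SQLite in WAL mode appends each committed transaction to <database>-wal and only
copies those pages into the main database file at a checkpoint. An examiner (or
parser) given the main file alone never sees rows that were committed but not
yet checkpointed; given the -wal file beside it, SQLite replays them on open.
"""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample rows, not from a real browser profile.
CHECKPOINTED_ROWS = [
    ("https://example.com/", 1453500000),
    ("https://example.com/login", 1453500060),
    ("https://example.com/account", 1453500120),
]
WAL_ONLY_ROWS = [
    ("https://download.invalid/update.exe", 1453500900),
    ("https://example.com/logout", 1453500960),
]


def count_history_rows(db_path):
    """Open a copy of the database and return the number of rows in history."""
    # Opened read/write on purpose: SQLite may need to create the -shm file and
    # recover the WAL. Never do this on original evidence, only on copies.
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM history").fetchone()[0]
    finally:
        conn.close()


def compare_with_and_without_wal():
    """Return (rows seen without the -wal file, rows seen with it)."""
    workdir = tempfile.mkdtemp(prefix="plaso-wal-demo-")
    try:
        db_path = os.path.join(workdir, "history.sqlite")
        wal_path = db_path + "-wal"
        conn = sqlite3.connect(db_path, isolation_level=None)  # explicit BEGIN/COMMIT
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("PRAGMA wal_autocheckpoint=0")  # no automatic checkpoints
        conn.execute(
            "CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT, visit_time INTEGER)")
        conn.execute("BEGIN")
        conn.executemany(
            "INSERT INTO history (url, visit_time) VALUES (?, ?)", CHECKPOINTED_ROWS)
        conn.execute("COMMIT")
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # three rows now in the main file
        conn.execute("BEGIN")
        conn.executemany(
            "INSERT INTO history (url, visit_time) VALUES (?, ?)", WAL_ONLY_ROWS)
        conn.execute("COMMIT")  # two rows exist only in history.sqlite-wal

        # Copy while the writer is still open: closing the last connection
        # checkpoints and deletes the WAL, just as a clean shutdown on a live
        # host would. Acquiring a disk image or a running profile directory
        # is the realistic equivalent of this snapshot.
        alone = os.path.join(workdir, "main_only")
        with_wal = os.path.join(workdir, "main_and_wal")
        os.mkdir(alone)
        os.mkdir(with_wal)
        shutil.copy(db_path, os.path.join(alone, "history.sqlite"))
        shutil.copy(db_path, os.path.join(with_wal, "history.sqlite"))
        shutil.copy(wal_path, os.path.join(with_wal, "history.sqlite-wal"))
        conn.close()

        return (count_history_rows(os.path.join(alone, "history.sqlite")),
                count_history_rows(os.path.join(with_wal, "history.sqlite")))
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    without_wal, with_wal = compare_with_and_without_wal()
    print("rows without -wal: {0:d}, rows with -wal: {1:d}".format(without_wal, with_wal))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The practical consequence: when collecting SQLite databases by hand, always grab the -wal (and -journal) files next to them, or the most recent activity, which is usually the most interesting, never reaches the timeline.</span></div>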
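<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The syslog plugin model described above, as an added example rather than Plaso’s own implementation: a generic parser splits each classic syslog line into timestamp, hostname, reporter, pid and body, then hands the body to a plugin registered for that reporter (sshd and CRON here), falling back to a generic event when no plugin claims the line. The event field names and the sample log lines are constructed for this example; the message formats matched are the standard OpenSSH and cron ones.</span></div>

```python
"""Added example, not Plaso's own code: a syslog parser with per-reporter plugins.

A generic parser handles the line framing; reporter-specific plugins turn the
message body into a more meaningful event. Lines from reporters without a
plugin still become generic syslog events, so nothing is dropped.
"""
import re
from datetime import datetime

# "Mon DD HH:MM:SS hostname reporter[pid]: body". The classic syslog timestamp
# has no year, so the caller supplies one (Plaso estimates it from file metadata).
_SYSLOG_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<reporter>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")

_SSH_ACCEPTED = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<source_ip>\S+) port (?P<port>\d+)")
_SSH_FAILED = re.compile(
    r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<source_ip>\S+) "
    r"port (?P<port>\d+)")
_CRON_COMMAND = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<command>.*)\)$")


def ssh_plugin(body):
    """Turn sshd message bodies into login / failed-login events."""
    match = _SSH_ACCEPTED.match(body)
    if match:
        return dict(match.groupdict(), data_type="syslog:ssh:login")
    match = _SSH_FAILED.match(body)
    if match:
        return dict(match.groupdict(), data_type="syslog:ssh:failed_login")
    return None  # some other sshd message; caller falls back to a generic event


def cron_plugin(body):
    """Turn CRON command bodies into task-run events."""
    match = _CRON_COMMAND.match(body)
    if match:
        return dict(match.groupdict(), data_type="syslog:cron:task_run")
    return None


# Plugin registry keyed by the syslog reporter name (hypothetical names).
PLUGINS = {"sshd": ssh_plugin, "CRON": cron_plugin}


def parse_syslog(lines, year):
    """Return a list of event dicts, one per recognised syslog line."""
    events = []
    for line in lines:
        match = _SYSLOG_LINE.match(line)
        if not match:
            continue  # a production parser would record the unparsed line as a warning
        fields = match.groupdict()
        timestamp = datetime.strptime(
            "{0:d} {1:s} {2:s} {3:s}".format(
                year, fields["month"], fields["day"], fields["time"]),
            "%Y %b %d %H:%M:%S")
        event = {
            "timestamp": timestamp,
            "hostname": fields["hostname"],
            "reporter": fields["reporter"],
            "pid": int(fields["pid"]) if fields["pid"] else None,
        }
        plugin = PLUGINS.get(fields["reporter"])
        specific = plugin(fields["body"]) if plugin else None
        if specific is None:
            specific = {"data_type": "syslog:line", "body": fields["body"]}
        event.update(specific)
        events.append(event)
    return events


# Constructed sample lines, not from a real host.
SAMPLE_LINES = [
    "Jan 22 07:54:32 workstation sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:AAAA",
    "Jan 22 07:55:01 workstation CRON[1300]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan 22 07:55:10 workstation sshd[1240]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40022 ssh2",
    "Jan 22 07:56:00 workstation systemd[1]: Started Daily apt download activities.",
]

if __name__ == "__main__":
    for event in parse_syslog(SAMPLE_LINES, 2016):
        print(event["timestamp"].isoformat(), event["data_type"], event)
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Structured fields such as source_ip and user are what make the plugin worthwhile: once they exist, tagging or filtering failed logins by source address is a simple query rather than a regex over free text.</span></div>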
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we broke this time</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In previous versions of Plaso, we’ve advised that new releases might not be backwards-compatible with storage files generated by older versions of log2timeline.py. In a slight change, we can be quite categorical about Gná: it does not support old storage files at all. Expect this to continue in future releases as well.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Some of the core changes we’ve made have necessitated some user-visible changes. One you’ll run into very early on is that psort no longer writes to standard output by default. Use the -w option to write the output to a file instead. So if you're used to:</span><br />
<span style="background-color: transparent; color: black; font-family: "courier new" , "courier" , monospace; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">psort.py storage.plaso > output.txt</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> you'll have to do </span><span style="background-color: transparent; color: black; font-family: "courier new" , "courier" , monospace; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">psort.py -w output.txt storage.plaso</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instead.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Due to the task processing refactor mentioned above, log2timeline will use a bit more disk space during processing than previously. If this causes you problems, try out the new --temporary_directory flag. Point it to faster storage (SSD, RAMDisk) to improve processing speed, or a volume with more capacity if you’re running out of space.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we’re planning next</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Gná brings a lot of changes, but we have even more in store. In the next Plaso release, we plan further core changes to the way Plaso stores event information internally. That groundwork will enable a more substantial change to how Plaso stores all of its results, to dramatically improve performance and expressiveness.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The other big change will be greatly improved support for </span><a href="https://github.com/ForensicArtifacts/artifacts" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">forensic artifacts</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, again improving expressiveness, while also improving what Plaso can report about the data it’s analyzing.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Where to get Plaso 1.5?</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">See Plaso's</span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">and if you run into problems take a look at the</span></a><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration: none;"><span style="background-color: white; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: white; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: 
baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: </span><a href="mailto:log2timeline-discuss@googlegroups.com" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">log2timeline-discuss@googlegroups.com</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For those investigators running Plaso on systems without internet access, we’ve added a guide for running Plaso from a Docker container, which is a handy way to bundle all of Plaso’s requirements in a single place. Check out the instructions here: </span><a href="https://github.com/log2timeline/plaso/wiki/Installing-with-docker" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://github.com/log2timeline/plaso/wiki/Installing-with-docker</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One more thing</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">While we hear or read a lot of anecdotes about how people use Plaso (often when it's misbehaving), we’d really like to get a better idea of the features people use, to work out where we should focus our development efforts. To that end, we’ve made a </span><a href="https://goo.gl/forms/3KZCBMlGnUgBnX0D2" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">survey </span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">to help us work this out. If you could fill it out, it’d be a great boon for the whole project. </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: black; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">Before raising issues and asking questions, please read the </span><a href="https://github.com/log2timeline/plaso/wiki/Troubleshooting" style="text-decoration: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 14.6667px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">troubleshooting documentation</span></a><span style="color: black; font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">. Your question may very well be answered there.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That’s all for now, happy investigating!</span></div>
</div>
Daniel Whitehttp://www.blogger.com/profile/15601329906814633318noreply@blogger.com2tag:blogger.com,1999:blog-6424586675749229382.post-80155937965991293782016-01-23T03:19:00.003-08:002016-01-23T04:17:33.162-08:00Sprinkling morning dew and summer sunlight - Plaso 1.4 Freya released!<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 34.666666666666664px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Sprinkling morning dew and summer sunlight</span></div>
<b id="docs-internal-guid-499da010-6dff-15cb-680f-a546e1a7ebe5" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">“Freyja flew over the earth, sprinkling morning dew and summer sunlight behind her. She shook spring flowers from her golden hair and wept tears which turned to gold or to amber at sea.” [<a href="http://www.valkyrietower.com/freyja.html">http://www.valkyrietower.com/freyja.html</a>]</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h1 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 20pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 26.666666666666664px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Version 1.4 - Freyja released</span></h1>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Plaso development team is excited to announce the release of Plaso 1.4, codenamed </span><a href="https://simple.wikipedia.org/wiki/Freyja" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Freyja</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Appropriately, Freyja is the deity associated with fertility, love, war and prophecy - most auspicious for a new release, and a new year! </span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">She also rides in a chariot pulled by cats, which is pretty nifty.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="freya__s_nyan_cat_drawn_carriage_by_daggerravionfall-d4hjku1.jpg" height="269" src="https://lh3.googleusercontent.com/t9tecIhGj5tyyX7-fvKfThK4JtsTTqZ8gVnMzaeNsFva4L283jiHl8OSBUZkhHWAGfvh_sDFW-o8yuqkuakZko-9i8Ae9RoSZ0YAMpG7Qx_7Hv5LpPXDpFmJgbEt6JzePtJvMAi7" style="border: none; transform: rotate(0rad);" width="602" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[Source: <a href="http://daggerravionfall.deviantart.com/art/Freya-s-Nyan-cat-drawn-carriage-271331641">http://daggerravionfall.deviantart.com/art/Freya-s-Nyan-cat-drawn-carriage-271331641</a>]</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As with previous releases, Plaso Freyja is packed with new features, changes to the core and improved stability and reliability. Now for the juicy details!</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What's changed since <a href="http://blog.kiddaland.net/2015/07/bringing-end-to-sorrow-new-plaso-release.html">Plaso 1.3, Eir</a></span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 21.3333px; line-height: 1.38; white-space: pre-wrap;">New features</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Parsers for $MFT and the NTFS USN change journal</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso now integrates with </span><a href="https://github.com/libyal/libfsntfs" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">libfsntfs</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, which enables direct extraction of NTFS metadata. In Freyja, Plaso includes $MFT and USN change journal parsers. We’ll add more NTFS metadata handling in future versions, so stay tuned.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Docker file</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A docker file, for creating Plaso docker containers, was added in Freyja by new contributor </span><a href="https://github.com/rgayon" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">rgayon</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. We’ve been experimenting with containerizing Plaso, and it looks like there’s some interesting potential here. Look for more changes and guides here soon, and integration with </span><a href="https://github.com/google/turbinia" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Turbinia</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ZeroMQ</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Plaso now integrates ZeroMQ for transferring data between the extraction and storage processes. This functionality is still experimental in Freyja, but we’re planning to make ZeroMQ the default for future Plaso releases.</span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">File content hashing is now on by default</span></div>
</li>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: circle; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As detailed in a <a href="http://blog.kiddaland.net/2015/08/new-features-in-plaso-13-hashing.html">previous blog</a>, hashing is now enabled by default. </span></div>
</li>
</ul>
<li dir="ltr" style="background-color: transparent; color: black; font-size: 14.6667px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-499da010-6e08-1f59-e80e-436421d7fd05"><span style="font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-family: "arial";">Keeping track of exactly what Plaso is doing at any given moment is difficult with the scrolling (linear) view of status information. To make this a bit easier, the window status view is now on by default on non-Windows operating systems. log2timeline will now look like this:</span></span></span></div>
<div class="separator" style="clear: both; font-family: Arial; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixk0W2ytR2O9SfX7EymBvXtupUgWJkeiqPK3SNTCPP-M7CB_-zi4Yb9TX-eWf75Oxnx_o6ibI89nCgJtZPK8h8c3INcUVwcZTnAOHbl1LYHKuWZAjZFgNtgmIxx7LqQdWTwrlkJR_f_B8/s1600/window+view.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixk0W2ytR2O9SfX7EymBvXtupUgWJkeiqPK3SNTCPP-M7CB_-zi4Yb9TX-eWf75Oxnx_o6ibI89nCgJtZPK8h8c3INcUVwcZTnAOHbl1LYHKuWZAjZFgNtgmIxx7LqQdWTwrlkJR_f_B8/s640/window+view.PNG" width="640" /></a></div>
<span style="font-family: "arial";">and not this:</span><div class="separator" style="clear: both; font-family: Arial; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJpZyvZ1u7z-XxtZUSROqraCGWOL3a4SqdHF4Izz8eRZVJEhC_HmKxIr9njaTTWoQn4jI-Ft9AyKsg8Xc4EgprrdboKwwOrlcev_5G46Z7LFIR4npqJOVXyvFSKISUvorpASwdUR2Y7M4/s1600/linear+view.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJpZyvZ1u7z-XxtZUSROqraCGWOL3a4SqdHF4Izz8eRZVJEhC_HmKxIr9njaTTWoQn4jI-Ft9AyKsg8Xc4EgprrdboKwwOrlcev_5G46Z7LFIR4npqJOVXyvFSKISUvorpASwdUR2Y7M4/s640/linear+view.PNG" width="640" /></a></div>
<span style="font-family: "arial";"> If you prefer the old behavior, just run log2timeline with </span><span style="font-family: "courier new" , "courier" , monospace;">--status_view linear</span><span style="font-family: "arial";">, and your terminal will quickly fill with happy scrolling messages.</span></li>
</ul>
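<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Added example (not Plaso code; Plaso's own $MFT and USN parsers build on libfsntfs): a stand-alone Python parser for the USN_RECORD_V2 entries that make up $UsnJrnl:$J, run over a constructed journal fragment. It shows what the USN change journal gives an investigator that the $MFT alone cannot: the 64-bit file reference split into MFT entry and sequence number, the FILETIME of each change, and the reason flags that let you reconstruct a file's create, write and delete history after the file itself is gone. The journal bytes, file name and MFT entry numbers are made up for the example.</span></div>

```python
"""Minimal parser for NTFS USN change journal ($UsnJrnl:$J) USN_RECORD_V2 entries.

Added example, not Plaso code. Record layout follows USN_RECORD_V2 in winioctl.h.
"""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from winioctl.h (subset; unknown bits are reported as hex).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
_KNOWN_MASK = sum(USN_REASONS)  # the flags are distinct bits, so sum == bitwise OR

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset. The UTF-16LE name follows at FileNameOffset.
_HEADER = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def split_file_reference(reference):
    """An NTFS file reference is a 48-bit MFT entry number plus a 16-bit sequence number."""
    return reference & 0xFFFFFFFFFFFF, reference >> 48


def decode_reasons(reason):
    names = [name for flag, name in sorted(USN_REASONS.items()) if reason & flag]
    unknown = reason & ~_KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def parse_usn_journal(data):
    """Walk $J data from a record boundary; returns one dict per record, in journal order."""
    records = []
    offset = 0
    while offset + _HEADER.size <= len(data):
        (record_length, major, minor, file_ref, parent_ref, usn, filetime, reason,
         _source_info, _security_id, attributes, name_length, name_offset) = \
            _HEADER.unpack_from(data, offset)
        if record_length == 0:
            # $J is sparse: zero-filled regions separate live records. Records are
            # 8-byte aligned, so step to the next boundary and look again.
            offset += 8
            continue
        if (major, minor) != (2, 0):
            raise ValueError(f"unsupported USN record version {major}.{minor} at {offset:#x}")
        if record_length < _HEADER.size or offset + record_length > len(data):
            raise ValueError(f"bad record length {record_length} at {offset:#x}")
        name_start = offset + name_offset
        name = data[name_start:name_start + name_length].decode("utf-16-le")
        entry, sequence = split_file_reference(file_ref)
        parent_entry, parent_sequence = split_file_reference(parent_ref)
        records.append({
            "usn": usn,  # the USN is the record's byte offset within $J
            "timestamp": filetime_to_datetime(filetime),
            "file_name": name,
            "mft_entry": entry,
            "sequence": sequence,
            "parent_mft_entry": parent_entry,
            "parent_sequence": parent_sequence,
            "attributes": attributes,
            "reasons": decode_reasons(reason),
        })
        offset += record_length  # RecordLength already includes the alignment padding
    return records


def build_usn_record(usn, timestamp, file_ref, parent_ref, reason, name):
    """Encode one USN_RECORD_V2; used here only to construct the sample journal."""
    name_bytes = name.encode("utf-16-le")
    length = _HEADER.size + len(name_bytes)
    padded = (length + 7) & ~7
    header = _HEADER.pack(padded, 2, 0, file_ref, parent_ref, usn,
                          datetime_to_filetime(timestamp), reason, 0, 0, 0x20,
                          len(name_bytes), _HEADER.size)
    return header + name_bytes + b"\x00" * (padded - length)


def constructed_journal():
    """Constructed $J fragment (made-up MFT numbers and times): a dropped executable
    is created, written and closed, then deleted five minutes later."""
    t0 = datetime(2016, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
    parent = (1 << 48) | 0x2A    # sequence 1, entry 0x2A: the Downloads directory
    target = (3 << 48) | 0x1F3   # sequence 3, entry 0x1F3: evil.exe
    data = b""
    data += build_usn_record(len(data), t0, target, parent, 0x100, "evil.exe")
    data += build_usn_record(len(data), t0 + timedelta(seconds=2), target, parent,
                             0x100 | 0x2 | 0x80000000, "evil.exe")
    data += b"\x00" * 16  # a sparse gap, as real journals contain
    data += build_usn_record(len(data), t0 + timedelta(minutes=5), target, parent,
                             0x200 | 0x80000000, "evil.exe")
    return data


if __name__ == "__main__":
    for rec in parse_usn_journal(constructed_journal()):
        print(rec["timestamp"].isoformat(), rec["mft_entry"], rec["file_name"], rec["reasons"])
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Running the block prints the three events. parse_usn_journal expects raw $J data starting at a record boundary (for example the $J data stream exported from an image); a real $J begins with a very large sparse region, which this simple 8-byte stepping skips correctly but slowly. The deletion record is the interesting one: the MFT entry number plus sequence number still identifies the file after its entry has been reused, which is why the USN journal pairs so well with the $MFT parser.</span></div>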
<ul style="margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<li style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A new parser for client-local SCCM logs, courtesy of </span><a href="https://github.com/8u1a" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">8u1a</span></a></div>
</li>
<li style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A new Windows Registry plugin to handle the </span><a href="https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Windows Explorer ProgramsCache</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> key, which records program execution data</span></div>
</li>
<li style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">An XLSX output module, for writing events directly to a file readable with Microsoft Excel, thanks to </span><a href="https://github.com/dc3-plaso" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">DC3</span></a></div>
</li>
<li style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="http://forensicswiki.org/wiki/LNK#Metadata">Distributed link tracking</a> support in the winlnk parser</span></div>
</li>
<li style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 14.6667px; vertical-align: baseline;">The Windows Registry handling functionality has been moved to a separate submodule and will continue as </span><a href="https://github.com/log2timeline/dfwinreg" style="font-family: 'Times New Roman'; font-size: medium; line-height: 22.08px; text-decoration: none; white-space: normal;"><span style="color: #1155cc; font-family: "arial"; font-size: 14.6667px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">a stand-alone Python module</span></a><span style="font-size: 14.6667px; vertical-align: baseline;"> after Freyja. This should make it easier to create one-off scripts that need to access the Windows Registry (for example, the scripts in </span><a href="https://github.com/libyal/winreg-kb" style="font-family: 'Times New Roman'; font-size: medium; line-height: 22.08px; text-decoration: none; white-space: normal;"><span style="color: #1155cc; font-family: "arial"; font-size: 14.6667px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">winreg-kb</span></a><span style="font-size: 14.6667px; vertical-align: baseline;">).</span></span></div>
</li>
</ul>
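<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Added example for the SCCM parser item above (this is not Plaso's sccm parser): the client-local SCCM logs under %windir%\CCM\Logs use the CMTrace entry format &lt;![LOG[message]LOG]!&gt;&lt;time="HH:MM:SS.mmm+ZZZ" date="MM-DD-YYYY" component="..." context="" type="N" thread="N" file="..."&gt;, where type 1, 2 and 3 mean info, warning and error, and a message may span several lines. The parser below converts the local time plus offset suffix to UTC and pulls out the command lines that execmgr.log records for every package launch, which is the artifact an incident responder usually wants from these logs. The three entries are constructed, and treating the offset suffix as minutes east of UTC (so -420 means UTC-7) is an assumption, flagged again in the code.</span></div>

```python
"""Parser for client-side SCCM (CCM) log entries such as ccmexec.log or execmgr.log.

Added example, not Plaso's sccm parser.
"""
import re
from datetime import datetime, timedelta, timezone

# One entry: <![LOG[message]LOG]!><time="HH:MM:SS.mmm+ZZZ" date="MM-DD-YYYY" ...>
# Messages can contain newlines, hence DOTALL and the non-greedy message group.
_ENTRY = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>\d{2}:\d{2}:\d{2}\.\d+)(?P<offset>[+-]\d+)"'
    r'\s+date="(?P<date>\d{2}-\d{2}-\d{4})"'
    r'\s+component="(?P<component>[^"]*)"'
    r'\s+context="(?P<context>[^"]*)"'
    r'\s+type="(?P<type>\d+)"'
    r'\s+thread="(?P<thread>\d+)"'
    r'\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)

SEVERITY = {1: "info", 2: "warning", 3: "error"}


def parse_entry_time(date_text, time_text, offset_text):
    """Combine the local date/time with the offset suffix and return UTC.

    ASSUMPTION: the suffix is minutes east of UTC, as in ISO 8601 (e.g. -420 for
    UTC-7). Verify against a known event on the host before relying on it."""
    fraction = time_text.split(".")[1]
    if len(fraction) > 6:
        time_text = time_text[:-(len(fraction) - 6)]  # strptime %f takes at most 6 digits
    local = datetime.strptime(f"{date_text} {time_text}", "%m-%d-%Y %H:%M:%S.%f")
    tz = timezone(timedelta(minutes=int(offset_text)))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def parse_sccm_log(text):
    events = []
    for match in _ENTRY.finditer(text):
        type_code = int(match["type"])
        events.append({
            "timestamp_utc": parse_entry_time(match["date"], match["time"], match["offset"]),
            "component": match["component"],
            "severity": SEVERITY.get(type_code, f"type{type_code}"),
            "thread": int(match["thread"]),
            "source_file": match["file"],
            "message": match["message"],
        })
    return events


def find_errors(events):
    return [event for event in events if event["severity"] == "error"]


def executed_commands(events):
    """execmgr.log records each package/program launch; return the command lines."""
    prefix = "Executing command line:"
    return [event["message"][len(prefix):].strip() for event in events
            if event["component"] == "execmgr" and event["message"].startswith(prefix)]


# Constructed sample modelled on real ccmexec.log / execmgr.log lines (not a capture).
SAMPLE_LOG = r'''<![LOG[Successfully submitted event to the Status Agent.]LOG]!><time="10:15:32.123-420" date="01-15-2016" component="InventoryAgent" context="" type="1" thread="4220" file="inventoryagent.cpp:1234">
<![LOG[Failed to connect to management point MP01. Error 0x87d00231]LOG]!><time="10:16:05.001-420" date="01-15-2016" component="CcmExec" context="" type="3" thread="1808" file="ccmexec.cpp:42">
<![LOG[Executing command line: "C:\Windows\ccmcache\a1\setup.exe" /quiet
with working directory C:\Windows\ccmcache\a1]LOG]!><time="10:17:40.500-420" date="01-15-2016" component="execmgr" context="" type="1" thread="2036" file="scriptexecution.cpp:7">
'''


if __name__ == "__main__":
    parsed = parse_sccm_log(SAMPLE_LOG)
    for event in parsed:
        print(event["timestamp_utc"].isoformat(), event["severity"], event["component"],
              event["message"].splitlines()[0])
    print("executed:", executed_commands(parsed))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Because the regular expression is anchored on the ]LOG]!&gt;&lt;time= boundary rather than on line ends, the multi-line execmgr entry is parsed as one event with the full command line, which is what you want when correlating a software deployment with prefetch or $MFT events from the same minute.</span></div>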
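<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Added example for the distributed link tracking item above (this is not Plaso's winlnk parser): what the tracker data in a shortcut is worth forensically. The LNK TrackerDataBlock holds the NetBIOS name of the machine the target lived on and two pairs of object identifiers, the current ones and the "birth" ones assigned when the target first got an object ID. Those identifiers are RFC 4122 version 1 UUIDs, so each embeds the MAC address of the generating machine and the time it was generated, and a birth volume that differs from the current volume shows the target was moved or copied across volumes. The block builds a constructed TrackerDataBlock (hostname, MAC, volume GUIDs and times are all made up) and decodes it with Python's uuid module.</span></div>

```python
"""Decode the LNK TrackerDataBlock (distributed link tracking) and the v1 UUIDs in it.

Added example, not Plaso's winlnk parser. Layout per MS-SHLLINK 2.5.10: BlockSize (0x60),
BlockSignature (0xA0000003), Length (0x58), Version (0), MachineID[16], Droid (volume,
file GUID), DroidBirth (volume, file GUID). GUIDs are stored in little-endian form.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_BLOCK_SIZE = 0x60
TRACKER_SIGNATURE = 0xA0000003
_BLOCK = struct.Struct("<IIII16s16s16s16s16s")
_UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 time origin


def describe_droid(guid):
    """Object IDs are version 1 UUIDs: node = MAC of the generating NIC, time = when generated."""
    if guid.version != 1:
        return {"version": guid.version, "mac": None, "mac_is_random": None, "generated": None}
    node = guid.node
    return {
        "version": 1,
        "mac": ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8)),
        # Multicast bit of the first octet set means no NIC was used; the node is random.
        "mac_is_random": bool(node & (1 << 40)),
        # guid.time counts 100 ns intervals since the UUID epoch.
        "generated": _UUID_EPOCH + timedelta(microseconds=guid.time // 10),
    }


def parse_tracker_block(data):
    size, signature, _length, _version, machine_id, dv, df, bv, bf = _BLOCK.unpack_from(data)
    if size != TRACKER_BLOCK_SIZE or signature != TRACKER_SIGNATURE:
        raise ValueError(f"not a TrackerDataBlock: size={size:#x} signature={signature:#x}")
    droid_volume, droid_file = uuid.UUID(bytes_le=dv), uuid.UUID(bytes_le=df)
    birth_volume, birth_file = uuid.UUID(bytes_le=bv), uuid.UUID(bytes_le=bf)
    return {
        "machine_id": machine_id.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "droid_volume": droid_volume,
        "droid_file": droid_file,
        "birth_volume": birth_volume,
        "birth_file": birth_file,
        # Birth IDs are fixed when the object ID is first assigned; a different current
        # volume means the target was moved or copied to another volume afterwards.
        "moved_between_volumes": droid_volume != birth_volume,
        "file_origin": describe_droid(birth_file),
    }


# Helpers below exist only to construct the sample block.

def make_v1_uuid(generated, node, clock_seq):
    delta = generated - _UUID_EPOCH
    t = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return uuid.UUID(fields=(
        t & 0xFFFFFFFF,                      # time_low
        (t >> 32) & 0xFFFF,                  # time_mid
        (1 << 12) | ((t >> 48) & 0x0FFF),    # version 1 | time_hi
        0x80 | ((clock_seq >> 8) & 0x3F),    # RFC 4122 variant | clock_seq_hi
        clock_seq & 0xFF,
        node,
    ))


def build_tracker_block(machine_id, droid_volume, droid_file, birth_volume, birth_file):
    return _BLOCK.pack(TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0,
                       machine_id.encode("ascii").ljust(16, b"\x00"),
                       droid_volume.bytes_le, droid_file.bytes_le,
                       birth_volume.bytes_le, birth_file.bytes_le)


def constructed_block():
    """Constructed sample: the shortcut target was created on host wks-alice (made-up MAC
    00:11:22:33:44:55) at 2015-12-01 12:00 UTC and later moved to a different volume."""
    created = datetime(2015, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    birth_volume = uuid.UUID("7d6c4a9f-2b3e-4c1d-9a8b-5f6e7d8c9b0a")
    birth_file = make_v1_uuid(created, 0x001122334455, 0x1A2B)
    current_volume = uuid.UUID("0f1e2d3c-4b5a-4978-8796-a5b4c3d2e1f0")
    current_file = make_v1_uuid(created + timedelta(days=3), 0x001122334455, 0x1A2C)
    return build_tracker_block("wks-alice", current_volume, current_file, birth_volume, birth_file)


if __name__ == "__main__":
    info = parse_tracker_block(constructed_block())
    print(info["machine_id"], info["moved_between_volumes"], info["file_origin"])
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The recovered MAC address and generation time are independent of anything the user can edit in the shortcut itself, which is why they are useful for tying a LNK file, and the machine that created its target, to DHCP leases or network captures from the same period. Check mac_is_random before relying on the address: a set multicast bit means the generating host had no usable NIC and the node is meaningless.</span></div>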
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we broke this time</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Freyja release may not be compatible with storage files produced by previous versions. We recommend re-processing your original source data with Freyja, to take advantage of the new features and bug fixes.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The PCAP parser has been disabled. Unfortunately, the parser's current design caused excessive memory consumption. Our plan is to deprecate it and remove it permanently in 1.5 unless people are very passionate about having this functionality. Let us know on </span><a href="https://github.com/log2timeline/plaso/issues/386" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">this issue</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and we always </span><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; white-space: pre-wrap;">welcome </span><a href="https://github.com/log2timeline/plaso/wiki/Developers-Guide" style="font-family: arial; font-size: 14.6667px; line-height: 1.38; white-space: pre-wrap;">contributions</a><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; white-space: pre-wrap;">.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; vertical-align: baseline; white-space: pre-wrap;">The parser class hierarchy has changed slightly to accommodate the new data stream support (NTFS alternate data streams and HFS forks). As a consequence, any parsers in active development will need small changes. If you're working on something, please reach out to the developers mailing list (</span><a href="mailto:log2timeline-dev@googlegroups.com" style="font-family: Arial; font-size: 14.6667px; line-height: 1.38; white-space: pre-wrap;">log2timeline-dev@googlegroups.com</a><span style="font-family: "arial"; font-size: 14.6667px; line-height: 1.38; white-space: pre-wrap;">) and we can help you make the necessary changes.</span></div>
<div>
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you’ve been using your own custom tag files, you’ll have to change them slightly. To make things easier for frontends like <a href="http://www.timesketch.org/">Timesketch</a>, all tags are now strings made up of alphanumeric characters and underscores only. This means, for example, that the tag is now “application_execution” and not “Application Execution”.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What we’re planning next</span></h2>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Implementing </span><a href="https://github.com/log2timeline/plaso/issues/338" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">phased processing</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, to address the remaining multiprocessing and queuing issues and to help scale Plaso to multiple machines.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<a href="https://plusvic.github.io/yara/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">YARA</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> integration for flagging files that match signatures.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Continuing the integration of </span><a href="https://github.com/ForensicArtifacts/artifacts" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">artifacts</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> for preprocessing and presets, which did not make it this release but is getting closer.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As always, more parsers, parser plugins, and analysis plugins.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Improved multi-volume support (first up, <a href="https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)">LVM</a> and <a href="https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup">LUKS</a>). This didn’t quite make this release, but dfVFS LVM support is very close now.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Changes to our </span><a href="https://github.com/log2timeline/plaso/wiki/Codereview#how-it-works---github" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">development workflow</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, switching to Python helper scripts, to support those of you who wish to develop on Windows.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Migrating to a more powerful filtering language, </span><a href="https://github.com/google/dotty" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">efilter</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (aka dotty). </span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Where to get Plaso 1.4?</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">See Plaso's </span><a href="https://github.com/log2timeline/plaso/wiki/Users-Guide" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Users' Guide</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and if you run into problems take a look at the </span><a href="https://github.com/log2timeline/plaso/wiki/Installation-Problems" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Installation Problems</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> page on the Plaso wiki, to see if other people have seen the issue before. If nothing there helps, ask for help on the discuss mailing list: <a href="mailto:log2timeline-discuss@googlegroups.com">log2timeline-discuss@googlegroups.com</a>.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 21.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Closing notes by Kristinn, Mr. Super Timeline, Guðjónsson</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Most new beginnings are accompanied by an end, and this is certainly one of those. The change that I wanted to talk about today is an organizational one within the Plaso project. I’ve been driving the log2timeline project for around 7 years now, since its birth, back in 2009. I’ve seen this project go from just being myself playing with some Perl scripts to it becoming a widely used tool within the community, and then again after joining Google its rebirth with Plaso. This also allowed me to team up with other people like Daniel White and Joachim Metz and make Plaso what it currently is.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">However, things have changed since then, and with my current responsibilities I cannot devote as much time to the project as I used to (you may have noticed significantly fewer CLs from me lately). I also really want to give others the opportunity to shine and have therefore decided to step down as the main go-to person for log2timeline. I’m happy to announce that Daniel White has gracefully accepted the challenge to lead the project from now on. I’ll still be involved with the project, but mostly in the background, helping in deciding its direction. I’m very excited about this and I’m certain that Plaso is in good hands with Daniel and others.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I think the future is bright for Plaso. I’m super excited about the immediate future, which will bring integration of artifacts and changes in how we process data that will allow scaling up so that Plaso can be run in parallel on multiple machines, more emphasis on automated analysis, and SO MUCH more. Once those pieces are in place we can start better integrating the tool into other places, such as </span><a href="http://www.timesketch.org/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Timesketch</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://github.com/google/turbinia" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Turbinia</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, to name a few. There is still plenty of work to be done, that’s for sure.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As a closing note I would like to personally thank anyone who has provided me with advice, feedback, samples or code changes for both the Perl and Python versions of log2timeline… and I hope that people will continue to do so in the future. And who knows, maybe you’ll see a CL from me when time permits… and of course I’ll have to maintain the Plaso tradition of educating the world with more Icelandic sentences here and there:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<a href="https://en.wikiquote.org/wiki/Icelandic_proverbs" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Everyone's back is bare unless he has a brother</span></a><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (ber er hver að baki nema bróður sér eigi), that is to say, it is good to know that you have found someone who is willing to share the load and help out when times change</span></div>
<br /></div>
Daniel White (http://www.blogger.com/profile/15601329906814633318)
Timesketch 2015.12 (published 2015-12-23)<br />
<div>
<i><span style="font-family: Arial, Helvetica, sans-serif;">Timesketch is an open source tool for collaborative timeline analysis intended for digital forensics and incident response. Using sketches multiple collaborators can easily organize and concurrently analyze timelines. It supports adding rich annotations, comments and stars to add meaning to the raw data.</span></i></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">We are happy to announce a new version of Timesketch (2015.12 codename About Time). Apart from bug fixes this version is packed with new features that will make your analysis more efficient and fun!</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ7BkXufNTYqrWpGrDpcM9OE_aBqaZH1bPPWiweKRb4l8Av4B5aAZS-8ttYM3cJSInmIKrKr3CcpbilW6fm1_3vKXkPrfryqYnwnAyMGEx4spOnoVTGSHGg58ukOdlx71cDNqoVK4Wp6c/s1600/Overview2.png" imageanchor="1"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="417" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ7BkXufNTYqrWpGrDpcM9OE_aBqaZH1bPPWiweKRb4l8Av4B5aAZS-8ttYM3cJSInmIKrKr3CcpbilW6fm1_3vKXkPrfryqYnwnAyMGEx4spOnoVTGSHGg58ukOdlx71cDNqoVK4Wp6c/s640/Overview2.png" width="640" /></span></a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">
Fewer distractions in the UI</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;">The navigation sidebar is now gone to give more space for things that matter, e.g. the event list and the new charts. Navigation has been transformed into a tab list on the top of the page making it easy to move around in your sketches. The lists of sketches, timelines and saved views also have more information available.</span><br />
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">
Charts and aggregations</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;">To get more insight into your timelines it is valuable to be able to aggregate the search results and visualize the data. Timesketch aggregations do this for you and are perfect for exploratory analysis. Initially there are three aggregations available: data_type, histogram and heatmap.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">The data_type aggregation uses the data_type attribute from Plaso, giving you a really quick way to filter out events of a certain type.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQ1xjC5DY-0u-z4oBQ8MUqahfZasqzp1YxIDadNSjwUUSAGBf1c5I81ihJZhIey2VawzRtQIFrwUQhsLIyxlsIC10zY8zCX3aDqt7qGPNa8auGq4CAjKfhlOO63hVt96JJVSdRGxtGZs/s1600/data_type2.png" imageanchor="1"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUQ1xjC5DY-0u-z4oBQ8MUqahfZasqzp1YxIDadNSjwUUSAGBf1c5I81ihJZhIey2VawzRtQIFrwUQhsLIyxlsIC10zY8zCX3aDqt7qGPNa8auGq4CAjKfhlOO63hVt96JJVSdRGxtGZs/s640/data_type2.png" width="640" /></span></a><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<div class="graf--p" name="af6b">
<span style="font-family: Arial, Helvetica, sans-serif;">The heatmap aggregation calculates on which day of the week and at which hour events happened. This can be very useful e.g. when analyzing lateral movement or login events.</span></div>
<div class="graf--p" name="af6b">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="graf--p" name="af6b">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgteMiI6DK7VlqtXXh1Oo8Aacj8Zvr8IJsXGTatzpbzRTPc7XwJNqUeZkbPj9ihstPiNvxByz_Ags8ghSbm09OzGXr8OQJy9R4-IZnH51rlmkI9lmtHLXpkgWOkwPWOwm_Xpnfav8MjpU/s1600/Heatmap2.png" imageanchor="1"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgteMiI6DK7VlqtXXh1Oo8Aacj8Zvr8IJsXGTatzpbzRTPc7XwJNqUeZkbPj9ihstPiNvxByz_Ags8ghSbm09OzGXr8OQJy9R4-IZnH51rlmkI9lmtHLXpkgWOkwPWOwm_Xpnfav8MjpU/s640/Heatmap2.png" width="640" /></span></a></div>
<div class="graf--p" name="af6b">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="graf--p" name="0a98">
<span style="font-family: Arial, Helvetica, sans-serif;">There is also a classic histogram aggregation that shows you the number of events per day in the result.</span></div>
<div class="graf--p" name="0a98">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="graf--p" name="0a98">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAhmSUI8IEWHrpp0WpN2ddFJa41Kou3tcOuF2cpwSsOYvkSQmCJE7AUli_xv9-DHSMZTF4u4MxLnNA2kik3vnNSYe86uk1YcTKAaOlhd_vfo5CySP8n0Yp0f3kv1Gbso19s9L5WxM0-mw/s1600/Histogram2.png" imageanchor="1"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAhmSUI8IEWHrpp0WpN2ddFJa41Kou3tcOuF2cpwSsOYvkSQmCJE7AUli_xv9-DHSMZTF4u4MxLnNA2kik3vnNSYe86uk1YcTKAaOlhd_vfo5CySP8n0Yp0f3kv1Gbso19s9L5WxM0-mw/s640/Histogram2.png" width="640" /></span></a></div>
<div class="graf--p" name="0a98">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
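As an added example (not Timesketch's own code), here is how the three aggregations described above can be computed over a handful of constructed Plaso-style events; the event dictionaries, field values and the hotspot threshold are assumptions for illustration, and the heatmap is also collapsed per hour of day to show why a recurring off-hours slot stands out on a logon timeline.

```python
# Added example, not Timesketch's own code: the data_type, histogram and
# heatmap aggregations from the post, computed over constructed Plaso-style
# events so the logic can be run and checked offline.
from collections import Counter
from datetime import datetime

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample events (not real case data). The "datetime" and
# "data_type" keys mirror the attributes Plaso exports; times are UTC.
SAMPLE_EVENTS = [
    {"datetime": "2015-12-07T03:12:00", "data_type": "windows:evtx:record", "message": "Logon 4624 from WS01"},
    {"datetime": "2015-12-07T03:15:00", "data_type": "windows:evtx:record", "message": "Logon 4624 from WS02"},
    {"datetime": "2015-12-07T09:30:00", "data_type": "fs:stat", "message": "report.docx created"},
    {"datetime": "2015-12-08T03:05:00", "data_type": "windows:evtx:record", "message": "Logon 4624 from WS03"},
    {"datetime": "2015-12-09T14:00:00", "data_type": "syslog:line", "message": "sshd: Accepted publickey"},
    {"datetime": "2015-12-12T03:20:00", "data_type": "windows:evtx:record", "message": "Logon 4624 from WS04"},
]


def _timestamp(event):
    """Parse the ISO 8601 datetime attribute of one event."""
    return datetime.fromisoformat(event["datetime"])


def data_type_aggregation(events):
    """Events per Plaso data_type, most common first: the quick type filter."""
    return Counter(event["data_type"] for event in events).most_common()


def histogram_aggregation(events):
    """Number of events per calendar day, in date order."""
    per_day = Counter(_timestamp(event).date().isoformat() for event in events)
    return sorted(per_day.items())


def heatmap_aggregation(events):
    """7 x 24 grid of counts: grid[weekday][hour], weekday 0 is Monday."""
    grid = [[0] * 24 for _ in range(7)]
    for event in events:
        when = _timestamp(event)
        grid[when.weekday()][when.hour] += 1
    return grid


def hour_totals(grid):
    """Events per hour of day summed over all weekdays (the heatmap collapsed)."""
    return [sum(grid[day][hour] for day in range(7)) for hour in range(24)]


def heatmap_hotspots(grid, min_count=2):
    """Cells with at least min_count events, as (weekday, hour, count).

    On a logon timeline a hot cell in an off-hours slot is the kind of
    pattern the post mentions when analyzing lateral movement.
    """
    return [
        (WEEKDAYS[day], hour, grid[day][hour])
        for day in range(7)
        for hour in range(24)
        if grid[day][hour] >= min_count
    ]


def render_heatmap(grid):
    """Plain-text rendering of the grid, one row per weekday after a header."""
    header = "    " + " ".join(f"{hour:2d}" for hour in range(24))
    rows = [
        f"{WEEKDAYS[day]} " + " ".join(f"{count:2d}" if count else " ." for count in grid[day])
        for day in range(7)
    ]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    grid = heatmap_aggregation(SAMPLE_EVENTS)
    print(data_type_aggregation(SAMPLE_EVENTS))
    print(histogram_aggregation(SAMPLE_EVENTS))
    print(render_heatmap(grid))
    print("hotspots:", heatmap_hotspots(grid))
    print("events at 03:xx on any day:", hour_totals(grid)[3])
```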
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">
Hiding events from view</span></h3>
<div class="graf--p" name="684a">
<span style="font-family: Arial, Helvetica, sans-serif;">This has been a popular request and is all about reducing noise in your result views. You can now hit the little eye to hide events from the list making it possible to curate your views to emphasize the important things. But don’t worry, the events are still there and can be easily shown for those who want to see them. Just hit the big red button to show/hide the events.</span></div>
<div class="graf--p" name="684a">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="graf--p" name="684a">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYC8lfjELYonKu5rpUdpTWz5JLYv3yhyphenhyphenn2W3wbF3KAWyA2cp6VXj4PgPQ0wB4LLu_WFz1ZlQl4p5O4rCaiecmRJIYdo-GZUxn6-MDVyFOyjOfzdmuZ63RSO7MiqnsOMFYcsETyQinAj80/s1600/Hidden.png" imageanchor="1"><span style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYC8lfjELYonKu5rpUdpTWz5JLYv3yhyphenhyphenn2W3wbF3KAWyA2cp6VXj4PgPQ0wB4LLu_WFz1ZlQl4p5O4rCaiecmRJIYdo-GZUxn6-MDVyFOyjOfzdmuZ63RSO7MiqnsOMFYcsETyQinAj80/s640/Hidden.png" width="640" /></span></a></div>
<div class="graf--p" name="684a">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">
Basic search and filtering with URL parameters</span></h3>
<div class="graf--p" name="4556">
<span style="font-family: Arial, Helvetica, sans-serif;">Another popular request is to be able to link to a sketch with query and filter as request parameters. This is now possible and initially you can do basic filtering and queries. This is great if you want to dynamically create links to sketches from other applications without creating saved searches first.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<pre class="graf--pre" name="9dc0">/sketch/1/explore/?q=ssh&time_start=2015-01-01&time_end=2015-12-13</pre>
</div>
<div class="graf--p" name="4556">
<h3>
Visualize time jumps</h3>
<span style="font-family: Arial, Helvetica, sans-serif;">A common issue when analyzing timelines is being able to see at a glance where there are jumps in time, i.e. where the gap between two consecutive events is larger than a certain threshold, e.g. 1 day. This is now shown in Timesketch with what we call “time bubbles”. You will never find yourself getting distracted by time jumps in your timelines again!<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyNAVN6f1TiwdqQzirtZ5rZswczWDxfphfDdYxn7bo5VfY-j7Phlubeqq4D0ONdfYCWo1IhJfAUIWGf8n4v3g9tcmtZI22aqYIjCEG2VTXCDQ7lA5eM_O1RpDUzNvwbCBHOgCluliS4w/s1600/bubble.png" imageanchor="1"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyNAVN6f1TiwdqQzirtZ5rZswczWDxfphfDdYxn7bo5VfY-j7Phlubeqq4D0ONdfYCWo1IhJfAUIWGf8n4v3g9tcmtZI22aqYIjCEG2VTXCDQ7lA5eM_O1RpDUzNvwbCBHOgCluliS4w/s640/bubble.png" width="640" /></a></span></div>
<div class="graf--p" name="4556">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
</div>
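As an added example (not Timesketch's own code), the time-bubble rule above implemented over a constructed, deliberately unsorted Plaso-style event list: gaps are measured on the time-sorted list and a bubble is recorded wherever the gap exceeds the threshold; the event fields and the one-day default are assumptions for illustration.

```python
# Added example, not Timesketch's own code: find "time bubbles", i.e. gaps
# between consecutive events larger than a threshold, in a Plaso-style
# timeline, and render the timeline with a bubble line at each gap.
from datetime import datetime, timedelta

# Constructed sample timeline (not real case data), deliberately out of order
# to show that gaps are measured on the time-sorted event list.
SAMPLE_TIMELINE = [
    {"datetime": "2015-12-04T08:00:30", "message": "new service installed"},
    {"datetime": "2015-12-01T10:00:00", "message": "user login"},
    {"datetime": "2015-12-20T23:59:00", "message": "outbound connection"},
    {"datetime": "2015-12-01T10:05:00", "message": "file opened"},
    {"datetime": "2015-12-04T08:00:00", "message": "scheduled task created"},
]


def _timestamp(event):
    """Parse the ISO 8601 datetime attribute of one event."""
    return datetime.fromisoformat(event["datetime"])


def sort_by_time(events):
    """Return the events ordered oldest first, as the explore view lists them."""
    return sorted(events, key=_timestamp)


def find_time_bubbles(events, threshold_days=1):
    """Locate gaps larger than threshold_days between consecutive sorted events.

    Each bubble records the position (in the sorted list) of the first event
    after the gap, the gap itself as a timedelta, and the events on both sides.
    """
    threshold = timedelta(days=threshold_days)
    ordered = sort_by_time(events)
    bubbles = []
    for position in range(1, len(ordered)):
        before, after = ordered[position - 1], ordered[position]
        gap = _timestamp(after) - _timestamp(before)
        if gap > threshold:
            bubbles.append({"position": position, "gap": gap, "before": before, "after": after})
    return bubbles


def annotate_timeline(events, threshold_days=1):
    """Render the sorted timeline as text lines, inserting a bubble line at each gap."""
    ordered = sort_by_time(events)
    bubble_at = {b["position"]: b["gap"] for b in find_time_bubbles(ordered, threshold_days)}
    lines = []
    for position, event in enumerate(ordered):
        if position in bubble_at:
            lines.append(f"    ( {bubble_at[position]} gap )")
        lines.append(f"{event['datetime']}  {event['message']}")
    return lines


if __name__ == "__main__":
    print("\n".join(annotate_timeline(SAMPLE_TIMELINE)))
```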
<div class="graf--p" name="4556">
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Plaso tags as UI labels</span></h3>
<div class="graf--p" name="6587">
<span style="font-family: Arial, Helvetica, sans-serif;">Plaso has the ability to tag events during processing. These tags are now shown in the Timesketch UI as labels in the output. This makes it super fast to spot interesting events tagged by Plaso’s powerful analysis plugin system.</span></div>
<div class="graf--p" name="6587">
<br /></div>
<div class="graf--p" name="6587">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeolj6Q166KyB1J9LGT4nG05dpLSPJkRPIPNVL1Dd2XQOn-c1g4m7m_OA37YLzFLbcSwDlnrGlRV77hyxDtVWrPvaP5dyDav5N6G-HKRxaCaLeK7p0r-Lw8Z5LJ3IQgq6rtE-LRyIt4Q/s1600/tags.png" imageanchor="1"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIeolj6Q166KyB1J9LGT4nG05dpLSPJkRPIPNVL1Dd2XQOn-c1g4m7m_OA37YLzFLbcSwDlnrGlRV77hyxDtVWrPvaP5dyDav5N6G-HKRxaCaLeK7p0r-Lw8Z5LJ3IQgq6rtE-LRyIt4Q/s640/tags.png" width="640" /></a></div>
<div class="graf--p" name="6587">
<br /></div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">CSV importer</span></h3>
<div class="graf--p" name="6bb3">
<span style="font-family: Arial, Helvetica, sans-serif;">The control program for Timesketch, tsctl, can now ingest timelines in CSV format. This is much more efficient for large timelines compared to the JSON ingestion previously available. Adding timelines from sources other than Plaso is now much easier.</span></div>
<div class="graf--p" name="6bb3">
<br /></div>
<pre class="graf--pre" name="4cb2">$ tsctl csv2ts --file timeline.csv --name my_timeline</pre>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Other features added in this release</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;"><ul>
<li>Deleting a saved view can now be done by the sketch owner.</li>
<li>Export the result of your queries and filters into a CSV file.</li>
<li>You can now update a user’s password via tsctl.</li>
<li>The <a href="https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface">WSGI</a> program has moved into the Timesketch package, making it easier to serve Timesketch with a web server.</li>
<li>Newlines and formatting are preserved in event info and comments.</li>
</ul>
</span><h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Give it a spin over at the demo site</span></h3>
<div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">We have a demo installation of Timesketch up and running. You can reach it at <a href="https://demo.timesketch.org/">https://demo.timesketch.org/</a> and log in with demo/demo.</span></div>
<div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">To get you started, here are some saved searches showing off the features mentioned in this post:</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><ul>
<li><a href="https://demo.timesketch.org/sketch/34/explore/view/45/">Plaso tags in action</a></li>
<li><a href="https://demo.timesketch.org/sketch/34/explore/view/47/">Time bubbles for the win!</a></li>
<li><a href="https://demo.timesketch.org/sketch/34/explore/view/49/">Hidden events</a></li>
</ul>
</span><h4>
<span style="font-family: Arial, Helvetica, sans-serif;">How do I install or upgrade to the new release?</span></h4>
<div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">If you already have Timesketch installed and working, you just do:</span></div>
<pre class="graf--pre">$ sudo pip install timesketch --upgrade</pre>
<div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">If you need to install Timesketch from scratch, check out the <a href="https://github.com/google/timesketch/wiki/Installation">installation instructions</a> on the Timesketch wiki.</span></div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;">Sneak preview next release</span></h3>
<div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">The next release (2016.6, codenamed <a href="https://en.wikipedia.org/wiki/Kung_Fury">Kung Fury</a>) is planned to be released this coming summer. To follow along with which features are planned and what issues are being worked on, please see the <a href="https://github.com/google/timesketch/milestones/2016.6">2016.6 milestone page</a>.</span></div>
<h4>
<span style="font-family: Arial, Helvetica, sans-serif;">To give you a preview of what is coming in the summer of 2016</span></h4>
<span style="font-family: Arial, Helvetica, sans-serif;"><ul>
<li>Better ACL controls in the UI. This will make it possible to have private sketches with specific users as collaborators.</li>
<li>Better time filters that will make it more intuitive to filter on time ranges etc. Date pickers and multiple time ranges are what we are thinking about.</li>
<li>Last but not least, an initial experimental implementation of Timesketch Stories! A new way to work with forensic timelines which will make it possible to blend narrative and raw data.</li>
</ul>
</span><div class="graf--p">
<span style="font-family: Arial, Helvetica, sans-serif;">Stay tuned!<br />
— The Timesketch team</span></div>
</div>
Johan (http://www.blogger.com/profile/00180100096562632798)
New features in Plaso 1.3: Hashing (published 2015-08-20, updated 2015-08-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 17.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Introduction</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One of the features that we’ve added to Plaso in the 1.3 release is initial support for calculating file hashes. While there’s a lot more work to do to fully utilize the potential of file hashing, there are already some useful things you can do to make your forensic analysis more comprehensive or speedy.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 17.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What does it look like?</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here’s how you run log2timeline with hashing turned on:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<pre style="font-family: Consolas; font-size: 13.333333333333332px; white-space: pre-wrap;">➜ ~ log2timeline.py <b>--status_view window</b> <b>--hashers all</b> /tmp/hashing.plaso /tmp/test_directory
[INFO] Data files will be loaded from /usr/share/plaso by default.

Source path : /tmp/test_directory
Source type : directory

Processing started.

plaso - log2timeline version 1.3.0

Source path : /tmp/test_directory
Source type : directory

Identifier  PID    Status     Events  File
Collector   22026  completed
Worker_00   22024  sleeping   10 (0)  OS:/tmp/test_directory/test_pe.exe</pre>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Worker_01</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">22025</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sleeping</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">4 (0)</span><span 
style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/pivy.exe</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">StorageWriter</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">22023</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sleeping</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">14 
(0)</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b style="font-weight: normal;"><br /></b></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">All extraction workers completed - waiting for storage.</span></div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Processing completed.</span></div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Easy! Just add </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">--hashers all</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, or if you only want some hashers (currently we have SHA256, SHA1 and MD5), you can pass the names instead. I've also used the ‘window’ status view option here, which is new in version 1.3 and is especially handy for long Plaso runs.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once the hashes have been generated and stored in the storage file, you can use some analysis plugins to enrich or distill your data.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here’s a plugin to get a list of the unique files (with hashes) from the source:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">➜ ~ psort.py </span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>--analysis file_hashes</b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>--output-format null</b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> /tmp/hashing.plaso </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Data files will be loaded from /usr/share/plaso by default.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Starting analysis plugins.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Plugin: [file_hashes] started.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Output processing is done.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Processing data from analysis plugins.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Waiting for analysis plugin: file_hashes to complete.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Plugin file_hashes has completed.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] All analysis plugins are now completed.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Report generated from: file_hashes</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Generated on: 2015-08-20T08:53:40+00:00</span></div>
<b id="docs-internal-guid-77074160-4a6b-7b10-c240-f8b6c3d7a44e" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Report text:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Listing file paths and hashes</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/pivy.exe: md5_hash=4a7e0c6f7bf030bfc7382c7ad482b216 sha1_hash=ad11393854e6761d094213f910cd28404f03e850 sha256_hash=66696b7a51d1d7f71b17c170acef1f08e8ca7f5e73f6a2a4b37aa1b7f175c42c</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_driver.sys: md5_hash=a714a36e71e26c7011240e22cfd9c8ae sha1_hash=f01f95c90922998c963c765dd194f4976fdaa27c sha256_hash=891141f8e30708831e6cf3d482d8491b3b3fd3971b509b1ca6005c3d25833bbf</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_pe.exe: md5_hash=ab2e0a9184d2718995d3f41c70df7027 sha1_hash=46f83aab7d6e527b212cce2ba558901ffa96f4a4 sha256_hash=e2fef8c075ae07cf0370165accadfd8765db3797f0c523742c914f397e191d09</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/usr/lib/python2.7/dist-packages/plaso/lib/storage.py:866: UserWarning: Duplicate name: u'information.dump'</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> self._zipfile.writestr(stream_name, stream_data)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*********************************** Counter ************************************</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Stored Events : 28</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Events Included : 28</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Duplicate Removals : 16</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Total Reports : 1</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Report: file_hashes : 1</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Note the use of the ‘null’ output plugin to suppress event output, as we’re not interested in the events themselves at this point. Also, don't mind the warning here; it's just due to an update of the storage file to store the report. We're working on suppressing this message.</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
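<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To make the two analysis steps on this page concrete, here is an added Python 3 example (not Plaso's own code) that hashes every file once, attaches the digests to several constructed timeline events per file, collapses those events back to one record per path the way the file_hashes report does, and then tags only PE files with a detection count in the style of the virustotal plugin shown further down. The sample files, their names, the lookup table and the detection count 37 are constructed; the answer shape it expects (response_code, positives) is an assumption modelled on VirusTotal's v2 file/report response, and nothing here touches the network.</span></div>

```python
"""Added example: hashing + file_hashes / virustotal-style reports, offline.
Not Plaso's own code; the event layout and the lookup answers are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

HASHERS = ("md5", "sha1", "sha256")  # the three hashers the post mentions
CHUNK_SIZE = 1024 * 1024


def hash_file(path: str, hashers=HASHERS) -> Dict[str, str]:
    """Stream the file once and feed every hasher, so evidence is read a single time."""
    digests = {name: hashlib.new(name) for name in hashers}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def is_pe_file(path: str) -> bool:
    """Cheap PE check: the DOS stub starts with 'MZ'. Good enough to route files, not to parse them."""
    with open(path, "rb") as handle:
        return handle.read(2) == b"MZ"


def build_events(root: str) -> List[dict]:
    """Constructed stand-in for log2timeline output: one event per filesystem timestamp,
    each carrying the file's digests and an 'OS:' path specification."""
    events = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            hashes = {f"{k}_hash": v for k, v in hash_file(path).items()}
            stat = os.stat(path)
            for desc, ts in (("crtime", stat.st_ctime), ("mtime", stat.st_mtime), ("atime", stat.st_atime)):
                events.append({"pathspec": f"OS:{path}", "timestamp_desc": desc,
                               "timestamp": ts, "is_pe": is_pe_file(path), **hashes})
    return events


def unique_files(events: List[dict]) -> Dict[str, dict]:
    """Collapse the several events per file to one record keyed by path spec (what file_hashes does)."""
    seen: Dict[str, dict] = {}
    for event in events:
        seen.setdefault(event["pathspec"], event)
    return dict(sorted(seen.items()))


def file_hashes_report(events: List[dict]) -> List[str]:
    """Same line format as the file_hashes report text on this page."""
    return [f"{p}: md5_hash={e['md5_hash']} sha1_hash={e['sha1_hash']} sha256_hash={e['sha256_hash']}"
            for p, e in unique_files(events).items()]


def virustotal_report(events: List[dict], lookup: Dict[str, dict]) -> List[str]:
    """Tag each unique PE file. `lookup` maps sha256 -> a dict shaped like a VirusTotal v2
    file/report answer (assumption); here it is a constructed table, so no API key or network."""
    lines = []
    for pathspec, event in unique_files(events).items():
        if not event["is_pe"]:
            continue  # the plugin only submits Windows executables (PE files)
        answer = lookup.get(event["sha256_hash"], {"response_code": 0})
        if answer.get("response_code") == 1:
            lines.append(f"{pathspec}: VirusTotal Detections {answer['positives']}")
        else:
            lines.append(f"{pathspec}: Unknown to VirusTotal")
    return lines


def demo() -> dict:
    """Build a constructed test directory (three files), run both reports and return them."""
    root = tempfile.mkdtemp(prefix="plaso_hash_demo_")
    samples = {"sample_pe.exe": b"MZ" + b"abc",          # constructed "known bad" PE
               "sample_driver.sys": b"MZ" + b"x" * 64,   # constructed PE, unknown to the lookup
               "notes.txt": b"abc"}                      # not a PE, never looked up
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(data)
    events = build_events(root)
    # Constructed answers keyed by SHA-256: one hit with 37 detections, everything else unknown.
    lookup = {hash_file(os.path.join(root, "sample_pe.exe"))["sha256"]:
              {"response_code": 1, "positives": 37, "total": 57}}
    result = {"root": root, "events": events,
              "file_hashes": file_hashes_report(events),
              "virustotal": virustotal_report(events, lookup)}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    out = demo()
    print("\n".join(out["file_hashes"]))
    print("\n".join(out["virustotal"]))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The design point worth copying is the same one Plaso makes: digest the content once at extraction time, attach the digests to every event that comes from that file, and let the analysis plugins work from the stored digests rather than re-reading the evidence, so a report can be reproduced from the storage file alone and a lookup service only ever sees hashes, never the files.</span></div>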
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now let’s have a look at something a little more interesting. Also new in 1.3 is an analysis plugin that checks the hashes of all Windows executable files (well, all PE files) in VirusTotal:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">➜ ~ psort.py </span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>--analysis virustotal --virustotal-api-key <redacted></b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> --output-format null /tmp/hashing.plaso </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Data files will be loaded from /usr/share/plaso by default.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Starting analysis plugins.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Plugin: [virustotal] started.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Starting new HTTPS connection (1): www.virustotal.com</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Output processing is done.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Processing data from analysis plugins.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[WARNING] virustotal may take a long time to run. It will not be automatically terminated.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Waiting for analysis plugin: virustotal to complete.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Plugin virustotal has completed.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] All analysis plugins are now completed.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Report generated from: virustotal</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Generated on: 2015-08-20T08:54:29+00:00</span></div>
<b id="docs-internal-guid-77074160-4a6b-ff3b-99dc-514b779a8eab" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Report text:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">virustotal hash tagging Results</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/pivy.exe: VirusTotal Detections 37</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/pivy.exe: VirusTotal Detections 37</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_driver.sys: Unknown to VirusTotal</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_driver.sys: Unknown to VirusTotal</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_pe.exe: Unknown to VirusTotal</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OS:/tmp/test_directory/test_pe.exe: Unknown to VirusTotal</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">/usr/lib/python2.7/dist-packages/plaso/lib/storage.py:866: UserWarning: Duplicate name: u'information.dump'</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> self._zipfile.writestr(stream_name, stream_data)</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*********************************** Counter ************************************</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Stored Events : 28</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Events Included : 28</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Duplicate Removals : 16</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Total Reports : 1</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Report: virustotal : 1</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here, you can see from the report that one of the files (pivy.exe) had previously been flagged as malicious by 37 antivirus engines, while the hashes of the other two are unknown to VirusTotal, meaning nobody has submitted those files for scanning. The VirusTotal plugin is also a tagging plugin, so as well as producing the analysis report it attaches a tag to every event derived from a looked-up file, and those tags show up in the regular psort output:</span><br />
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">➜ ~ psort.py /tmp/hashing.plaso </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Data files will be loaded from /usr/share/plaso by default.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">datetime,timestamp_desc,source,source_long,message,parser,display_name,tag,store_number,store_index</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2008-01-06T14:51:31+00:00,Creation Time,PE,</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>PE Compilation time</b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">,PE Type: Executable (EXE) Import hash: f9ade0aa18f660a34a4fa23392e21838,pe,OS:/tmp/test_directory/pivy.exe,</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>VirusTotal Detections 37</b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">,2,0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-04-21T14:53:54+00:00,Content Modification Time,PE,PE Delay Import Time,DLL name: USER32.dll PE Type: Executable (EXE) Import hash: 8d0739063fc8f9955cc6696b462544ab,pe,OS:/tmp/test_directory/test_pe.exe,Unknown to VirusTotal,2,2</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-04-21T14:53:54+00:00,Creation Time,PE,PE Compilation time,PE Type: Driver (SYS) Import hash: d9c9c4541168665f44917e3ddc4a00d5,pe,OS:/tmp/test_directory/test_driver.sys,Unknown to VirusTotal,2,1</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-04-21T14:53:55+00:00,Content Modification Time,PE,PE Import Time,DLL name: KERNEL32.dll PE Type: Executable (EXE) Import hash: 8d0739063fc8f9955cc6696b462544ab,pe,OS:/tmp/test_directory/test_pe.exe,Unknown to VirusTotal,2,3</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-04-21T14:53:56+00:00,Creation Time,PE,PE Compilation time,PE Type: Executable (EXE) Import hash: 8d0739063fc8f9955cc6696b462544ab,pe,OS:/tmp/test_directory/test_pe.exe,Unknown to VirusTotal,2,4</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:43:30+00:00,atime;ctime;mtime,FILE,OS atime;ctime;mtime,OS:/tmp/test_directory/test_pe.exe,filestat,OS:/tmp/test_directory/test_pe.exe,Unknown to VirusTotal,2,6</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:43:37+00:00,atime;ctime;mtime,FILE,OS atime;ctime;mtime,OS:/tmp/test_directory/test_driver.sys,filestat,OS:/tmp/test_directory/test_driver.sys,Unknown to VirusTotal,2,8</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:48:50+00:00,atime;mtime,FILE,OS atime;mtime,OS:/tmp/test_directory/pivy.exe,filestat,OS:/tmp/test_directory/pivy.exe,VirusTotal Detections 37,2,9</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:49:20+00:00,ctime,FILE,OS ctime,OS:/tmp/test_directory/pivy.exe,filestat,OS:/tmp/test_directory/pivy.exe,VirusTotal Detections 37,2,10</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:52:05+00:00,atime,FILE,OS atime,OS:/tmp/test_directory/test_driver.sys,filestat,OS:/tmp/test_directory/test_driver.sys,Unknown to VirusTotal,2,12</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:52:05+00:00,atime,FILE,OS atime,OS:/tmp/test_directory/test_pe.exe,filestat,OS:/tmp/test_directory/test_pe.exe,Unknown to VirusTotal,2,13</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2015-08-20T08:52:05+00:00,atime,FILE,OS atime,OS:/tmp/test_directory/pivy.exe,filestat,OS:/tmp/test_directory/pivy.exe,</span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.3333px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>VirusTotal Detections 37</b></span><span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">,2,11</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">[INFO] Output processing is done.</span></div>
<b id="docs-internal-guid-77074160-4a6c-89dd-5361-8433c1d6da29" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">*********************************** Counter ************************************</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Stored Events : 28</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Events Included : 28</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Duplicate Removals : 16</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Consolas; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is made possible by a couple of other new features in 1.3: <a href="https://github.com/libyal/libsigscan">pysigscan</a>, for faster file-format identification, and <a href="https://github.com/erocarrera/pefile">pefile</a>, to extract timestamps from Portable Executable (PE) files.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Note that the VirusTotal plugin can be a little slow, unless you’ve got an <a href="https://www.virustotal.com/en/faq/#difference-private-api">API key</a> which has a higher rate limit than the default of 4 hashes per minute.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">So that’s what the hashing subsystem looks like in action. Let’s take a look at what’s behind it, and how you can make it work for you.</span></div>
<b id="docs-internal-guid-856f8b80-4a68-7ec8-ac16-f1f6e06b0b9b" style="font-weight: normal;"><br /></b>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 17.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What is the hashing support good for?</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mostly bad things. For the moment, Plaso’s hashing support is best at pointing out files and events that are “bad” (or notable in some other way). Down the line, we plan to use the same subsystem to filter out “good” (or irrelevant) events and files, but that is a little more complex.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you activate hashing using the</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> --hashers</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command line flag to log2timeline.py, Plaso will store file hashes for each file it processes. Once this is done, you can use an analysis plugin to look up the hashes and annotate events derived from files with tags, based on the file hash.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Version 1.3 comes with a couple of proof-of-concept plugins that do this, looking up Windows executables in <a href="https://www.virustotal.com/">VirusTotal </a>(again, this will take a while with the default API key rate-limit) and the <a href="https://github.com/viper-framework/viper">Viper</a> binary analysis and management tool. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This feature will be most useful to examiners who have their own databases or systems containing files they want to alert on. Writing hash analysis plugins is pretty straightforward, and if there’s some system you want Plaso to talk to, have a go at writing an analysis plugin! The code for the <a href="https://github.com/log2timeline/plaso/blob/master/plaso/analysis/viper.py">Viper plugin</a> is the best reference. If you have a system you want to talk to, but can’t work out what’s required, feel free to reach out on the <a href="https://groups.google.com/forum/#!forum/log2timeline-dev">development mailing list</a>.</span></div>
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 17.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Performance impact</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One of our initial concerns with adding hashing to Plaso was the performance impact. Normally, Plaso’s parsers test a fairly small amount of each file to determine if it can be parsed, but with hashing turned on Plaso needs to read all of every file to calculate the digest.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Thankfully, testing thus far shows a very minimal performance impact, adding roughly 1 extra minute for every 30 minutes of log2timeline runtime in our real-world simulating tests. Obviously, this will vary from case to case, depending on how the source data is stored (SSD? Network storage?) and on the number and size of files in the source. We’re very interested in feedback on the performance of this feature, so if you find it slow and annoying, or quick and delightful, please let us know.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Given these numbers, we’re planning on enabling SHA256 digest calculation by default in version 1.4, the next Plaso release, depending on the performance we observe over the next few months.</span></div>
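<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As an added illustration of the two sections above (this is not Plaso’s own code and does not use the Plaso plugin API; the function and class names, the stat-derived event layout and the in-memory lookup table standing in for VirusTotal are assumptions made for this example, and the file contents are constructed test data, not real malware), the Python script below walks through the whole flow: each file is read exactly once, feeding MD5, SHA-1 and SHA-256 from the same chunks, which is why hashing costs little beyond the I/O needed to read the file; every event carries the hashes of the file it came from, as events do after a run with --hashers; and the analysis step looks up each distinct hash once, not once per event, before tagging the events with the same strings seen in the report above.</span></div>

```python
"""Added example (not Plaso's code): hash files once during extraction, then
tag the events derived from each file by looking up its hash in a known-bad
source, the way a Plaso hash analysis plugin does.  The lookup source is a
constructed in-memory table standing in for VirusTotal; the sample files are
constructed too (no real malware is involved)."""
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK_SIZE = 1024 * 1024


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=CHUNK_SIZE):
    """Read the file exactly once and feed every requested digest from each chunk.

    Hashing means reading all of every file, so the cost that matters is I/O;
    computing several digests in one pass avoids paying that cost per algorithm.
    Returns {algorithm_name: hexdigest}.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def extract_events(directory):
    """Stand-in for extraction with hashing on: one event per stat timestamp,
    each carrying the digests of the file it was derived from (assumed layout)."""
    events = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        digests = hash_file(path)
        stat = os.stat(path)
        for desc, ts in (("atime", stat.st_atime), ("mtime", stat.st_mtime),
                         ("ctime", stat.st_ctime)):
            events.append({
                "timestamp": ts,
                "timestamp_desc": desc,
                "display_name": "OS:" + path,
                "md5_hash": digests["md5"],
                "sha1_hash": digests["sha1"],
                "sha256_hash": digests["sha256"],
                "tag": None,
            })
    return events


class KnownBadSource:
    """Constructed stand-in for a VirusTotal-style service: sha256 -> detections."""

    def __init__(self, detections):
        self._detections = detections
        self.requests = 0  # lookups actually issued; this is what a rate limit counts

    def lookup(self, sha256):
        self.requests += 1
        return self._detections.get(sha256)  # None means the hash is unknown


def tag_events(events, source):
    """Look up each distinct hash once, then tag every event derived from that file."""
    by_hash = defaultdict(list)
    for event in events:
        by_hash[event["sha256_hash"]].append(event)
    for sha256, group in by_hash.items():
        detections = source.lookup(sha256)
        if detections is None:
            tag = "Unknown to VirusTotal"
        else:
            tag = "VirusTotal Detections %d" % detections
        for event in group:
            event["tag"] = tag
    return events


def run_demo():
    """Build a constructed directory, extract and tag; return (events, requests)."""
    with tempfile.TemporaryDirectory() as directory:
        contents = {"pivy.exe": b"abc", "test_driver.sys": b"driver", "test_pe.exe": b"pe"}
        for name, data in contents.items():
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(data)
        # Constructed table: only the "pivy.exe" content is known, with 37
        # detections, mirroring the report shown earlier.
        source = KnownBadSource({hashlib.sha256(b"abc").hexdigest(): 37})
        events = tag_events(extract_events(directory), source)
    return events, source.requests


if __name__ == "__main__":
    demo_events, demo_requests = run_demo()
    for event in demo_events:
        print(event["display_name"], event["timestamp_desc"], event["tag"])
    print("lookups issued:", demo_requests, "events tagged:", len(demo_events))
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Run it directly and it prints one line per event: three files give nine events but only three lookups. That per-hash deduplication in tag_events is what makes the public VirusTotal rate limit mentioned above bearable, since a single executable typically produces many events, and it is also why you would batch hashes per request rather than query one at a time if the service supports it.</span></div>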
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 10pt;">
<span style="background-color: transparent; color: black; font-family: 'Trebuchet MS'; font-size: 17.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Future plans</span></h2>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There are tons more things we’d like to add to the hashing subsystem:</span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Top priority is getting tagging more "good" things, to enable filtering out less relevant events.</span></li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">More digest algorithms, in particular the similarity digests sdhash and ssdeep</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">More analysis plugins, such as nsrlsvr and other known-good databases</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Extraction short-circuiting - if we’ve already extracted events from a file with this hash, skip it</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Incorporating hash information into other analysis plugins (“this file is set up to autorun, and it’s not in the NSRL or VirusTotal - maybe look at this first”)</span></div>
</li>
</ul>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’ll keep iterating on this, but check this feature out, and let us know if it’s useful to you, and what additions you’d most like to see.</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
Daniel White (http://www.blogger.com/profile/15601329906814633318)