Getting Started with Plaso and Log2Timeline - Forensic Timeline Creation
- Published 9 Jul 2024
- In this episode, we'll take an in-depth look at how to install and use Plaso/Log2Timeline to create a super timeline of events on a computer system. This is made possible by the automatic parsing of numerous forensic artifacts alongside the extraction of their associated timestamps. The result can be an investigator's dream, providing a single place to look to "find evil" and potentially solve a case. The process isn't without its caveats, but don't worry - we'll cover everything you need to know to get started!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
03:55 - Installing Plaso/Log2Timeline
05:41 - Using log2timeline.py
19:49 - Using pinfo.py
22:02 - Using psort.py
27:51 - Using psteal.py
30:25 - Reviewing Results in Timeline Explorer
36:53 - Recap
🛠 Resources
Plaso Documentation:
plaso.readthedocs.io/en/latest
Installing Plaso on Ubuntu:
plaso.readthedocs.io/en/lates...
AboutDFIR's Timeline Explorer Guide:
aboutdfir.com/toolsandartifac...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics - Science & Technology
A video about timeline explorer will be a great addition to this great video about l2t
Has to be one of the best tutorials I've seen, and it has really helped me get started with log2timeline. I'll be back...
This is the most valuable video on UA-cam today. Thank you so much for taking the time to put together these videos. Personally, I find them extremely helpful. Thanks for sharing!
Sir, hats off to you, sir. You are like a hero for learners who can't afford those costly courses. I will never skip any ads on your videos. May God bless you.
Great video! I think that an in depth presentation of Timeline Explorer will be greatly appreciated. Thank you!
Your videos have helped me so much to better understand the SANS FOR508 class. The time and effort you put into these videos help the DFIR community so much. Thank you. I'll be voting for you next time.
I am new to plaso and just started practicing it with Ubuntu. This video helped me so much!
I am studying for my GCFA, and I couldn't make much headway with the course material. Thanks to you, I am back on track.
Really this stuff right here is amazing.
Great to hear!
Fantastic video. This is the best coverage of this information that I have found. Thanks a ton.
great quick review for GCFA, thank you!
Excellent video! I haven't used L2T since I retired 4 years ago and am amazed at how much it's changed now. Makes me want to get back into forensics.
Thanks man, I really appreciate the provided content from your side, informative as always.
Wish you all the best
Mic and Quality is AMAZING :) thx for sharing as always
my favorite channel, please keep going ❤
Really appreciate your efforts for making such great videos. I really would love to see a video on Timeline Explorer.
Great job
This is really an awesome and useful tutorial that I enjoyed and will put to use. I would love to see a tutorial that covers proper usage of Timeline Explorer. Thanks for the tutorial.
Thanks for the video...
Excellent thanks :-)
Timeline Explorer video!
Thank you for all your awesome awesome materials! Have you tried to ingest the csv file into tools like SOF-ELK and timesketch? Maybe a Part II on that?
Not yet, but that's a great idea!
Hi, thank you for sharing such a nice tutorial. I have installed Plaso on Ubuntu 20 and tried the super timeline; it turns out that the -z time zone option has changed and even the time frame is not working. Hopefully you update this.
Great video!! I’m wondering if you can do a full end to end of an investigative analysis, say a user opens a macro downloads maliciousness, etc. From the DFIR stand point. For a lot of us not in DFIR we have the bits of knowledge, but it would be great to see how actual DFIR practitioners do it.
That's something I had planned to do for a long while. It's just a matter of having the time to build out the scenario and script it. Meanwhile, check out thedfirreport.com. They have some awesome end-to-end real-world investigation write-ups.
@13Cubed awesome, thank you!
For some reason -z didn't work for me. It kept throwing me errors. Using "--output_time_zone" worked!
Great info...
Timeline Explorer is a great tool... but...
do you know of any other tools to analyse the .csv timeline?
Maybe to 'summarize' a bit more, and to give some graphical hints/tips before the Timeline Explorer phase?
Or a graphical tool that shows a 'dashboard' so we can get a quick global overview?
Honestly, Timeline Explorer or grep/sed/awk/cut are all I ever use to slice and dice data. If you are looking for visualizations, you could always feed the data into an ELK stack, Splunk, or similar tool.
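As an added example that is not part of the video or this thread, here is the awk-only approach to slicing a psort.py l2tcsv export: events per source, events per hour, and rows inside a time window. The CSV rows are constructed sample data; the column order is the standard l2tcsv layout.

```shell
# Added example (not from the video or Plaso itself): quick awk slicing of a
# psort.py l2tcsv export, the "grep/sed/awk/cut" approach mentioned above.
# The rows are constructed sample data in the l2tcsv column order:
# date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,
# version,filename,inode,notes,format,extra
SAMPLE_CSV="${TMPDIR:-/tmp}/l2t_sample_$$.csv"
trap 'rm -f "$SAMPLE_CSV"' EXIT
cat > "$SAMPLE_CSV" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
06/21/2024,14:03:05,UTC,...B,FILE,NTFS USN change,Creation Time,-,WS01,invoice.docm,USN_REASON_FILE_CREATE,2,\Users\bob\Downloads\invoice.docm,-,-,usnjrnl,-
06/21/2024,14:03:09,UTC,M...,LOG,WinEVTX,Content Modification Time,-,WS01,[4688] Process created,Security: New Process Name winword.exe,2,Security.evtx,-,-,winevtx,-
06/21/2024,14:03:12,UTC,M...,REG,Registry Key,Content Modification Time,-,WS01,Run key,Updater: C:\Tools\updater.exe,2,NTUSER.DAT,-,-,winreg/winreg_default,-
06/21/2024,15:10:00,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WS01,report.docx,\Users\bob\Documents\report.docx,2,\Users\bob\Documents\report.docx,-,-,mft,-
EOF

# Events per source (column 5), most frequent first. Only columns left of
# the free-text fields are read, so commas in desc cannot shift them.
count_by_source() {
  awk -F',' 'NR > 1 { n[$5]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Events per hour as "MM/DD/YYYY HH count", useful for spotting bursts.
count_by_hour() {
  awk -F',' 'NR > 1 { h[$1 " " substr($2, 1, 2)]++ }
             END { for (k in h) print k, h[k] }' "$1" | sort
}

# Rows inside a window. Bounds are "YYYYMMDD HH:MM:SS" so plain string
# comparison orders them; the MM/DD/YYYY date column is rearranged to match.
events_between() {
  awk -F',' -v lo="$2" -v hi="$3" 'NR > 1 {
    ts = substr($1, 7, 4) substr($1, 1, 2) substr($1, 4, 2) " " $2
    if (ts >= lo && ts <= hi) print $1, $2, $4, $5, $10
  }' "$1"
}

count_by_source "$SAMPLE_CSV"
count_by_hour "$SAMPLE_CSV"
events_between "$SAMPLE_CSV" "20240621 14:00:00" "20240621 14:59:59"
```

Point the functions at a real psort.py l2tcsv export instead of the sample file; on a large timeline, count_by_hour is the quickest way to find the window to open in Timeline Explorer.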
Hey, thanks for the great video. I have a question. How could I collect a few Windows artifacts (like MFT, Amcache, etc.) and EVTX files to ingest into a single timeline output for analysis? I used to use the Minitimeline mod of KAPE, but it isn't supported anymore. I'm not talking about --artifact-filters, btw.
You can use a filter file or specify specific parsers that you want to run.
Here's a commonly used filter file:
github.com/mark-hallman/plaso_filters/blob/master/filter_windows.txt
Here's the official documentation for that:
plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html#using-filter-files-for-triage
Here's a list of specific parsers you could use:
plaso.readthedocs.io/en/latest/sources/user/Parsers-and-plugins.html
These things aren't mutually exclusive. You could both specify a filter file AND use parsers, technically.
Love you
Thanks a lot!! Your video is the best tutorial for log2timeline that I've ever found. One question. On some images, E01 or dd, the process gave me an error that refers to the shadow copies. For example: OSERROR: pyvshadow_volume_open_file_object: unable to open volume. And then it goes on with several strings like this one. Can you help me? Thanks a lot.
Hmm... can't say I've run across that. Make sure you are using the newest release of the tool. What OS/configuration are you using to run it? Can you try an alternate machine? I find that Ubuntu 20.04 (either via WSL2 or in a separate VM) tends to work well.
If I have an E01 on a Network Storage, how can I add that path as a source?
You'll have to mount the network storage location first. How to do so will vary depending on the OS in use.
26:46 doesn't work at this time, why?
It's 27 08 2022 now; maybe on the new version there is another command?
I read the official site and it's all true, but it doesn't work. Help please.
Leave off the "-z utc" part -- that's the default anyway. It should work correctly then. If you need to specify an alternate time zone, use --output_time_zone.
Awesome video. Would it be possible to make a video on how to install log2timeline in an Ubuntu terminal on Windows 10? Thanks.
Already did :) ua-cam.com/video/g9V6OUCe12k/v-deo.html
When I am using a .E01 file as input I am getting an error: unable to scan source with error: unable to read data
Can someone please help?
Can you paste the exact error message here along with any other error output? Are you certain the E01 file is valid/not corrupt? You could try to mount it with Arsenal Image Mounter or a similar tool to verify.
How can we get a .dd image file for practice?
The easiest way is to spin up a VM or use Windows Sandbox and create a test .dd/raw or E01 image for you to use for practice.
Does not seem to work on Windows10
Sure, it will work just fine with Windows 10, provided you have WSL 2 installed, with Ubuntu 20.04 or 22.04. What issue are you having?