Plaso In Progress

 LCDI logo_large

Our goal this past week was to have Plaso successfully built and running on SIFT 2.14 so we could begin testing and comparing results. However, this proved to be very difficult. Plaso is built in python, using precise (version 2.7.3), while Sift 2.14 is running on an older version of Linux (lucid). Because certain aspects of Plaso require the precise version, there are compatibility issues with the lucid version of SIFT. This created syntax errors during the build, and some of the dependencies were not installing properly.

To rectify these problems, we reached out to the DFIR mailing list. This is where we found answers and a different Linux system to test on.

Greg Freemyer sent us a link to his SUSE Linux iso that had Plaso already built. The name of the machine is DFIR open SUSE Gnome desktop, and it can be found at susestudio.com. It comes with both log2timeline version 0.65 (the original Perl tool) and Plaso backend version 1.0.2 alpha.

We are currently in the process of transferring data to the virtual machine. The image that we will use to compare both tools is in raw format and about 57 GB in size. The image contains Windows, Linux, and Mac OS partitions. We hope to begin testing immediately.

-Nicholas Aspinwall

More Research Projects
CyberRange Team: Creating The Perfect Sandbox Environment
The Internet of Things Team: An Inside Look
CyberTech: Creating a Safer Internet Through Education