In our work with Plaso, we were able to install and run the tool on a Windows 7 system (we are also using the DFIR Open Suse Gnome virtual machine as the Linux OS). Our original plan was to install Plaso on Sift 2.14, but this proved to be both difficult and time consuming. Sift 2.14 runs on an older version of Linux, and a number of Plaso dependences are not compatible with this version. The DFIR Linux machine can be downloaded from susestudio.com and comes with Plaso Alpha 1.0.2 already installed. We are still gathering our Linux research, and are unable to make any comparisons with the results from Windows at this time.
The Plaso Log2timeline command is relatively easy to understand. This is the windows command that runs log2timeline through the Plaso backend. This is being run against an image file that contains four separate partitions. Since the image is not mounted while the original Perl Log2timeline was, the offset must be given for the file system in order for log2timeline to be properly parsed. This is referred to as the –o flag. In the original Perl Log2timeline, if an image had more than one partition, each partition would be its own volume and could be run separately when it was mounted; if you tried to run it without the offset, Log2timeline would not be able to determine the file system.
The above screenshot is from a Linux OS. We used fdisk to show the partitions and their offset on the image. Partition 4 (p4) is a NTFS file system. The beginning offset is 65443840; this is where log2timeline will begin the process. This particular partition is a Windows 7 with VSS. Plaso’s log2timeline is capable of parsing out VSS storage volumes. The –vss flag will include the volumes in the analysis. The next portion of the command is the location of the dump file. The dump file is what Psort.exe will be run against. The last segment of the command is the location of the image file to be processed.
The above image shows the end message that appears once log2timeline is done creating the dump file.
The next step is to run the Psort.exe against the dump file created. This is where the dump file is converted into a readable csv document. Plaso was able to parse out around 1.1 million events when we did not include any kind of filter in these commands. These commands represent gathering everything, known as the “kitchen sink approach.”
-Nick Aspinwall