Plaso
Plaso (Plaso langar að safna öllu, Icelandic for "Plaso wants to collect everything") is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus Plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators and analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is primarily intended for creating super timelines, but it also supports creating targeted timelines that cover only selected parsers or artifacts.
Supported Formats
The information below is based on version 20221212. See the Plaso documentation for the most up-to-date information.
Storage Media Image File Formats
Storage Media Image File Format support is provided by dfVFS.
Volume System Formats
Volume System Format support is provided by dfVFS.
File System Formats
File System Format support is provided by dfVFS.
File formats
- Android usage history (usage-history.xml) file
- Apple Spotlight store database (store.db) file
- Apple System Log (asl) file
- AWS CloudTrail Log
- Azure Activity Log
- Azure Application Gateway access log
- Basic Security Module (bsm) event auditing file
- Bencoded file
- Compound ZIP file
- CUPS IPP file
- Custom destinations jump list or .customDestinations-ms file
- Docker container configuration file
- Docker container log file
- Docker layer configuration file
- Extensible Storage Engine (ESE) Database File (EDB) format using libesedb
- Fish history file
- Google Chrome or Chromium cache file
- Google Chrome Preferences file
- Google Cloud (GCP) log
- iOS Application Privacy report
- Java WebStart Cache IDX file
- JSON-L log file
- Linux libc6 utmp file
- Locate database file (updatedb)
- MacOS File System Events Disk Log Stream (fseventsd) file
- MacOS keychain database file
- Mac OS X 10.5 utmpx file
- McAfee Anti-Virus access protection log file
- Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
- Microsoft (Office) 365 audit log
- Mozilla Firefox Cache version 1 file (version 31 or earlier)
- Mozilla Firefox Cache version 2 file (version 32 or later)
- NetworkMiner .fileinfos file
- NTFS $MFT metadata file using libfsntfs
- NTFS USN change journal ($UsnJrnl:$J) file system metadata file using libfsntfs
- OLE Compound File using libolecf
- Opera global history (global_history.dat) file
- Opera typed history (typed_history.xml) file
- PL SQL cache file (PL-SQL developer recall file) format
- Portable Executable (PE) file
- Property list (plist) format using binplist
- Safari Binary Cookie file
- Sleuth Kit version 3 bodyfile
- SQLite database format using SQLite
- Symantec AV Corporate Edition and Endpoint Protection log file
- Systemd journal file
- text-based log file
- Trend Micro Office Scan Virus Detection log file
- Trend Micro Office Web Reputation log file
- Windows Defender scan DetectionHistory file
- Windows Event Log (evt) using libevt
- Windows NT Registry File (regf) using libregf
- Windows Prefetch files
- Windows $Recycle.Bin $I file
- Windows Recycler INFO2 file
- Windows Restore Point log (rp.log) file
- Windows Scheduled Task job (also known as "at jobs")
- Windows Shortcut File (LNK) format using liblnk
- Windows XML Event Log (evtx) using libevtx
Bencode file formats
- Transmission BitTorrent activity file
- uTorrent active torrent file
Browser cookie formats
- Google Analytics __utma cookie
- Google Analytics __utmb cookie
- Google Analytics __utmt cookie
- Google Analytics __utmz cookie
Compound ZIP file formats
- OpenXML (OXML) file
ESE database file formats
- Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file
- System Resource Usage Monitor (SRUM) ESE database file
- Windows 8 File History ESE database file
- Windows User Access Logging ESE database file
JSON-L log file formats
- AWS CloudTrail logs
- Azure Activity logs
- Azure Application Gateway access log
- Docker container configuration file
- Docker container log file
- Docker layer configuration file
- Google Cloud (GCP) log
- iOS Application Privacy report
- Microsoft (Office) 365 audit log
OLE Compound File formats
- Automatic destinations jump list OLE compound file or .automaticDestinations-ms file
- Document summary information (\0x05DocumentSummaryInformation)
- Summary information (\0x05SummaryInformation) (top-level only)
Property list (plist) formats
- Airport plist file
- Apple account information plist file
- Apple iOS Car Play application plist file
- iPod, iPad and iPhone plist file
- Launchd plist file
- MacOS Bluetooth plist file
- MacOS installation history plist file
- MacOS software update plist file
- MacOS TimeMachine plist file
- MacOS user plist file
- Safari history plist file
- Spotlight searched terms plist file
- Spotlight volume configuration plist file
SQLite database file formats
- Android call history SQLite database (contacts2.db) file
- Android text messages (SMS) SQLite database (mmssms.db) file
- Android WebViewCache SQLite database file
- Android WebView SQLite database file
- Dropbox sync history database (sync_history.db) file
- Google Chrome browsing and downloads history
- Google Chrome 17 - 65 cookies SQLite database file
- Google Chrome 27 and later history SQLite database file
- Google Chrome 66 and later cookies SQLite database file
- Google Chrome 8 - 25 history SQLite database file
- Google Chrome autofill SQLite database (Web Data) file
- Google Chrome extension activity SQLite database file
- Google Drive snapshot SQLite database (snapshot.db) file
- Google Hangouts conversations SQLite database (babel.db) file
- iOS Kik messenger SQLite database (kik.sqlite) file
- iOS network usage SQLite database (netusage.sqlite) file
- iOS powerlog SQLite database (CurrentPowerlog.PLSQL) file
- iOS Screen Time SQLite database (RMAdminStore-Local.sqlite)
- Kodi videos SQLite database (MyVideos.db) file
- MacOS and iOS iMessage database (chat.db, sms.db) file
- MacOS application usage SQLite database (application_usage.sqlite) file
- MacOS document revisions SQLite database file
- MacOS Duet/KnowledgeC SQLite database file
- MacOS launch services quarantine events database SQLite database file
- MacOS MacKeeper cache SQLite database file
- MacOS Notes SQLite database (NotesV7.storedata) file
- MacOS Notification Center SQLite database file
- MacOS Transparency, Consent, Control (TCC) SQLite database (TCC.db) file
- Mozilla Firefox cookies SQLite database file
- Mozilla Firefox browsing and downloads history
- Mozilla Firefox downloads SQLite database (downloads.sqlite) file
- Mozilla Firefox history SQLite database (places.sqlite) file
- Safari history SQLite database (History.db) file
- Skype SQLite database (main.db) file
- Tango on Android profile SQLite database file
- Tango on Android TC SQLite database file
- Twitter on Android SQLite database file
- Twitter on iOS 8 and later SQLite database (twitter.db) file
- Windows 10 Timeline SQLite database (ActivitiesCache.db) file
- Windows diagnosis EventTranscript SQLite database (EventTranscript.db) file
- Zeitgeist activity SQLite database file
Text-based log file formats
- Advanced Packaging Tool (APT) History log file
- Android logcat file
- Apache access log (access.log) file
- AWS ELB Access log file
- Bash history file
- Confluence access log (access.log) file
- Debian package manager log (dpkg.log) file
- Google Drive Sync log file
- Google-formatted log file
- iOS lockdown daemon log
- iOS sysdiag log
- iOS sysdiagnose logd file
- MacOS Application firewall log (appfirewall.log) file
- MacOS security daemon (securityd) log file
- MacOS Wi-Fi log (wifi.log) file
- Microsoft IIS log file
- OneDrive (or SkyDrive) version 1 log file
- OneDrive (or SkyDrive) version 2 log file
- Popularity Contest log file
- PostgreSQL application log file
- Santa log (santa.log) file
- SELinux audit log (audit.log) file
- Snort3/Suricata fast-log alert log (fast.log) file
- Sophos anti-virus log file (SAV.txt) file
- System Center Configuration Manager (SCCM) client log file
- System log (syslog) file
- Viminfo file
- vsftpd log file
- Windows Firewall log file
- Windows SetupAPI log file
- XChat log file
- XChat scrollback log file
- ZSH extended history file
Windows Registry formats
- AMCache (AMCache.hve)
- Application Compatibility Cache or AppCompatCache Registry data
- Background Activity Moderator (BAM) Registry data
- BagMRU (or ShellBags) Registry data
- Boot Execution Registry data
- CCleaner Registry data
- Microsoft Internet Explorer zone settings Registry data
- Microsoft Office MRU Registry data
- Microsoft Outlook search MRU Registry data
- Most Recently Used (MRU) Registry data
- Run and RunOnce Registry data
- Security Accounts Manager (SAM) users Registry data
- Terminal Server Client Connection Registry data
- Terminal Server Client Most Recently Used (MRU) Registry data
- User Assist Registry data
- Windows boot verification Registry data
- Windows drivers and services Registry data
- Windows Explorer mount points Registry data
- Windows Explorer Programs Cache Registry data
- Windows Explorer typed URLs Registry data
- Windows last shutdown Registry data
- Windows log-on Registry data
- Windows network drives Registry data
- Windows networks (NetworkList) Registry data
- Windows Task Scheduler cache Registry data
- Windows time zone Registry data
- Windows USB device Registry data
- Windows USB Plug And Play Manager USBStor Registry data
- Windows version (product) Registry data
- WinRAR History Registry data
Analysis plugins
- file_hashes: Lists all the hashes for all files processed
- tagging: Rule-based tagging of events
- virustotal: Looks up PE files using the VirusTotal API
- viper: Looks up PE files in a Viper instance
History
Plaso is a Python-based rewrite of the Perl-based log2timeline initially created by Kristinn Gudjonsson and extended by the contribution of various others.
Plaso builds upon The Sleuth Kit, pytsk, libyal, dfVFS and various other projects.
Related tools
This section lists several tools that can help in analyzing Plaso's timeline output:
- 4n6time, formerly "l2t_Review", a cross-platform forensic tool for timeline creation and review. This tool appears to be abandoned.
- Timesketch, a collaborative forensic timeline analysis tool.