Section 4.4: Super Timeline & Analysis Flashcards
How does the log2timeline.py tool function? Why is specifying the image's local time zone important?
It extracts events from a group of files, a mount point, or a forensic image and saves the results in a Plaso storage file. Specifying the local time zone is important so that timestamps can be converted to UTC and correlated with events from the other files.
What is the purpose of the pinfo tool?
It prints out information from a storage file. It has information on how and when the collection took place and any preprocessing stages that were employed.
What is the purpose of the psort tool?
It is a post-processing tool used to filter, sort, and process the storage file. Since the storage file is not in a human-readable format, psort produces the readable output.
What can Plaso parse?
Windows computers, the Windows registry, web history, Linux, Android, and Mac.
What data sources can the log2timeline.py tool parse data from?
Raw images (.dd), EWF images (.E01), virtual disk images (.vhdx), physical devices (such as sdd), partitions (--partition), and triage folders (\triage-output).
What are the two filter file formats I can use for Plaso, and what is the difference between the two?
Text-based filter files and YAML filter files. YAML filter files can also add an exclusion to the path being filtered.
What does this text-based filter example say: /(Users|Documents and Settings)/.+/NTUSER.DAT
I am looking for a file within the Users or Documents and Settings folder, followed by any subfolder (.+), that is specifically named NTUSER.DAT.
What does this text-based filter example say: {systemroot}/winevt/Logs/.+evtx
I am telling it to parse all .evtx files stored under the given directory.
What are path expansion variables for the text-based and YAML-based filters?
Text-based filters use {} and YAML-based filters use %%.
To get more columns for supertimeline analysis, what output format should I use?
l2tcsv
What tools can I use to analyze timelines at scale?
Databases like Splunk or ELK are good for investigating multiple timelines. To search for IOCs in timelines, use yara_match.py. To work with multiple timelines in real time with other investigators, use Timesketch.