What can be done using Plaso framework tools ?

[sim...@gmail.com]

Hi, I am writing a newbie blog article about a how-to do stuffs using plaso framework tools. Until now, I managed to write the following how-tos : 

• Install Plaso framework on Windows and Linux.
  
• Extract a list of events from digital evidence to CSV file.
• Apply automatic plugin analysis to a Plaso storage file.

Can you please suggest other How-to that I can add to improve the article ?

https://sim4n6.wordpress.com/2018/10/13/how-to-do-timeline-analysis-using-plaso-framework-and-log2timeline/

 

Thank you in advance

[Joachim Metz]

Depends on what you consider the "plaso framework".
Technically dfVFS and dfWinReg are part of the "framework"

> sudo apt install plaso

please do not use the Debian/Ubuntu provided version, it is significant old
to install a recent version see:
https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release

> pip install -r requirements.txt

Please do not use pip without virtualenv
https://github.com/log2timeline/plaso/wiki/Running-plaso-in-virtualenv

Nor that we recommend using pip, due to various reasons

Please have a look at the installation instructions for Windows
https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release
The method you describe is not supported by the project

> --
> You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
> To post to this group, send email to log2timeli...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Sim]

On Sat, Oct 13, 2018 at 6:20 PM Joachim Metz <joachi...@gmail.com> wrote:

Depends on what you consider the "plaso framework".
Technically dfVFS and dfWinReg are part of the "framework"

I suppose that Plaso framework contains 05 cmd line tools (log2timelne, psort, psteal, imageexport, pinfo).

  

> sudo apt install plaso

please do not use the Debian/Ubuntu provided version, it is significant old
to install a recent version see:
https://github.com/log2timeline/plaso/wiki/Ubuntu-Packaged-Release

In the article I mention, that the installation of release package available on the debian repo is not recommended so I choose to install the dev version from code source. 

> pip install -r requirements.txt

Please do not use pip without virtualenv
https://github.com/log2timeline/plaso/wiki/Running-plaso-in-virtualenv

Nor that we recommend using pip, due to various reasons

So the method I suggested is not the recommended one without the virtualenv for, for instance, enabling and disabling. 

 

Please have a look at the installation instructions for Windows
https://github.com/log2timeline/plaso/wiki/Windows-Packaged-Release
The method you describe is not supported by the project

I will rewrite the installation process for Linux using Virtualenv and Windows following the previous mentioned link.

Thank you Joachim for your feedback, very useful.

[Joachim Metz]

> I suppose that Plaso framework contains 05 cmd line tools (log2timelne, psort, psteal, imageexport, pinfo).

If you're only considering the plaso tools then I would not use the
term framework (also see:
https://whatis.techtarget.com/definition/framework)
maybe toolset or engine is a better term
(https://github.com/log2timeline/plaso/wiki)

If you do consider dfVFS and dfWinReg you could consider this a framework

dfVFS and dfWinReg are / can be both used separate from plaso as well.
So it kind of depends what message you are trying to provide your reader.

How to use plaso tools?
How to develop plaso?
What plaso is? What the larger idea (framework) behind plaso is?

[Sim]

Thank you again for the feedback, I will stick with "How-to use the Plaso toolset for Timeline Analysis on Linux ?" and I updated the installation part using virtualenv