CASE (v0.1.0) proof-of-concept implementation into Plaso.

Cyber-investigation Analysis Standard Expression (CASE)

Read the CASE Wiki tab to learn about the Cyber-investigation Analysis Standard Expression (CASE) ontology. For the Unified Cyber Ontology (UCO), CASE's parent, see UCO.

CASE Plaso implementation

Note: This proof of concept is not ontology-correct. It attempts to adhere to v0.1.0 of CASE, but its output should not be treated as a reference for the ontology.

This tool exports a Plaso storage file (the output of log2timeline) into an RDF graph that follows the CASE ontology.


Install the CASE Python API:

git clone
pip install CASE-Python-API

Then clone this repository and install its requirements:

git clone
cd CASE-Plaso-Implementation
pip install -r requirements.txt


Pass the storage file created by log2timeline to the case_plaso tool, naming the output file and the serialization format:

python myimage.bin.plaso output.json --format json-ld
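The following is an added illustration, written for this page and not code from the CASE-Plaso-Implementation project, of the kind of mapping such an exporter performs: a list of Plaso-style event records is turned into a JSON-LD document with one graph node per distinct event. The namespace (http://case.example.org/core#) and the property names (case:Trace, case:timestamp, case:filePath, and so on) are assumptions made for the example; the real v0.1.0 terms must be taken from the CASE ontology. The sample events are constructed, with attribute names modelled on a Plaso EventObject and timestamps in microseconds since the POSIX epoch, which is how Plaso stores them.

```python
"""Illustrative Plaso-event to JSON-LD exporter (not the project's own code)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed namespace and terms for illustration only; the real ones come from CASE v0.1.0.
CASE_NS = "http://case.example.org/core#"
XSD_NS = "http://www.w3.org/2001/XMLSchema#"
CONTEXT = {"case": CASE_NS, "xsd": XSD_NS}

POSIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample events. Attribute names mirror a Plaso EventObject; the
# timestamp is microseconds since the POSIX epoch. The third record duplicates
# the first, which happens when a storage file contains the same event twice.
SAMPLE_EVENTS = [
    {"timestamp": 1484611200000000, "timestamp_desc": "Content Modification Time",
     "data_type": "fs:stat", "filename": "/var/log/auth.log",
     "message": "Regular file, mode 0640"},
    {"timestamp": 1484607600000000, "timestamp_desc": "Last Access Time",
     "data_type": "fs:stat", "filename": "/etc/passwd",
     "message": "Regular file, mode 0644"},
    {"timestamp": 1484611200000000, "timestamp_desc": "Content Modification Time",
     "data_type": "fs:stat", "filename": "/var/log/auth.log",
     "message": "Regular file, mode 0640"},
]


def plaso_timestamp_to_iso(micros):
    """Convert Plaso's microseconds-since-epoch integer to an ISO 8601 UTC string.

    timedelta arithmetic is used instead of datetime.fromtimestamp so that
    negative (pre-1970) values convert correctly on every platform.
    """
    dt = POSIX_EPOCH + timedelta(microseconds=micros)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def event_node(event):
    """Map one Plaso-style event dict to a JSON-LD node.

    The @id is a hash of the canonical event content, so re-running the export
    on the same storage file yields identical identifiers and exact duplicates
    collapse into a single node.
    """
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")
    digest = hashlib.sha256(canonical).hexdigest()[:16]
    node = {
        "@id": "case:trace-" + digest,
        "@type": "case:Trace",  # assumed class name
        "case:dataType": event["data_type"],
        "case:timestampDescription": event["timestamp_desc"],
        "case:timestamp": {
            "@type": "xsd:dateTime",
            "@value": plaso_timestamp_to_iso(event["timestamp"]),
        },
    }
    if "filename" in event:
        node["case:filePath"] = event["filename"]
    if "message" in event:
        node["case:message"] = event["message"]
    return node


def export_events(events):
    """Build the JSON-LD document: one node per distinct event, ordered by time."""
    nodes = {}
    for event in events:
        node = event_node(event)
        nodes[node["@id"]] = node  # identical events share an @id and collapse
    # The fixed-width timestamp string sorts chronologically; @id breaks ties.
    graph = sorted(nodes.values(), key=lambda n: (n["case:timestamp"]["@value"], n["@id"]))
    return {"@context": CONTEXT, "@graph": graph}


def to_json_ld(events, indent=2):
    """Serialize the exported graph as JSON-LD text."""
    return json.dumps(export_events(events), indent=indent, sort_keys=True)


if __name__ == "__main__":
    print(to_json_ld(SAMPLE_EVENTS))
```

Two design points matter for a real exporter. Content-derived identifiers keep the export reproducible, which is what lets a second analyst verify that the same storage file produced the same graph. Converting timestamps with timedelta arithmetic rather than datetime.fromtimestamp avoids the platform-dependent failure on negative values, which do occur in forensic timelines (clock-skewed or deliberately backdated files).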

I have a question!

Before you post a GitHub issue or send an email, make sure you have completed this checklist:

  1. Determine the scope of your task. Most parties do not need to understand every aspect of the ontology, the mapping methods, and the supporting tools.

  2. Familiarize yourself with the labels and search the Issues tab. Typically, only light-blue and red labels should be used by non-admin GitHub users; the others are reserved for CASE GitHub admins. All but the red Project labels are found in every casework repository.
