Daniel White edited this page Nov 28, 2018 · 33 revisions

Deprecation warning

:warning: The Plaso Github wiki is now deprecated

:warning: Content was migrated to ReadTheDocs

:warning: The information below is likely to be out of date.

:warning: To update the current documentation, send a pull request for change to a file in the docs subdirectory of the Plaso source tree.

plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.

log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.

The initial purpose of plaso was to have the timestamps in a single place for computer forensic analysis (aka Super Timeline).

However plaso has become a framework that supports:

  • adding new parsers or parsing plug-ins;
  • adding new analysis plug-ins;
  • writing one-off scripts to automate repetitive tasks in computer forensic analysis or equivalent.

And is moving to support:

  • adding new general purpose parses/plugins that may not have timestamps associated to them;
  • adding more analysis context;
  • allowing more targeted approach to the collection/parsing.

Project status

Travis-CI AppVeyor Codecov PyPI
Build Status Build status codecov PyPI version

Supported Formats

The information below is based of version 1.5.0

Storage Media Image File Formats

Storage Media Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

Bencode file formats

  • Transmission
  • uTorrent

ESE database file formats

  • Internet Explorer WebCache format
  • Windows 8 File History

OLE Compound File formats

  • Document summary information
  • Summary information (top-level only)
  • Jump Lists .automaticDestinations-ms files

Property list (plist) formats

  • Airport
  • Apple Account
  • Bluetooth
  • Install History
  • iPod/iPhone
  • Mac User
  • Safari history
  • Software Update
  • Spotlight
  • Spotlight Volume Information
  • Timemachine

SQLite database file formats

  • Android call logs
  • Android SMS
  • Chrome cookies
  • Chrome browsing and downloads history
  • Chrome Extension activity
  • Firefox cookies
  • Firefox browsing and downloads history
  • Google Drive
  • iMessage (iOS and MacOS)
  • Kik (iOS)
  • Launch services quarantine events
  • MacKeeper cache
  • MacOS document versions
  • Skype text conversations
  • Twitter (iOS)
  • Zeitgeist activity database

Windows Registry formats

  • AppCompatCache
  • BagMRU (or ShellBags)
  • CCleaner
  • Explorer ProgramsCache
  • Less Frequently Used (LFU)
  • MountPoints2
  • Most Recently Used (MRU) MRUList and MRUListEx (including shell item support)
  • MSIE Zones
  • Office MRU
  • Outlook Search
  • Run and RunOnce keys
  • SAM
  • Services
  • Shutdown
  • Task Scheduler Cache (Task Cache)
  • Terminal Server MRU
  • Timezones
  • Typed URLS
  • USB
  • USBStor
  • UserAssist
  • WinRar
  • Windows version information

Hashers Supported

  • MD5
  • SHA1
  • SHA256

Also see

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.