Tips and Tricks
This is a collection of a few tips and tricks that can be used with plaso.
analyzeMFT and plaso
Plaso can parse the output of analyzeMFT when it is written in bodyfile (or mactime) format.
Run analyzeMFT as follows, then pass the resulting bodyfile to log2timeline:
$ analyzeMFT.py -b output.bodyfile -f input.MFT
$ log2timeline.py test.plaso output.bodyfile
The mactime parser of plaso will parse the bodyfile.
Also see: Mactime
Split the output of psort
psort itself does not provide an option for splitting its output into chunks. However, there are other ways to achieve that, such as using the standard Unix tool split:
$ psort.py test.plaso | split -b 10m - split_output_
This will leave you with the following files:
And so on. The chunk size can be controlled with the -b parameter of the split command.
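Because split -b counts bytes, a chunk boundary can fall in the middle of an event line. The following added example (not part of the plaso wiki) splits at line boundaries instead and repeats the header row in every chunk; it assumes the first line of the output is a column header, and the function names and sample data are constructed for illustration.

```shell
# Constructed sample input: a header row plus five invented event lines.
# The column names are illustrative, not psort's actual output format.
sample_timeline() {
    cat <<'EOF'
date,time,source,desc
2018-01-01,10:00:00,FILE,constructed event 1
2018-01-01,10:00:05,FILE,constructed event 2
2018-01-01,10:01:00,LOG,constructed event 3
2018-01-01,10:02:30,LOG,constructed event 4
2018-01-01,10:03:00,FILE,constructed event 5
EOF
}

# Usage: psort.py test.plaso | split_with_header LINES PREFIX
# Writes PREFIX001.csv, PREFIX002.csv, ... and prints the number of chunks.
# The body runs in a subshell so its variables do not leak into the caller.
split_with_header() (
    lines="$1"
    prefix="$2"
    # Take the header row off the stream; an empty input is an error.
    IFS= read -r header || exit 1
    # split -l cuts only at newlines, so no event line is divided between
    # two files. -a 4 allows more than the default 676 output files.
    split -a 4 -l "$lines" - "${prefix}part_"
    n=0
    for part in "${prefix}part_"*; do
        [ -e "$part" ] || continue   # no data lines: the glob matched nothing
        n=$((n + 1))
        out="${prefix}$(printf '%03d' "$n").csv"
        # Put the header back on top of each chunk, then drop the raw part.
        { printf '%s\n' "$header"; cat "$part"; } > "$out"
        rm -f "$part"
    done
    echo "$n"
)
```

Each resulting file can be opened or searched on its own, and concatenating the chunks minus their header rows reproduces the original event lines in order.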