Using pinfo

Kristinn edited this page Jul 17, 2015 · 5 revisions
Clone this wiki locally

pinfo

pinfo is a command line tool to provide information about the contents of a plaso storage file.

The plaso storage file contains information about:

  • When and how the tool was run
  • Information gathered during the pre-processing stage
  • Metadata about each storage container or store
  • What parsers were used during the extraction phase, parameters used
  • How many extracted events are in the storage file, and count of each parser
  • If there are tagged events, what tag file was used, what tags have been applied and count for each one
  • If analysis plugins have been run, an overview of which have been run and the content of the report

Usage

Usage of pinfo is very simple, however for full list of parameters use the -h or --help switch.

The simplest way to run the tool is to run it without any parameters:

$ pinfo.py test.plaso

--------------------------------------------------------------------------------
                Plaso Storage Information
--------------------------------------------------------------------------------
Storage file:           test.plaso
Serialization format:   json
Source processed:       N/A
Time of processing:     2015-07-16T20:39:40+00:00

Collection information:
        parser_selection = winxp
        recursive = False
        preferred_encoding = UTF-8
        os_detected = Windows
        workers = 0
        output_file = test.plaso
        method = imaged processed
        preprocess = True
        version = 1.3.0
        cmd_line = /usr/bin/log2timeline.py test.plaso test.dd
        debug = False
        runtime = multi process mode
        parsers = bencode, binary_cookies, chrome_cache, chrome_preferences, esedb, filestat, firefox_cache, java_idx, lnk, mcafee_protection, msiecf, olecf, openxml, opera_global, opera_typed_history, pe, plist, prefetch, recycle_bin_info2, skydrive_log, skydrive_log_error, sqlite, symantec_scanlog, winevt, winfirewall, winjob, winreg
        configured_zone = CST6CDT
        protobuf_size = 0

Parser counter information:
        Counter: total = 149925
        Counter: winreg/winreg_default = 87885
        Counter: filestat = 28894
        Counter: pe = 26161
        Counter: msiecf = 3156
        Counter: lnk/shell_items = 1361
        Counter: winreg/windows_services = 831
        Counter: lnk = 483
        Counter: winevt = 364
...

This produces the basic information the storage file stores. To get more verbose output, for instance to see the information collected during the pre-processing stage or content of analysis reports use the verbose switch, -v

$ pinfo.py -v test.plaso
...
Preprocessing information:
        Operating system        : Microsoft Windows XP
        Hostname                : N-1A9ODN6ZXK4LQ
        Time zone               : CST6CDT
        %ProgramFiles%          : Program Files
        %SystemRoot%            : /WINDOWS
        %WinDir%                : /WINDOWS
    Users information:
        Name                    : systemprofile
        SID                     : S-1-5-18
        Profile path            : %systemroot%\system32\config\systemprofile
        Name                    : LocalService
        SID                     : S-1-5-19
        Profile path            : %SystemDrive%\Documents and Settings\LocalService
        Name                    : NetworkService
        SID                     : S-1-5-20
        Profile path            : %SystemDrive%\Documents and Settings\NetworkService
        Name                    : Mr. Evil
        SID                     : S-1-5-21-2000478354-688789844-1708537768-1003
        Profile path            : %SystemDrive%\Documents and Settings\Mr. Evil
    Other:
        Time zone               : CST6CDT
        Operating system        : Windows
        Registry path           : /WINDOWS/system32/config
        store_range             : (1, 1)
        Code page               : cp1252

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...

If analysis plugins have been run the reports are also displayed:

Report generated from: browser_search
Generated on: 2015-07-17T02:52:07+00:00

Report text:
 == ENGINE: GoogleSearch ==
10 who am i
10 what is my ip

Same if there are any tags stored in the storage file.

Parser counter information:
        Counter: Total Tags = 146
        Counter: Application Execution = 144
        Counter: Document Printed = 2

There is also an option to compare two storage files, for instance if you run the tool against a storage media file, then later re-run the tool and you want to quickly determine if there is a difference between the two storage files (does not go into content, only counters).

$ pinfo.py --compare older_test.plaso test.plaso 

collection_information.version value mismatch 1.3.0_20150716 != 1.3.0_20150713.
counter.filestat value mismatch 49090 != 28894.
counter.total value mismatch 143960 != 123764.

This shows the comparison between two runtimes of the tool against the same test dataset, before a bug was fixed and after. There are two things that changed, the version number increased and there are a lot more filestat events in the newer storage file.