plaso - Super timeline all the things

  •        12

In short, plaso is a Python-based backend engine for the tool log2timeline. log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.

https://github.com/log2timeline/plaso

Tags
Implementation
License
Platform

   




Related Projects

timesketch - Collaborative forensic timeline analysis

  •    Python

Timesketch is an open source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars.

hindsight - Internet history forensics for Google Chrome/Chromium

  •    Python

Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications (with more to come!). Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline. The only field you are required to complete is "Profile Path". This is the location of the Chrome profile you want to analyze (the default profile paths for different OSes is listed at the bottom of this page). Click "Run" and you'll be taken to the results page in where you can save the results to a spreadsheet (or other formats).

Byte Investigator

  •    Perl

Scripts for parsing and general use in Computer Forensics - Octane Lab

mac-robber

  •    C

mac-robber is a digital forensics and incident response tool that can be used with The Sleuth Kit to create a timeline of file activity for mounted file systems.


flare-wmi

  •    C++

This repository contains various documentation and code projects that describe the Windows Management Instrumentation (WMI) technology. The research was first introduced at Defcon 23 in 2015, and the associated slides are available here: DEFCON_23-WMI-Attacks-Defense-Forensics.pdf. python-cim is a pure Python parser for the WMI repository database. It supports read access to WMI structures via a flexible API. You can use the provided "sample" scripts to dump persistence locations, identify commonly executed software, timeline activity, and recover deleted data.

autopsy - Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools

  •    Java

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card. Installers can be found at: http://www.sf.net/projects/autopsy/files/autopsy

Tweet

  •    PHP

seaofclouds / tweet has always been one of my preferred methods of client-side twitter integration. With the advent of Twitter's 1.1 API and the deprecation of 1.0, client side timeline fetching and parsing is no longer feasable due to the authentication restrictions imposed by OAuth. This exists to serve as a layer in between, serving the JSON directly to Tweet.js and caching it in a flat .json file to compensate for the v1.1 API's access limitations on sites which require more than ~12 loads of a user's timeline per minute. This mod works as an intermediary between seaofclouds / tweet and the twitter JSON api which it uses to fetch tweets. It handles the server-side authentication process and (optionally) caches the JSON file locally to avoid being throttled, which it then passes off to seaofclouds / tweet as normal. Simple yet effective.

diffy - Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response

  •    Python

Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers.

PcapXray - :snowflake: PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction

  •    Python

Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.

TimelineExtension - Windows Timeline & Project Rome Web Extension

  •    TypeScript

A web extension that integrates Windows Timeline support into popular browsers. Timeline Support is a web extension that integrates Windows Timeline support into popular browsers. This is done by publishing your browsing history as activities to the Microsoft Graph (so a Microsoft Account is required to use this extension). Personal Microsoft Accounts are confirmed to work, work and school accounts should work.

sleuthkit

  •    C

The Sleuth Kit (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

sleuthkit - The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data

  •    C

The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see docs/ntfs.README) and FAT (see docs/fat.README) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

Honeypots: Monitoring and Forensics

  •    

The Honeypots: Monitoring and Forensics Project's purpose is to highlight cutting edge techniques, tools and resources for conducting Honeypot Research.

Open Source Computer Forensics Manual

  •    

An open-source manual for computer forensics covering methodology, process and delving into technical standard operating procedures.

Open Computer Forensics Architecture

  •    C++

A modular computer forensics framework.The project aims to be highly modular, robust,fault tolerant, recursive and scalable in order to be usable in large investigations that spawn numerous terabytes of evidence data and covers hundreds of evidence items

OSXAuditor - OS X Auditor is a free Mac OS X computer forensics tool

  •    Javascript

OS X Auditor is a free Mac OS X computer forensics tool. It also looks for suspicious keywords in the .plist themselves.

DARKSURGEON - DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense

  •    PowerShell

DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. Provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.

h4cker - This repository is primarily maintained by Omar Santos and includes resources related to ethical hacking / penetration testing, digital forensics and incident response (DFIR), vulnerability research, exploit development, reverse engineering, and more

  •    Java

This repository includes thousands of cybersecurity-related references and resources and it is maintained by Omar Santos. This GitHub repository has been created to provide supplemental material to several books, video courses, and live training created by Omar Santos and other co-authors. It provides over 6,000 references, scripts, tools, code, and other resources that help offensive and defensive security professionals learn and develop new skills. This GitHub repository provides guidance on how build your own hacking environment, learn about offensive security (ethical hacking) techniques, vulnerability research, exploit development, reverse engineering, malware analysis, threat intelligence, threat hunting, digital forensics and incident response (DFIR), includes examples of real-life penetration testing reports, and more. These courses serve as comprehensive guide for any network and security professional who is starting a career in ethical hacking and penetration testing. It also can help individuals preparing for the Offensive Security Certified Professional (OSCP), the Certified Ethical Hacker (CEH), CompTIA PenTest+ and any other ethical hacking certification. This course helps any cyber security professional that want to learn the skills required to becoming a professional ethical hacker or that want to learn more about general hacking methodologies and concepts.

ROPMEMU - ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks.

  •    Python

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks. It adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools. In particular, it is based on memory forensics (as its input is a physical memory dump), code emulation (to faithfully rebuild the original ROP chain), multi-path execution (to extract the ROP chain payload), CFG recovery (to rebuild the original control flow), and a number of compiler transformations (to simplify the final instructions of the ROP chain). Specifically, the memory forensics part is based on Volatility [1] plugins. The emulation and the multi-path part is implemented through the Unicorn emulator [2].