Home
plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
log2timeline is a tool designed to extract timestamps from the various files found on typical computer systems and aggregate them.
The initial purpose of plaso was to collect all of these timestamps in a single place for computer forensic analysis (also known as a Super Timeline).
However, plaso has become a framework that supports:
- adding new parsers or parsing plug-ins;
- adding new analysis plug-ins;
- writing one-off scripts to automate repetitive tasks in computer forensic analysis or equivalent.
And it is moving to support:
- adding new general purpose parsers/plugins that may not have timestamps associated with them;
- adding more analysis context;
- allowing a more targeted approach to collection/parsing.
The information below is based on version 1.2.0.
Storage Media Image File Format support is provided by [dfvfs](https://github.com/log2timeline/dfvfs/wiki#storage-media-types).
Volume System Format support is provided by dfvfs.
File System Format support is provided by dfvfs.
=== File formats ===
- Apple System Log (ASL)
- Android usage-history (app usage)
- Basic Security Module (BSM)
- Bencode files
- Chrome Disk Cache Format
- CUPS IPP
- Extensible Storage Engine (ESE) Database File (EDB) format using libesedb
- Firefox Cache
- Java IDX
- Jump Lists .customDestinations-ms files
- MacOS-X Application firewall
- MacOS-X Keychain
- MacOS-X Securityd
- MacOS-X Wifi
- (SleuthKit) mactime logs
- McAfee Anti-Virus Logs
- Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
- Microsoft IIS log files
- OLE Compound File using libolecf
- Opera Browser history
- OpenXML
- Pcap files
- PL SQL cache file (PL-SQL developer recall files)
- Popularity Contest log
- Property list (plist) format using binplist
- SELinux audit logs
- SkyDrive log and error log files
- SQLite database format using SQLite
- Symantec AV Corporate Edition and Endpoint Protection log
- Syslog
- UTMP
- UTMPX
- Windows Event Log (EVT) using libevt
- Windows Firewall
- Windows Job files (also known as "at jobs")
- Windows Prefetch files
- Windows Recycle bin (INFO2 and $I/$R)
- Windows NT Registry File (REGF) using libregf
- Windows Shortcut File (LNK) format using liblnk (including shell item support)
- Windows XML Event Log (EVTX) using libevtx
- Xchat and Xchat scrollback files
=== Bencode file formats ===
- Transmission
- uTorrent
=== ESE database file formats ===
- Internet Explorer WebCache format
=== OLE Compound File formats ===
- Document summary information
- Summary information (top-level only)
- Jump Lists .automaticDestinations-ms files
=== Property list (plist) formats ===
- Airport
- Apple Account
- Bluetooth
- Install History
- iPod/iPhone
- Mac User
- Safari history
- Software Update
- Spotlight
- Spotlight Volume Information
- Timemachine
=== SQLite database file formats ===
- Android call logs
- Android SMS
- Chrome cookies
- Chrome browsing and downloads history
- Chrome Extension activity
- Firefox cookies
- Firefox browsing and downloads history
- Google Drive
- Launch services quarantine events
- MacKeeper cache
- Mac OS X document versions
- Skype text conversations
- Zeitgeist activity database
=== Windows Registry formats ===
- AppCompatCache
- BagMRU (or ShellBags)
- CCleaner
- Less Frequently Used (LFU)
- MountPoints2
- Most Recently Used (MRU) MRUList and MRUListEx (including shell item support)
- MSIE Zones
- Office MRU
- Outlook Search
- Run and RunOnce keys
- SAM
- Services
- Shutdown
- Task Scheduler Cache (Task Cache)
- Terminal Server MRU
- Typed URLS
- USB
- USBStor
- UserAssist
- WinRar
- Windows version information
- Project documentation
- Downloads
- Blog: All things time related...
- Mailing lists:
  - For general discussions: log2timeline-discuss
  - For development: log2timeline-dev
- log2timeline