In my previous blog, A Deep Dive into Plaso Log2Timeline Forensic Tools, I covered how to run Plaso Log2Timeline on Ubuntu and parse the resulting timeline. Ubuntu is not an option for everyone, so this post shows how to run Plaso on Windows through Docker. The parsers and command-line options are the same as in the previous blog; only the way the tool is launched changes.
Getting Started with Docker Desktop
To run Plaso/Log2Timeline on Windows, you'll need Docker Desktop. Follow these steps to get started:
Download Docker Desktop: Get the installer from the Docker website.
Install Docker: No sign-in is required. Follow the installation prompts and configure it as you would any other application.
Installing Plaso with Docker
There are two ways to install Plaso with Docker:
Manual Installation: Follow the documentation. https://plaso.readthedocs.io/en/latest/sources/user/Installing-with-docker.html
Docker Pull: Search Docker Hub for log2timeline/plaso from Docker Desktop and pull the image (or run docker pull log2timeline/plaso from PowerShell). Choose whichever method suits you.
Testing Your Plaso Docker Image
To test the image, run the following in PowerShell (Docker Desktop must already be running):
docker run log2timeline/plaso log2timeline.py --version
If it prints a version number, the image works.
Let's start with the main stuff :)
Collecting Artifacts
The first step is to collect artifacts. I recommend KAPE, which simplifies the process; if possible, collect into a .vhdx container so the result can be mounted as a drive.
Mount the Drive: After collection, mount the VHDX (Disk Management, or Mount-DiskImage in PowerShell). In this post it is mounted as E:, so the collected copy of the target's C: drive sits at E:\C.
Analysis Methods
Once collection is done, you can parse and analyze the artifacts in one of two ways:
Parse each artifact separately with Eric Zimmerman's tools, then combine all the outputs into one .plaso file for analysis. This is time-consuming but effective.
Parse most artifacts with Plaso and only the $MFT with Eric Zimmerman's MFTECmd, then merge the two. Plaso can parse the $MFT itself, but I prefer MFTECmd.
We will proceed with the second method:
1. Parsing Artifacts with Plaso
To parse all artifacts except the $MFT, run the following in PowerShell:
docker run -v E:/C:/data -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers '!mft,!usnjrnl,!filestat' --hashers md5 --status_view window --storage_file /output/akash.plaso /data
Explanation:
-v E:/C:/data: Maps the host directory E:\C (the C folder inside the mounted KAPE collection, i.e. the copy of the target's C: drive) to /data in the container. Docker on Windows accepts forward slashes in the host path, which avoids escaping backslashes.
-v D:/Plaso:/output: Maps the host directory D:\Plaso to /output in the container; this is where the storage file is written.
log2timeline/plaso: Specifies the Docker image.
log2timeline.py: The command to run inside the container.
--parsers '!mft,!usnjrnl,!filestat': Excludes the MFT, USN journal and file-stat parsers; a leading ! means exclude, and every other parser stays enabled. The single quotes keep the ! literal in PowerShell. The MFT events come from MFTECmd in the next step.
--hashers md5: Computes an MD5 hash of every file processed (the default hasher is sha256; pick what your case needs).
--status_view window: Shows progress in a windowed status view. Use --status_view linear if you redirect the output to a log file or run non-interactively.
--storage_file /output/akash.plaso: Specifies the output file path inside the Docker container.
/data: The source directory inside the Docker container.
This command will run Plaso on the contents of E:\C and save the output to D:\Plaso\akash.plaso.
2. Parsing the $MFT with MFTECmd
To parse the $MFT with MFTECmd, run the following in CMD. CMD passes $MFT literally; in PowerShell, $MFT inside double quotes is expanded as an (empty) variable, so if you run this from PowerShell put the path in single quotes: 'E:\C\$MFT'.
MFTECmd.exe --body D:\Plaso --bodyf D:\Plaso\HOSTNAME.mft.bodyfile --bdl C -f "E:\C\$MFT"
Explanation:
--body D:\Plaso: Output directory for the bodyfile.
--bodyf HOSTNAME.mft.bodyfile: File name of the bodyfile to write. Only the name is needed, because --body already gives the directory; the full path shown above also works.
--bdl C: The drive letter to prepend to paths in the bodyfile. Use the letter of the original volume (C), not the letter the VHDX is mounted as (E).
-f "E:\C\$MFT": Path to the collected $MFT.
3. Adding MFT Data to the Plaso File
Parse the MFT bodyfile and add its events to the same storage file (akash.plaso in my case) with the following PowerShell command:
docker run -v D:/Plaso:/output log2timeline/plaso log2timeline.py --parsers 'mactime' --hashers md5 --status_view window --storage_file /output/akash.plaso /output/HOSTNAME.mft.bodyfile
Explanation:
docker run: Starts a Docker container.
-v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container.
log2timeline/plaso: Specifies the Docker image.
log2timeline.py: Command to run inside the container.
--parsers 'mactime': Enables only the mactime (bodyfile) parser, which reads the MFTECmd output.
--hashers md5: Hashes the input file. Only the bodyfile is read here, so --hashers none would also do.
--status_view window: Sets the status view type.
--storage_file /output/akash.plaso: The existing storage file from step 1, to which the bodyfile events are added.
/output/HOSTNAME.mft.bodyfile: The bodyfile produced by MFTECmd in step 2.
You now have a single akash.plaso file that contains the MFT events as parsed by MFTECmd plus everything else parsed by log2timeline. From here you can push it into Elasticsearch or any other tool, or export it to CSV and analyze it in Timeline Explorer.
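The three steps above as one PowerShell script. This is an added example, not code from the original post: it assumes the KAPE VHDX is already mounted as E: (so the copy of the target's C: drive is E:\C), that MFTECmd.exe is on the PATH, and that D:\Plaso is the working directory; the host name, storage file name, image name and drive letters are parameters you can change. It runs the same three commands, but with linear status output, with the $MFT path single-quoted so PowerShell does not expand it, with an exit-code check after each step, and with a final pinfo.py run so you can see what the storage file contains before moving on.

```powershell
# Build-PlasoTimeline.ps1 (added example; the names below are assumptions,
# not from the original post). Run from PowerShell with Docker Desktop started.
param(
    [string]$SourceDir   = 'E:\C',         # mounted KAPE VHDX, folder that mirrors the target's C:
    [string]$OutputDir   = 'D:\Plaso',
    [string]$HostName    = 'HOSTNAME',
    [string]$StorageName = 'akash.plaso',
    [string]$TargetDrive = 'C',            # letter of the ORIGINAL volume, used by --bdl
    [string]$Image       = 'log2timeline/plaso'
)
$ErrorActionPreference = 'Stop'

# Docker's -v wants the host side with forward slashes, e.g. E:/C:/data.
function ConvertTo-DockerPath([string]$WinPath) {
    return (Resolve-Path -LiteralPath $WinPath).Path -replace '\\', '/'
}

# Fail fast: image runnable, MFTECmd present, $MFT actually collected.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
docker run --rm $Image log2timeline.py --version | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Cannot run $Image; is Docker Desktop started?" }
$null = Get-Command MFTECmd.exe              # throws if MFTECmd.exe is not on PATH
$mftPath = Join-Path $SourceDir '$MFT'       # single quotes keep the literal $MFT
if (-not (Test-Path -LiteralPath $mftPath)) { throw "No `$MFT found at $mftPath" }

$src      = ConvertTo-DockerPath $SourceDir
$out      = ConvertTo-DockerPath $OutputDir
$storage  = "/output/$StorageName"
$bodyFile = "$HostName.mft.bodyfile"

# Step 1: everything except the MFT, USN journal and file-stat parsers.
# ${src} is required: "$src:/data" would be read as a drive-qualified variable.
docker run --rm -v "${src}:/data" -v "${out}:/output" $Image log2timeline.py `
    --parsers '!mft,!usnjrnl,!filestat' --hashers md5 --status_view linear `
    --storage_file $storage /data
if ($LASTEXITCODE -ne 0) { throw 'log2timeline (step 1) failed' }

# Step 2: $MFT -> bodyfile with MFTECmd, paths prefixed with the original drive letter.
& MFTECmd.exe -f $mftPath --body $OutputDir --bodyf $bodyFile --bdl $TargetDrive
if ($LASTEXITCODE -ne 0) { throw 'MFTECmd (step 2) failed' }

# Step 3: add the bodyfile events to the same storage file with the mactime parser.
docker run --rm -v "${out}:/output" $Image log2timeline.py `
    --parsers mactime --hashers none --status_view linear `
    --storage_file $storage "/output/$bodyFile"
if ($LASTEXITCODE -ne 0) { throw 'log2timeline (step 3) failed' }

# Check: pinfo.py lists the sessions and event counts now in the storage file.
docker run --rm -v "${out}:/output" $Image pinfo.py $storage
```

Save it as Build-PlasoTimeline.ps1 and run it from the directory of your choice; override the parameters on the command line (for example -HostName WS01 -StorageName ws01.plaso) when processing several hosts, and keep one storage file per host so the bodyfile events land in the right place.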
4. Importing the Plaso File into Elasticsearch for Timesketch
To import the Plaso file into Elasticsearch, run the following in PowerShell. Inside the container, 127.0.0.1 is the container itself, not your Windows machine, so when Elasticsearch runs on the host (or in another container under Docker Desktop) give --server the name host.docker.internal, which Docker Desktop resolves to the host:
docker run -v D:/Plaso:/output log2timeline/plaso psort.py -o elastic --index_name example_host --server host.docker.internal --port 9200 /output/akash.plaso
Alternatively, use the Timesketch importer, which uploads the file and registers the timeline with a sketch. It runs wherever the importer is installed, not inside the Plaso container, so point it at the file on that machine (D:\Plaso\akash.plaso when run on the Windows host):
timesketch_importer -u [username] -p [password] --host http://127.0.0.1 --index_name HOSTNAME --sketch_name EXAMPLE --timeline_name HOSTNAME D:\Plaso\akash.plaso
4.1 Exporting to CSV for Timeline Explorer
You can also convert akash.plaso into a CSV for analysis in Timeline Explorer, in PowerShell:
docker run -v D:/Plaso:/output log2timeline/plaso psort.py --output-time-zone utc -o l2tcsv -w /output/timeline.csv /output/akash.plaso
Explanation:
docker run: Starts a Docker container.
-v D:/Plaso:/output: Mounts the D:/Plaso directory to /output inside the container.
log2timeline/plaso: Specifies the Docker image.
psort.py: The command to run inside the container (psort, not log2timeline, because this is post-processing of an existing storage file).
--output-time-zone utc: Writes all timestamps in UTC.
-o l2tcsv: Selects the log2timeline CSV output format, which Timeline Explorer opens directly.
-w /output/timeline.csv: Writes the output to this file (D:\Plaso\timeline.csv on the host).
/output/akash.plaso: The storage file to convert.
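The two export paths as one PowerShell script. This is an added example, not from the original post; the file names, index name, server name and parameters are assumptions. It runs psort the same way as above, but points the Elasticsearch target at host.docker.internal (how a process inside a Docker Desktop container reaches the Windows host) and checks that the CSV actually contains events before you open it in Timeline Explorer.

```powershell
# Export-PlasoTimeline.ps1 (added example; names are assumptions, not from the post).
param(
    [Parameter(Mandatory)][ValidateSet('csv', 'elastic')][string]$Target,
    [string]$OutputDir   = 'D:\Plaso',
    [string]$StorageName = 'akash.plaso',
    [string]$IndexName   = 'example_host',
    # Inside the container 127.0.0.1 is the container itself; Docker Desktop
    # exposes the Windows host as host.docker.internal.
    [string]$EsServer    = 'host.docker.internal',
    [int]$EsPort         = 9200,
    [string]$Image       = 'log2timeline/plaso'
)
$ErrorActionPreference = 'Stop'

$out     = (Resolve-Path -LiteralPath $OutputDir).Path -replace '\\', '/'
$storage = "/output/$StorageName"
if (-not (Test-Path -LiteralPath (Join-Path $OutputDir $StorageName))) {
    throw "Storage file $StorageName not found in $OutputDir"
}

switch ($Target) {
    'csv' {
        # l2tcsv is what Timeline Explorer opens directly; UTC keeps hosts comparable.
        docker run --rm -v "${out}:/output" $Image psort.py `
            --output-time-zone utc -o l2tcsv -w /output/timeline.csv $storage
        if ($LASTEXITCODE -ne 0) { throw 'psort (csv) failed' }

        # Sanity check: the header line plus at least one event.
        $csv   = Join-Path $OutputDir 'timeline.csv'
        $lines = (Get-Content -LiteralPath $csv | Measure-Object -Line).Lines
        if ($lines -lt 2) { throw "$csv contains no events" }
        Write-Host "$($lines - 1) events written to $csv"
    }
    'elastic' {
        docker run --rm -v "${out}:/output" $Image psort.py `
            -o elastic --index_name $IndexName --server $EsServer --port $EsPort $storage
        if ($LASTEXITCODE -ne 0) { throw 'psort (elastic) failed' }
        Write-Host "Events indexed into '$IndexName' on ${EsServer}:$EsPort"
    }
}
```

Run it as .\Export-PlasoTimeline.ps1 -Target csv for Timeline Explorer, or -Target elastic -EsServer <name> when Elasticsearch lives on another machine; the line count printed for the CSV is a cheap way to notice an empty or truncated export before you start analysis.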
Additional Notes
For details on options such as time-range filters, parser selection and filter expressions, see my previous blog; the Docker commands here accept the same options, so adjust them as needed. https://www.cyberengage.org/post/a-deep-dive-into-plaso-log2timeline-forensic-tools
By following these steps, you can efficiently run Plaso on Windows and perform comprehensive forensic analysis. Happy analyzing!
Akash Patel