Skip to content

log2timeline and Plaso

Jump to bottom
Phil Hagen edited this page Dec 13, 2023 · 5 revisions

log2timeline is a framework for extensive and flexible timeline creation. The Plaso tool, part of the framework, creates what are known as "supertimelines", containing aggregated and normalized forensic artifacts, based primarily on observed time stamps. This gives a forensicator the ability to review a wide range of artifacts in a standardized fashion.

SOF-ELK will parse the CSV format of the Plaso tool's output. The commands below serve as a general guideline on creating a compatible output file that SOF-ELK can handle. These commands are not a substitute for log2timeline and/or Plaso documentation.

Generating a compatible Plaso Output File

  • Generate the Plaso dumpfile
    • log2timeline.py -z UTC --parsers "<%PARSER_LIST%>" --storage-file <%L2T_OUTPUT_FILE%>.plaso <%MOUNTPOINT_OR_DISK_IMAGE%>
  • Use psort.py to generate CSV
    • psort.py --output-time-zone "UTC" -o l2tcsv -w <%PSORT_OUTPUT_FILE%>.csv <%L2T_OUTPUT_FILE%>.plaso "date > '<%START_DATE%> <%START_TIME%>' AND date < '<%END_DATE%> <%END_TIME%>'"

Credits:

Mark Hallman and Mike Pilkington did a lot of the groundwork on a standalone ELK VM used in FOR508. Without their work and help integrating the configuration to SOF-ELK, this would have been a much more difficult task.

All content ©2025 Lewes Technology Consulting, LLC unless otherwise indicated.

Table of Contents

Clone this wiki locally