Skip to content
Joachim Metz edited this page Jun 15, 2018 · 36 revisions

plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.

log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.

The initial purpose of plaso was to have the timestamps in a single place for computer forensic analysis (aka Super Timeline).

However plaso has become a framework that supports:

  • adding new parsers or parsing plug-ins;
  • adding new analysis plug-ins;
  • writing one-off scripts to automate repetitive tasks in computer forensic analysis or equivalent.

And is moving to support:

  • adding new general purpose parses/plugins that may not have timestamps associated to them;
  • adding more analysis context;
  • allowing more targeted approach to the collection/parsing.

Project status

Travis-CI AppVeyor Codecov PyPI
Build Status Build status codecov PyPI version

Supported Formats

The information below is based of version 1.5.0

Storage Media Image File Formats

Storage Media Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

Bencode file formats

  • Transmission
  • uTorrent

ESE database file formats

  • Internet Explorer WebCache format
  • Windows 8 File History

OLE Compound File formats

  • Document summary information
  • Summary information (top-level only)
  • Jump Lists .automaticDestinations-ms files

Property list (plist) formats

  • Airport
  • Apple Account
  • Bluetooth
  • Install History
  • iPod/iPhone
  • Mac User
  • Safari history
  • Software Update
  • Spotlight
  • Spotlight Volume Information
  • Timemachine

SQLite database file formats

  • Android call logs
  • Android SMS
  • Chrome cookies
  • Chrome browsing and downloads history
  • Chrome Extension activity
  • Firefox cookies
  • Firefox browsing and downloads history
  • Google Drive
  • iMessage (iOS and Mac OS X)
  • Kik (iOS)
  • Launch services quarantine events
  • MacKeeper cache
  • Mac OS X document versions
  • Skype text conversations
  • Twitter (iOS)
  • Zeitgeist activity database

Windows Registry formats

  • AppCompatCache
  • BagMRU (or ShellBags)
  • CCleaner
  • Explorer ProgramsCache
  • Less Frequently Used (LFU)
  • MountPoints2
  • Most Recently Used (MRU) MRUList and MRUListEx (including shell item support)
  • MSIE Zones
  • Office MRU
  • Outlook Search
  • Run and RunOnce keys
  • SAM
  • Services
  • Shutdown
  • Task Scheduler Cache (Task Cache)
  • Terminal Server MRU
  • Timezones
  • Typed URLS
  • USB
  • USBStor
  • UserAssist
  • WinRar
  • Windows version information

Hashers Supported

  • MD5
  • SHA1
  • SHA256

Also see

Clone this wiki locally