Plaso
How to process an image using log2timeline/plaso
Verify E01 image using ewfacquire
Since the other Windows-based processes have included image verification, we'll include the use of ewfverify to verify our E01 set.
$ sudo apt install ewf-tools
user@df:~/cases/26038642$ ls -lah
total 11G
drwxrwxr-x 2 user user 4.0K Jul 7 11:37 .
drwxrwxr-x 3 user user 4.0K Jul 7 11:36 ..
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E01
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E02
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E03
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E04
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E05
-rw-rw-r-- 1 user user 1.5G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E06
-rw-rw-r-- 1 user user 1.4G Jul 5 12:04 20240212-decrypted-Windows_Server_2022.E07You only have to specify the first of the E01 segments to verify the entire spanned set.
user@df:~/cases/26038642$ ewfverify 20240212-decrypted-Windows_Server_2022.E01
ewfverify 20140807
Verify started at: Jul 07, 2024 12:11:05
This could take a while
Verify completed at: Jul 07, 2024 12:17:48
Read: 50 GiB (53687091200 bytes) in 6 minute(s) and 43 second(s) with 127 MiB/s (133218588 bytes/second).
MD5 hash stored in file: 9a982399621826a66ff322cc87376e76
MD5 hash calculated over data: 9a982399621826a66ff322cc87376e76
ewfverify: SUCCESSWe can see the result is the data set was verified. The hash also matches the result of FTK Imager's verification process.
Setup and use log2timeline/plaso in Docker
I try to use Docker containers where I can. It helps me separate case files and reduce errors caused by software/version dependencies. You can use plaso on its own, but in this guide we'll use it in a Docker container.
Follow these steps to pull the required plaso container and verify that it's working.
user@df:~/cases/26038642$ docker pull log2timeline/plaso
Using default tag: latest
latest: Pulling from log2timeline/plaso
Digest: sha256:246c53b0c9459f60685b30cb9f749da3fa21159ba2b04c2e6c753150a0850258
Status: Image is up to date for log2timeline/plaso:latest
docker.io/log2timeline/plaso:latest
user@df:~/cases/26038642$ docker run log2timeline/plaso log2timeline.py --version
plaso - log2timeline version 20240308One consideration with using Docker is accessing data stored on the host from within the container itself. I want to generate a super timeline (all of the parsers) for the entire E01. Take the following command for example (this is one line, it's just wrapped)
docker run -v /home/user/cases/26038642/:/data/ log2timeline/plaso log2timeline.py --storage-file /data/26038642.plaso /data/20240212-decrypted-Windows_Server_2022.E01Let's break this command down;
docker run(we're invoking Docker)
-v /home/user/cases/26038642/:/data/ (we're mapping the folder /home/user/cases/26038642 on the host, to /data/ in the container)
log2timeline/plaso (the container we want to run)
log2timeline.py --storage-file /data/26038642.plaso (the command/file we're executing (log2timeline.py) along with the name/location of the file we want to store our data in)
/data/20240212-decrypted-Windows_Server_2022.E01 (our data source - which for E01s, can be the first E01 of the set)
If you execute this, you may see the following error;
Unable to proceed. More than one partitions found but no mediator to determine how they should be used.As the error suggests, there are more than 1 partitions in the image. We can either append--partitions all and process all, or we can specify a specific partition. Let's quickly identify which partition we want to inspect.
user@df:~/cases/26038642$ mkdir /mnt/cases
user@df:~/cases/26038642$ ewfmount 20240212-decrypted-Windows_Server_2022.E01 /mnt/cases
ewfmount 20140807
user@df:~/cases/26038642$ ls /mnt/cases
ewf1
user@df:~/cases/26038642$ disktype /mnt/cases/ewf1
--- /mnt/cases/ewf1
Regular file, size 50 GiB (53687091200 bytes)
DOS/MBR partition map
Partition 1: 100 MiB (104857600 bytes, 204800 sectors from 2048, bootable)
Type 0x07 (HPFS/NTFS)
NTFS file system
Volume size 100.0 MiB (104857088 bytes, 204799 sectors)
Partition 2: 49.29 GiB (52928970752 bytes, 103376896 sectors from 206848)
Type 0x07 (HPFS/NTFS)
NTFS file system
Volume size 49.29 GiB (52928970240 bytes, 103376895 sectors)
Partition 3: 620 MiB (650117120 bytes, 1269760 sectors from 103583744)
Type 0x27 (Unknown)
NTFS file system
Volume size 620.0 MiB (650116608 bytes, 1269759 sectors)
So our entire command becomes;
docker run -v /home/user/cases/26038642/:/data/ log2timeline/plaso log2timeline.py --storage-file /data/26038642.plaso /data/20240212-decrypted-Windows_Server_2022.E01 --partitions 2
It should start processing your image. The amount of time it takes to process is entirely dependent on the specs of your machine.
The resultant file is a 6.3GB SQLite database
user@df:~/cases/26038642$ ls -lah
6.3G Jul 7 12:51 26038642.plaso
user@df:~/cases/26038642$ file 26038642.plaso
26038642.plaso: SQLite 3.x database, last written using SQLite version 3037002, file counter 5, database pages 1635692, cookie 0x14, schema 4, UTF-8, version-valid-for 5Before we convert this SQLite database to a CSV, we need to use a processing option to convert our times to the local time of the victim system. Export the HKLM\SYSTEM hive from the E01 (using FTK Imager or similar) and inspect the following key;
SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName
In the above image, it's 'GMT Standard Time' which is UTC+0. We don't need to change anything when we process our image to adjust the time offset.
We can run the following command to generate a CSV of all events, using the dynamic processing option.
user@df:~/cases/26038642$ docker run -v /home/user/cases/26038642/:/data/ log2timeline/plaso psort.py /data/26038642.plaso -o dynamic -w /data/26038642.csvLast updated
Was this helpful?