plaso
Super timeline all the things
Per https://github.com/log2timeline/plaso/issues/2588#issuecomment-646495787 add a check for OpenSearch output modules to determine that events are correctly imported
* [ ] change 'webview:cookie' to 'android:webview:cookie'
* [ ] change 'winrar:history' to 'windows:registry:winrar:history'
* [ ] change `ccleaner:configuration` to `windows:registry:ccleaner:configuration`
* [ ] change `mac:...` and `macosx:...` to `macos:...`
* [...
Instead of generating source-level events from log sources, e.g. syslog, audit.log, winevt, extract (more) system-level events, e.g. execution start and stop. A showcase CL: https://codereview.appspot.com/223890043/ - Determine what to...
As a follow up to https://github.com/log2timeline/plaso/issues/4266 detect Feb 29 in year-less log file helper and use it to check if year aligns with a leap year
Follow up of https://github.com/log2timeline/plaso/pull/4176#issuecomment-1207428471
**Description of problem:** Running log2timeline with parameters taken from the --help message won't work, as ! is a reserved character in many shells.

```
# log2timeline.py --parsers "sqlite,!sqlite/chrome_history"
-bash:...
```
improve parser filters to:
- [x] ~~add first iteration of functionality to ignore files~~:
  - ~~Chrome cache files - https://github.com/log2timeline/plaso/pull/468~~
  - ~~Firefox 2 cache files - https://github.com/log2timeline/plaso/pull/468~~
  - ~~[Firefox cache...
Log files were found in a subfolder under `%SystemRoot%\System32\LogFiles`. Example file header:

```
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: YYYY-MM-DD HH:MM:SS
#Fields: date time c-ip c-port s-ip s-port...
```
## One line description of pull request The parser handles the Apple biome files (aka SEGB). Two parser plugins are included for application installation and launch. **Related issue (if applicable):**...
**Describe the problem:** When running on a bitlocker encrypted raw image (dd) and providing credentials, plaso fails to parse artifacts despite the image being correctly decrypted (at least, partially, see...