Packages and Binaries:
plaso
This is a metapackage that depends on the Python 3 package of the Plaso libraries and scripts.
Installed size: 39 KB
How to install: sudo apt install plaso
Dependencies:
- python3-plaso
python3-plaso
Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This package contains a Plaso installation for Python 3.
Installed size: 10.05 MB
How to install: sudo apt install python3-plaso
Dependencies:
- python3
- python3-artifacts
- python3-certifi
- python3-cffi-backend
- python3-cffi-backend-api-max
- python3-cffi-backend-api-min
- python3-chardet
- python3-cryptography
- python3-dateutil
- python3-defusedxml
- python3-dfdatetime
- python3-dfvfs
- python3-dfwinreg
- python3-dtfabric
- python3-elasticsearch
- python3-fsapfs
- python3-idna
- python3-libbde
- python3-libcreg
- python3-libesedb
- python3-libevt
- python3-libevtx
- python3-libewf
- python3-libfsext
- python3-libfshfs
- python3-libfsntfs
- python3-libfsxfs
- python3-libfvde
- python3-libfwnt
- python3-libfwsi
- python3-liblnk
- python3-libluksde
- python3-libmodi
- python3-libmsiecf
- python3-libolecf
- python3-libqcow
- python3-libregf
- python3-libscca
- python3-libsigscan
- python3-libsmdev
- python3-libsmraw
- python3-libvhdi
- python3-libvmdk
- python3-libvsgpt
- python3-libvshadow
- python3-libvslvm
- python3-lz4
- python3-pefile
- python3-pip
- python3-psutil
- python3-pyparsing
- python3-pyxattr
- python3-redis
- python3-requests
- python3-six
- python3-tsk
- python3-tz
- python3-urllib3
- python3-xlsxwriter
- python3-yaml
- python3-yara
- python3-zmq
image_export.py
root@kali:~# image_export.py -h
usage: image_export.py [-h] [--troubles] [-V] [-d] [-q] [-u]
[--artifact_definitions PATH]
[--custom_artifact_definitions PATH] [--data PATH]
[--process_memory_limit SIZE] [--vfs_back_end TYPE]
[--logfile FILENAME] [--partitions PARTITIONS]
[--volumes VOLUMES] [--no_vss] [--vss_only]
[--vss_stores VSS_STORES] [--credential TYPE:DATA]
[--artifact_filters ARTIFACT_FILTERS]
[--artifact_filters_file PATH]
[--date-filter TYPE_START_END] [-f FILE_FILTER]
[-x EXTENSIONS] [--names NAMES]
[--signatures IDENTIFIERS] [-w PATH]
[--include_duplicates] [--no_hashes]
[IMAGE]
This is a simple collector designed to export files inside an image, both within a regular RAW image as well as inside a VSS. The tool uses a collection filter that uses the same syntax as a targeted plaso filter.
positional arguments:
IMAGE The full path to the image file that we are about to
extract files from, it should be a raw image or
another image that Plaso supports.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for
additional input when needed, but terminate with an
error instead.
--artifact_definitions PATH, --artifact-definitions PATH
Path to a directory or file containing artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--custom_artifact_definitions PATH, --custom-artifact-definitions PATH
Path to a directory or file containing custom artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--data PATH Path to a directory containing the data files.
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is
allowed to allocate in bytes, where 0 represents no
limit. The default limit is 4294967296 (4 GiB). This
applies to both the main (foreman) process and the
worker processes. This limit is enforced by the
operating system and will supersede the worker memory
limit (--worker_memory_limit).
--vfs_back_end TYPE, --vfs-back-end TYPE
The preferred dfVFS back-end: "auto", "fsext",
"fshfs", "fsntfs", "tsk" or "vsgpt".
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by
default this file will be named: "image_export-
YYYYMMDDThhmmss.log.gz". Note that the file will be
gzip compressed if the extension is ".gz".
--partitions PARTITIONS, --partition PARTITIONS
Define partitions to be processed. A range of
partitions can be defined as: "3..5". Multiple
partitions can be defined as: "1,3,5" (a list of comma
separated values). Ranges and lists can also be
combined as: "1,3..5". The first partition is 1. All
partitions can be specified with: "all".
--volumes VOLUMES, --volume VOLUMES
Define volumes to be processed. A range of volumes can
be defined as: "3..5". Multiple volumes can be defined
as: "1,3,5" (a list of comma separated values). Ranges
and lists can also be combined as: "1,3..5". The first
volume is 1. All volumes can be specified with: "all".
--no_vss, --no-vss Do not scan for Volume Shadow Snapshots (VSS). This
means that Volume Shadow Snapshots (VSS) are not
processed.
--vss_only, --vss-only
Do not process the current volume if Volume Shadow
Snapshots (VSS) have been selected.
--vss_stores VSS_STORES, --vss-stores VSS_STORES
Define Volume Shadow Snapshots (VSS) (or stores that
need to be processed. A range of stores can be defined
as: "3..5". Multiple stores can be defined as: "1,3,5"
(a list of comma separated values). Ranges and lists
can also be combined as: "1,3..5". The first store is
1. All stores can be defined as: "all".
--credential TYPE:DATA
Define a credentials that can be used to unlock
encrypted volumes e.g. BitLocker. The credential is
defined as type:data e.g. "password:BDE-test".
Supported credential types are: key_data, password,
recovery_password, startup_key. Binary key data is
expected to be passed in BASE-16 encoding
(hexadecimal). WARNING credentials passed via command
line arguments can end up in logs, so use this option
with care.
--artifact_filters ARTIFACT_FILTERS, --artifact-filters ARTIFACT_FILTERS
Names of forensic artifact definitions, provided on
the command command line (comma separated). Forensic
artifacts are stored in .yaml files that are directly
pulled from the artifact definitions project. You can
also specify a custom artifacts yaml file (see
--custom_artifact_definitions). Artifact definitions
can be used to describe and quickly collect data of
interest, such as specific files or Windows Registry
keys.
--artifact_filters_file PATH, --artifact-filters_file PATH
Names of forensic artifact definitions, provided in a
file with one artifact name per line. Forensic
artifacts are stored in .yaml files that are directly
pulled from the artifact definitions project. You can
also specify a custom artifacts yaml file (see
--custom_artifact_definitions). Artifact definitions
can be used to describe and quickly collect data of
interest, such as specific files or Windows Registry
keys.
--date-filter TYPE_START_END, --date_filter TYPE_START_END
Filter based on file entry date and time ranges. This
parameter is formatted as
"TIME_VALUE,START_DATE_TIME,END_DATE_TIME" where
TIME_VALUE defines which file entry timestamp the
filter applies to e.g. atime, ctime, crtime, bkup,
etc. START_DATE_TIME and END_DATE_TIME define
respectively the start and end of the date time range.
A date time range requires at minimum start or end to
time of the boundary and END defines the end time.
Both timestamps be set. The date time values are
formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
Where # are numeric digits ranging from 0 to 9 and the
seconds fraction can be either 3 or 6 digits. The time
of day, seconds fraction and time zone offset are
optional. The default time zone is UTC. E.g. "atime,
2013-01-01 23:12:14, 2013-02-23". This parameter can
be repeated as needed to add additional date
boundaries, e.g. once for atime, once for crtime, etc.
-f FILE_FILTER, --filter-file FILE_FILTER, --filter_file FILE_FILTER, --file-filter FILE_FILTER, --file_filter FILE_FILTER
List of files to include for targeted collection of
files to parse, one line per file path, setup is
/path|file - where each element can contain either a
variable set in the preprocessing stage or a regular
expression.
-x EXTENSIONS, --extensions EXTENSIONS
Filter on file name extensions. This option accepts
multiple multiple comma separated values e.g.
"csv,docx,pst".
--names NAMES Filter on file names. This option accepts a comma
separated string denoting all file names, e.g. -x
"NTUSER.DAT,UsrClass.dat".
--signatures IDENTIFIERS
Filter on file format signature identifiers. This
option accepts multiple comma separated values e.g.
"esedb,lnk". Use "list" to show an overview of the
supported file format signatures.
-w PATH, --write PATH
The directory in which extracted files should be
stored.
--include_duplicates, --include-duplicates
By default a digest hash (SHA-256) is calculated for
each file (data stream). These hashes are compared to
the previously exported files and duplicates are
skipped. Use this option to include duplicate files in
the export.
--no_hashes, --no-hashes
Do not generate the hashes.json file
And that is how you export files, plaso style.
log2timeline.py
root@kali:~# log2timeline.py -h
usage: log2timeline.py [-h] [--troubles] [-V] [--artifact_definitions PATH]
[--custom_artifact_definitions PATH] [--data PATH]
[--artifact_filters ARTIFACT_FILTERS]
[--artifact_filters_file PATH] [--preferred_year YEAR]
[--process_archives] [--skip_compressed_streams]
[-f FILE_FILTER] [--hasher_file_size_limit SIZE]
[--hashers HASHER_LIST]
[--parsers PARSER_FILTER_EXPRESSION]
[--yara_rules PATH] [--partitions PARTITIONS]
[--volumes VOLUMES] [--language LANGUAGE_TAG]
[--no_extract_winevt_resources] [-z TIME_ZONE]
[--no_vss] [--vss_only] [--vss_stores VSS_STORES]
[--credential TYPE:DATA] [-d] [-q] [-u] [--info]
[--use_markdown] [--no_dependencies_check]
[--logfile FILENAME] [--status_view TYPE] [-t TEXT]
[--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE]
[--single_process] [--process_memory_limit SIZE]
[--temporary_directory DIRECTORY] [--vfs_back_end TYPE]
[--worker_memory_limit SIZE] [--worker_timeout MINUTES]
[--workers WORKERS] [--sigsegv_handler]
[--profilers PROFILERS_LIST]
[--profiling_directory DIRECTORY]
[--profiling_sample_rate SAMPLE_RATE]
[--storage_file PATH] [--storage_format FORMAT]
[--task_storage_format FORMAT]
[SOURCE]
log2timeline is a command line tool to extract events from individual
files, recursing a directory (e.g. mount point) or storage media
image or device.
More information can be gathered from here:
https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html
positional arguments:
SOURCE Path to a source device, file or directory. If the
source is a supported storage media device or image
file, archive file or a directory, the files within
are processed recursively.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
data location arguments:
--artifact_definitions PATH, --artifact-definitions PATH
Path to a directory or file containing artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--custom_artifact_definitions PATH, --custom-artifact-definitions PATH
Path to a directory or file containing custom artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--data PATH Path to a directory containing the data files.
extraction arguments:
--artifact_filters ARTIFACT_FILTERS, --artifact-filters ARTIFACT_FILTERS
Names of forensic artifact definitions, provided on
the command command line (comma separated). Forensic
artifacts are stored in .yaml files that are directly
pulled from the artifact definitions project. You can
also specify a custom artifacts yaml file (see
--custom_artifact_definitions). Artifact definitions
can be used to describe and quickly collect data of
interest, such as specific files or Windows Registry
keys.
--artifact_filters_file PATH, --artifact-filters_file PATH
Names of forensic artifact definitions, provided in a
file with one artifact name per line. Forensic
artifacts are stored in .yaml files that are directly
pulled from the artifact definitions project. You can
also specify a custom artifacts yaml file (see
--custom_artifact_definitions). Artifact definitions
can be used to describe and quickly collect data of
interest, such as specific files or Windows Registry
keys.
--preferred_year YEAR, --preferred-year YEAR
When a format's timestamp does not include a year,
e.g. syslog, use this as the initial year instead of
attempting auto-detection.
--process_archives, --process-archives
Process file entries embedded within archive files,
such as archive.tar and archive.zip. This can make
processing significantly slower.
--skip_compressed_streams, --skip-compressed-streams
Skip processing file content within compressed
streams, such as syslog.gz and syslog.bz2.
-f FILE_FILTER, --filter-file FILE_FILTER, --filter_file FILE_FILTER, --file-filter FILE_FILTER, --file_filter FILE_FILTER
List of files to include for targeted collection of
files to parse, one line per file path, setup is
/path|file - where each element can contain either a
variable set in the preprocessing stage or a regular
expression.
--hasher_file_size_limit SIZE, --hasher-file-size-limit SIZE
Define the maximum file size in bytes that hashers
should process. Any larger file will be skipped. A
size of 0 represents no limit.
--hashers HASHER_LIST
Define a list of hashers to use by the tool. This is a
comma separated list where each entry is the name of a
hasher, such as "md5,sha256". "all" indicates that all
hashers should be enabled. "none" disables all
hashers. Use "--hashers list" or "--info" to list the
available hashers.
--parsers PARSER_FILTER_EXPRESSION
Define which presets, parsers and/or plugins to use,
or show possible values. The expression is a comma
separated string where each element is a preset,
parser or plugin name. Each element can be prepended
with an exclamation mark to exclude the item. Matching
is case insensitive. Examples: "linux,!bash_history"
enables the linux preset, without the bash_history
parser. "sqlite,!sqlite/chrome_history" enables all
sqlite plugins except for chrome_history".
"win7,syslog" enables the win7 preset, as well as the
syslog parser. Use "--parsers list" or "--info" to
list available presets, parsers and plugins.
--yara_rules PATH, --yara-rules PATH
Path to a file containing Yara rules definitions.
--partitions PARTITIONS, --partition PARTITIONS
Define partitions to be processed. A range of
partitions can be defined as: "3..5". Multiple
partitions can be defined as: "1,3,5" (a list of comma
separated values). Ranges and lists can also be
combined as: "1,3..5". The first partition is 1. All
partitions can be specified with: "all".
--volumes VOLUMES, --volume VOLUMES
Define volumes to be processed. A range of volumes can
be defined as: "3..5". Multiple volumes can be defined
as: "1,3,5" (a list of comma separated values). Ranges
and lists can also be combined as: "1,3..5". The first
volume is 1. All volumes can be specified with: "all".
--language LANGUAGE_TAG
The preferred language, which is used for extracting
and formatting Windows EventLog message strings. Use "
--language list" to see a list of supported language
tags. The en-US (LCID 0x0409) language is used as
fallback if preprocessing could not determine the
system language or no language information is
available in the winevt-rc.db database.
--no_extract_winevt_resources, --no-extract-winevt-resources
Do not extract Windows EventLog resources such as
event message template strings. By default Windows
EventLog resources will be extracted when a Windows
EventLog parser is enabled.
-z TIME_ZONE, --zone TIME_ZONE, --timezone TIME_ZONE
preferred time zone of extracted date and time values
that are stored without a time zone indicator. The
time zone is determined based on the source data where
possible otherwise it will default to UTC. Use "list"
to see a list of available time zones.
--no_vss, --no-vss Do not scan for Volume Shadow Snapshots (VSS). This
means that Volume Shadow Snapshots (VSS) are not
processed.
--vss_only, --vss-only
Do not process the current volume if Volume Shadow
Snapshots (VSS) have been selected.
--vss_stores VSS_STORES, --vss-stores VSS_STORES
Define Volume Shadow Snapshots (VSS) (or stores that
need to be processed. A range of stores can be defined
as: "3..5". Multiple stores can be defined as: "1,3,5"
(a list of comma separated values). Ranges and lists
can also be combined as: "1,3..5". The first store is
1. All stores can be defined as: "all".
--credential TYPE:DATA
Define a credentials that can be used to unlock
encrypted volumes e.g. BitLocker. The credential is
defined as type:data e.g. "password:BDE-test".
Supported credential types are: key_data, password,
recovery_password, startup_key. Binary key data is
expected to be passed in BASE-16 encoding
(hexadecimal). WARNING credentials passed via command
line arguments can end up in logs, so use this option
with care.
informational arguments:
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for
additional input when needed, but terminate with an
error instead.
--info Print out information about supported plugins and
parsers.
--use_markdown, --use-markdown
Output lists in Markdown format use in combination
with "--hashers list", "--parsers list" or "--timezone
list"
--no_dependencies_check, --no-dependencies-check
Disable the dependencies check.
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by
default this file will be named: "log2timeline-
YYYYMMDDThhmmss.log.gz". Note that the file will be
gzip compressed if the extension is ".gz".
--status_view TYPE, --status-view TYPE
The processing status view mode: "linear", "none" or
"window".
output arguments:
-t TEXT, --text TEXT Define a free form text string that is prepended to
each path to make it easier to distinguish one record
from another in a timeline (like c:\, or host_w_c:\)
processing arguments:
--buffer_size BUFFER_SIZE, --buffer-size BUFFER_SIZE, --bs BUFFER_SIZE
The buffer size for the output (defaults to 196MiB).
--queue_size QUEUE_SIZE, --queue-size QUEUE_SIZE
The maximum number of queued items per worker
(defaults to 125000)
--single_process, --single-process
Indicate that the tool should run in a single process.
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is
allowed to allocate in bytes, where 0 represents no
limit. The default limit is 4294967296 (4 GiB). This
applies to both the main (foreman) process and the
worker processes. This limit is enforced by the
operating system and will supersede the worker memory
limit (--worker_memory_limit).
--temporary_directory DIRECTORY, --temporary-directory DIRECTORY
Path to the directory that should be used to store
temporary files created during processing.
--vfs_back_end TYPE, --vfs-back-end TYPE
The preferred dfVFS back-end: "auto", "fsext",
"fshfs", "fsntfs", "tsk" or "vsgpt".
--worker_memory_limit SIZE, --worker-memory-limit SIZE
Maximum amount of memory (data segment and shared
memory) a worker process is allowed to consume in
bytes, where 0 represents no limit. The default limit
is 2147483648 (2 GiB). If a worker process exceeds
this limit it is killed by the main (foreman) process.
--worker_timeout MINUTES, --worker-timeout MINUTES
Number of minutes before a worker process that is not
providing status updates is considered inactive. The
default timeout is 15.0 minutes. If a worker process
exceeds this timeout it is killed by the main
(foreman) process.
--workers WORKERS Number of worker processes. The default is the number
of available system CPUs minus one, for the main
(foreman) process.
--sigsegv_handler, --sigsegv-handler
Enables the SIGSEGV handler. WARNING this
functionality is experimental and will a deadlock
worker process if a real segfault is caught, but not
signal SIGSEGV. This functionality is therefore
primarily intended for debugging purposes
profiling arguments:
--profilers PROFILERS_LIST
List of profilers to use by the tool. This is a comma
separated list where each entry is the name of a
profiler. Use "--profilers list" to list the available
profilers.
--profiling_directory DIRECTORY, --profiling-directory DIRECTORY
Path to the directory that should be used to store the
profiling sample files. By default the sample files
are stored in the current working directory.
--profiling_sample_rate SAMPLE_RATE, --profiling-sample-rate SAMPLE_RATE
Profiling sample rate (defaults to a sample every 1000
files).
storage arguments:
--storage_file PATH, --storage-file PATH
The path of the storage file. If not specified, one
will be made in the form <timestamp>-<source>.plaso
--storage_format FORMAT, --storage-format FORMAT
Format of the storage file, the default is: sqlite.
Supported options: sqlite
--task_storage_format FORMAT, --task-storage-format FORMAT
Format for task storage, the default is: sqlite.
Supported options: redis, sqlite
Example usage:
Run the tool against a storage media image (full kitchen sink)
log2timeline.py /cases/mycase/storage.plaso ímynd.dd
Instead of answering questions, indicate some of the options on the
command line (including data from particular VSS stores).
log2timeline.py --vss_stores 1,2 /cases/plaso_vss.plaso image.E01
And that is how you build a timeline using log2timeline...
pinfo.py
root@kali:~# pinfo.py -h
usage: pinfo.py [-h] [--troubles] [-V] [--process_memory_limit SIZE]
[--compare STORAGE_FILE] [--output_format FORMAT]
[--hash TYPE] [--report TYPE] [--sections SECTIONS_LIST] [-v]
[-w OUTPUTFILE]
[PATH]
Shows information about a Plaso storage file, for example how it was collected, what information was extracted from a source, etc.
positional arguments:
PATH Path to a storage file.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is
allowed to allocate in bytes, where 0 represents no
limit. The default limit is 4294967296 (4 GiB). This
applies to both the main (foreman) process and the
worker processes. This limit is enforced by the
operating system and will supersede the worker memory
limit (--worker_memory_limit).
--compare STORAGE_FILE
The path of the storage file to compare against.
--output_format FORMAT, --output-format FORMAT
Format of the output, the default is: text. Supported
options: json, markdown, text.
--hash TYPE Type of hash to output in file_hashes report.
Supported options: md5, sha1, sha256
--report TYPE Report on specific information. Supported options:
browser_search, chrome_extension,
environment_variables, file_hashes, list, none,
windows_services, winevt_providers
--sections SECTIONS_LIST
List of sections to output. This is a comma separated
list where each entry is the name of a section. Use "
--sections list" to list the available sections and "
--sections all" to show all available sections.
-v, --verbose Print verbose output.
-w OUTPUTFILE, --write OUTPUTFILE
Output filename.
psort.py
root@kali:~# psort.py -h
usage: psort.py [-h] [--troubles] [-V] [--analysis PLUGIN_LIST]
[--process_memory_limit SIZE]
[--temporary_directory DIRECTORY] [--worker_memory_limit SIZE]
[--worker_timeout MINUTES] [--logfile FILENAME] [-d] [-q] [-u]
[--status_view TYPE] [--slice DATE_TIME]
[--slice_size SLICE_SIZE] [--slicer] [--data PATH] [-a]
[--language LANGUAGE_TAG] [--dynamic_time]
[--output_time_zone TIME_ZONE] [-o FORMAT] [-w OUTPUT_FILE]
[--fields FIELDS] [--additional_fields ADDITIONAL_FIELDS]
[--profilers PROFILERS_LIST] [--profiling_directory DIRECTORY]
[--profiling_sample_rate SAMPLE_RATE]
[PATH] [FILTER]
Application to read, filter and process output from a Plaso storage file.
positional arguments:
PATH Path to a storage file.
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
Analysis Arguments:
--analysis PLUGIN_LIST
A comma separated list of analysis plugin names to be
loaded or "--analysis list" to see a list of available
plugins.
Processing:
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is
allowed to allocate in bytes, where 0 represents no
limit. The default limit is 4294967296 (4 GiB). This
applies to both the main (foreman) process and the
worker processes. This limit is enforced by the
operating system and will supersede the worker memory
limit (--worker_memory_limit).
--temporary_directory DIRECTORY, --temporary-directory DIRECTORY
Path to the directory that should be used to store
temporary files created during processing.
--worker_memory_limit SIZE, --worker-memory-limit SIZE
Maximum amount of memory (data segment and shared
memory) a worker process is allowed to consume in
bytes, where 0 represents no limit. The default limit
is 2147483648 (2 GiB). If a worker process exceeds
this limit it is killed by the main (foreman) process.
--worker_timeout MINUTES, --worker-timeout MINUTES
Number of minutes before a worker process that is not
providing status updates is considered inactive. The
default timeout is 15.0 minutes. If a worker process
exceeds this timeout it is killed by the main
(foreman) process.
Informational Arguments:
--logfile FILENAME, --log_file FILENAME, --log-file FILENAME
Path of the file in which to store log messages, by
default this file will be named: "psort-
YYYYMMDDThhmmss.log.gz". Note that the file will be
gzip compressed if the extension is ".gz".
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for
additional input when needed, but terminate with an
error instead.
--status_view TYPE, --status-view TYPE
The processing status view mode: "linear", "none" or
"window".
Filter Arguments:
--slice DATE_TIME Date and time to create a time slice around. This
parameter, if defined, will display all events that
happened X minutes before and after the defined date,
where X is controlled by the --slice_size option,
which is 5 minutes by default. The date and time must
be specified in ISO 8601 format including time zone
offset, for example: 20200619T20:09:23+02:00.
--slice_size SLICE_SIZE, --slice-size SLICE_SIZE
Defines the slice size. In the case of a regular time
slice it defines the number of minutes the slice size
should be. In the case of the --slicer it determines
the number of events before and after a filter match
has been made that will be included in the result set.
The default value is 5. See --slice or --slicer for
more details about this option.
--slicer Create a time slice around every filter match. This
parameter, if defined will save all X events before
and after a filter match has been made. X is defined
by the --slice_size parameter.
FILTER A filter that can be used to filter the dataset before
it is written into storage. More information about the
filters and how to use them can be found here: https:/
/plaso.readthedocs.io/en/latest/sources/user/Event-
filters.html
Input Arguments:
--data PATH Path to a directory containing the data files.
Output Arguments:
-a, --include_all, --include-all
By default the psort removes duplicate entries from
the output. This parameter changes that behavior so
all events are included.
--language LANGUAGE_TAG
The preferred language, which is used for extracting
and formatting Windows EventLog message strings. Use "
--language list" to see a list of supported language
tags. The en-US (LCID 0x0409) language is used as
fallback if preprocessing could not determine the
system language or no language information is
available in the winevt-rc.db database.
--dynamic_time, --dynamic-time
Indicate that the output should use dynamic time.
--output_time_zone TIME_ZONE, --output-time-zone TIME_ZONE
time zone of date and time values written to the
output, if supported by the output format. Output
formats that support this are: dynamic and l2t_csv.
Use "list" to see a list of available time zones.
Output Format Arguments:
-o FORMAT, --output_format FORMAT, --output-format FORMAT
The output format. Use "-o list" to see a list of
available output formats.
-w OUTPUT_FILE, --write OUTPUT_FILE
Output filename.
--fields FIELDS Defines which fields should be included in the output.
--additional_fields ADDITIONAL_FIELDS, --additional-fields ADDITIONAL_FIELDS
Defines extra fields to be included in the output, in
addition to the default fields, which are datetime,
timestamp_desc, source, source_long, message, parser,
display_name, tag.
profiling arguments:
--profilers PROFILERS_LIST
List of profilers to use by the tool. This is a comma
separated list where each entry is the name of a
profiler. Use "--profilers list" to list the available
profilers.
--profiling_directory DIRECTORY, --profiling-directory DIRECTORY
Path to the directory that should be used to store the
profiling sample files. By default the sample files
are stored in the current working directory.
--profiling_sample_rate SAMPLE_RATE, --profiling-sample-rate SAMPLE_RATE
Profiling sample rate (defaults to a sample every 1000
files).
psteal.py
root@kali:~# psteal.py -h
usage: psteal.py [-h] [--troubles] [-V] [--artifact_definitions PATH]
[--custom_artifact_definitions PATH] [--data PATH]
[--preferred_year YEAR] [--process_archives]
[--skip_compressed_streams] [--hasher_file_size_limit SIZE]
[--hashers HASHER_LIST] [--parsers PARSER_FILTER_EXPRESSION]
[--storage_file PATH] [--partitions PARTITIONS]
[--volumes VOLUMES] [--language LANGUAGE_TAG]
[--no_extract_winevt_resources] [-z TIME_ZONE] [--no_vss]
[--vss_only] [--vss_stores VSS_STORES]
[--credential TYPE:DATA] [-d] [-q] [-u]
[--no_dependencies_check] [--status_view TYPE]
[--source SOURCE] [--dynamic_time]
[--output_time_zone TIME_ZONE] [-o FORMAT] [-w OUTPUT_FILE]
[--fields FIELDS] [--additional_fields ADDITIONAL_FIELDS]
[--buffer_size BUFFER_SIZE] [--queue_size QUEUE_SIZE]
[--single_process] [--process_memory_limit SIZE]
[--temporary_directory DIRECTORY] [--vfs_back_end TYPE]
[--worker_memory_limit SIZE] [--worker_timeout MINUTES]
[--workers WORKERS]
psteal is a command line tool to extract events from individual
files, recursing a directory (e.g. mount point) or storage media
image or device. The output events will be stored in a storage file.
This tool will then read the output and process the events into a CSV
file.
More information can be gathered from here:
https://plaso.readthedocs.io/en/latest/sources/user/Using-log2timeline.html
options:
-h, --help Show this help message and exit.
--troubles Show troubleshooting information.
-V, --version Show the version information.
data location arguments:
--artifact_definitions PATH, --artifact-definitions PATH
Path to a directory or file containing artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--custom_artifact_definitions PATH, --custom-artifact-definitions PATH
Path to a directory or file containing custom artifact
definitions, which are .yaml files. Artifact
definitions can be used to describe and quickly
collect data of interest, such as specific files or
Windows Registry keys.
--data PATH Path to a directory containing the data files.
extraction arguments:
--preferred_year YEAR, --preferred-year YEAR
When a format's timestamp does not include a year,
e.g. syslog, use this as the initial year instead of
attempting auto-detection.
--process_archives, --process-archives
Process file entries embedded within archive files,
such as archive.tar and archive.zip. This can make
processing significantly slower.
--skip_compressed_streams, --skip-compressed-streams
Skip processing file content within compressed
streams, such as syslog.gz and syslog.bz2.
--hasher_file_size_limit SIZE, --hasher-file-size-limit SIZE
Define the maximum file size in bytes that hashers
should process. Any larger file will be skipped. A
size of 0 represents no limit.
--hashers HASHER_LIST
Define a list of hashers to use by the tool. This is a
comma separated list where each entry is the name of a
hasher, such as "md5,sha256". "all" indicates that all
hashers should be enabled. "none" disables all
hashers. Use "--hashers list" or "--info" to list the
available hashers.
--parsers PARSER_FILTER_EXPRESSION
Define which presets, parsers and/or plugins to use,
or show possible values. The expression is a comma
separated string where each element is a preset,
parser or plugin name. Each element can be prepended
with an exclamation mark to exclude the item. Matching
is case insensitive. Examples: "linux,!bash_history"
enables the linux preset, without the bash_history
parser. "sqlite,!sqlite/chrome_history" enables all
sqlite plugins except for chrome_history".
"win7,syslog" enables the win7 preset, as well as the
syslog parser. Use "--parsers list" or "--info" to
list available presets, parsers and plugins.
--storage_file PATH, --storage-file PATH
The path of the storage file. If not specified, one
will be made in the form <timestamp>-<source>.plaso
--partitions PARTITIONS, --partition PARTITIONS
Define partitions to be processed. A range of
partitions can be defined as: "3..5". Multiple
partitions can be defined as: "1,3,5" (a list of comma
separated values). Ranges and lists can also be
combined as: "1,3..5". The first partition is 1. All
partitions can be specified with: "all".
--volumes VOLUMES, --volume VOLUMES
Define volumes to be processed. A range of volumes can
be defined as: "3..5". Multiple volumes can be defined
as: "1,3,5" (a list of comma separated values). Ranges
and lists can also be combined as: "1,3..5". The first
volume is 1. All volumes can be specified with: "all".
--language LANGUAGE_TAG
The preferred language, which is used for extracting
and formatting Windows EventLog message strings. Use "
--language list" to see a list of supported language
tags. The en-US (LCID 0x0409) language is used as
fallback if preprocessing could not determine the
system language or no language information is
available in the winevt-rc.db database.
--no_extract_winevt_resources, --no-extract-winevt-resources
Do not extract Windows EventLog resources such as
event message template strings. By default Windows
EventLog resources will be extracted when a Windows
EventLog parser is enabled.
-z TIME_ZONE, --zone TIME_ZONE, --timezone TIME_ZONE
preferred time zone of extracted date and time values
that are stored without a time zone indicator. The
time zone is determined based on the source data where
possible otherwise it will default to UTC. Use "list"
to see a list of available time zones.
--no_vss, --no-vss Do not scan for Volume Shadow Snapshots (VSS). This
means that Volume Shadow Snapshots (VSS) are not
processed.
--vss_only, --vss-only
Do not process the current volume if Volume Shadow
Snapshots (VSS) have been selected.
--vss_stores VSS_STORES, --vss-stores VSS_STORES
Define Volume Shadow Snapshots (VSS) (or stores that
need to be processed. A range of stores can be defined
as: "3..5". Multiple stores can be defined as: "1,3,5"
(a list of comma separated values). Ranges and lists
can also be combined as: "1,3..5". The first store is
1. All stores can be defined as: "all".
--credential TYPE:DATA
Define a credentials that can be used to unlock
encrypted volumes e.g. BitLocker. The credential is
defined as type:data e.g. "password:BDE-test".
Supported credential types are: key_data, password,
recovery_password, startup_key. Binary key data is
expected to be passed in BASE-16 encoding
(hexadecimal). WARNING credentials passed via command
line arguments can end up in logs, so use this option
with care.
informational arguments:
-d, --debug Enable debug output.
-q, --quiet Disable informational output.
-u, --unattended Enable unattended mode and do not ask the user for
additional input when needed, but terminate with an
error instead.
--no_dependencies_check, --no-dependencies-check
Disable the dependencies check.
--status_view TYPE, --status-view TYPE
The processing status view mode: "linear", "none" or
"window".
input arguments:
--source SOURCE The source to process
output arguments:
--dynamic_time, --dynamic-time
Indicate that the output should use dynamic time.
--output_time_zone TIME_ZONE, --output-time-zone TIME_ZONE
time zone of date and time values written to the
output, if supported by the output format. Output
formats that support this are: dynamic and l2t_csv.
Use "list" to see a list of available time zones.
output format arguments:
-o FORMAT, --output_format FORMAT, --output-format FORMAT
The output format. Use "-o list" to see a list of
available output formats.
-w OUTPUT_FILE, --write OUTPUT_FILE
Output filename.
--fields FIELDS Defines which fields should be included in the output.
--additional_fields ADDITIONAL_FIELDS, --additional-fields ADDITIONAL_FIELDS
Defines extra fields to be included in the output, in
addition to the default fields, which are datetime,
timestamp_desc, source, source_long, message, parser,
display_name, tag.
processing arguments:
--buffer_size BUFFER_SIZE, --buffer-size BUFFER_SIZE, --bs BUFFER_SIZE
The buffer size for the output (defaults to 196MiB).
--queue_size QUEUE_SIZE, --queue-size QUEUE_SIZE
The maximum number of queued items per worker
(defaults to 125000)
--single_process, --single-process
Indicate that the tool should run in a single process.
--process_memory_limit SIZE, --process-memory-limit SIZE
Maximum amount of memory (data segment) a process is
allowed to allocate in bytes, where 0 represents no
limit. The default limit is 4294967296 (4 GiB). This
applies to both the main (foreman) process and the
worker processes. This limit is enforced by the
operating system and will supersede the worker memory
limit (--worker_memory_limit).
--temporary_directory DIRECTORY, --temporary-directory DIRECTORY
Path to the directory that should be used to store
temporary files created during processing.
--vfs_back_end TYPE, --vfs-back-end TYPE
The preferred dfVFS back-end: "auto", "fsext",
"fshfs", "fsntfs", "tsk" or "vsgpt".
--worker_memory_limit SIZE, --worker-memory-limit SIZE
Maximum amount of memory (data segment and shared
memory) a worker process is allowed to consume in
bytes, where 0 represents no limit. The default limit
is 2147483648 (2 GiB). If a worker process exceeds
this limit it is killed by the main (foreman) process.
--worker_timeout MINUTES, --worker-timeout MINUTES
Number of minutes before a worker process that is not
providing status updates is considered inactive. The
default timeout is 15.0 minutes. If a worker process
exceeds this timeout it is killed by the main
(foreman) process.
--workers WORKERS Number of worker processes. The default is the number
of available system CPUs minus one, for the main
(foreman) process.
Example usage:
Run the tool against a storage media image (full kitchen sink)
psteal.py --source ímynd.dd -w imynd.timeline.txt
And that is how you build a timeline using psteal...
Updated on: 2024-Feb-16