Plaso
What is Plaso?
Open-source Python tool created by Kristinn Gudjonsson that automatically extracts timestamps from many sources to build a 'super timeline' for forensic analysis.
Plaso (Plaso Langar Ad Safna Ollu) is the modern Python rewrite of the original log2timeline Perl tool created by Kristinn Gudjonsson in 2009. It is the standard open-source engine for building 'super timelines' that aggregate timestamps from disk images, individual files, registry hives, browser histories, Windows event logs, Linux syslogs, macOS plist files, mobile artefacts and many other sources via more than 100 parsers. The core command 'log2timeline.py' generates a Plaso storage file, which 'psort.py' then converts to formats such as CSV, JSON or Elasticsearch. Plaso underpins forensic platforms like Timesketch and is widely used in DFIR, threat hunting and lateral-movement reconstruction.
● Examples
- 01
Generating a super timeline of a Windows endpoint with 'log2timeline.py image.E01' and importing the output into Timesketch.
- 02
Filtering Plaso output with 'psort.py' to extract only events within a suspected breach window.
● Frequently asked questions
What is Plaso?
Open-source Python tool created by Kristinn Gudjonsson that automatically extracts timestamps from many sources to build a 'super timeline' for forensic analysis. It belongs to the Forensics & IR category of cybersecurity.
What does Plaso mean?
Open-source Python tool created by Kristinn Gudjonsson that automatically extracts timestamps from many sources to build a 'super timeline' for forensic analysis.
How does Plaso work?
Plaso (Plaso Langar Ad Safna Ollu) is the modern Python rewrite of the original log2timeline Perl tool created by Kristinn Gudjonsson in 2009. It is the standard open-source engine for building 'super timelines' that aggregate timestamps from disk images, individual files, registry hives, browser histories, Windows event logs, Linux syslogs, macOS plist files, mobile artefacts and many other sources via more than 100 parsers. The core command 'log2timeline.py' generates a Plaso storage file, which 'psort.py' then converts to formats such as CSV, JSON or Elasticsearch. Plaso underpins forensic platforms like Timesketch and is widely used in DFIR, threat hunting and lateral-movement reconstruction.
How do you defend against Plaso?
Defences for Plaso typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Plaso?
Common alternative names include: log2timeline, log2timeline.py, Plaso framework.
● Related terms
- Timeline Analysis: a forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artifacts.
- Memory Forensics: the discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.
- Windows Registry Analysis: the forensic examination of Windows Registry hives to recover configuration data, user activity, and evidence of program execution or persistence.
- Forensic Imaging: creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- Incident Response: the organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Chain of Custody: the chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.