Installation

  • Kali
  • Ubuntu
  • Docker - (My Preference)

Kali

sudo apt-get install plaso

Ubuntu

To install Plaso from the GIFT Personal Package Archive (PPA):

sudo add-apt-repository ppa:gift/stable

Update and install Plaso:

sudo apt-get update
sudo apt-get install plaso-tools

Docker

Installing Docker

docker pull log2timeline/plaso

Running Docker

docker run -t -i --entrypoint=/bin/bash -v <host evidence directory>:/data log2timeline/plaso

Converting Vhdx File to Raw Image

log2timeline requires a raw image file. To convert a VHDX image to raw, install qemu-utils:

To install qemu

sudo apt install qemu-utils

Converting vhdx to raw:

qemu-img convert -O raw 2021-02-02T073114_win10.vhdx win10_demo.raw

Creating Plaso Dump file

log2timeline.py plaso.dump win10_demo.raw

Plaso Dump file information

pinfo.py plaso.dump

Convert plaso file into CSV

To list all supported time zones:

psort.py --output-time-zone list

Set time zone

psort.py -o l2tcsv -w timeline.csv --output-time-zone Asia/Kolkata plaso.dump

Using a date filter

psort.py -o l2tcsv -w timeline.csv --output-time-zone Asia/Kolkata plaso.dump "date > '2021-01-01' AND date < '2021-01-05'"
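Once psort.py has written the l2tcsv timeline, the next step is usually to slice and triage it. The script below is an added example, not code from the original page or from the Plaso project: it parses the l2tcsv column layout psort.py emits, converts each row's local timestamp (the zone set with --output-time-zone) to UTC, applies a date window with the same shape as the psort filter above, and counts artefact sources. The sample rows are constructed; the fixed-offset fallback for Asia/Kolkata is an assumption for containers without a tz database.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample in the l2tcsv layout psort.py writes (not real case data).
# l2tcsv dates are MM/DD/YYYY; the timezone column carries --output-time-zone.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/02/2021,09:15:30,Asia/Kolkata,M...,FILE,NTFS USN change,Content Modification Time,-,DESKTOP-DEMO,demo.docx,Users/demo/Documents/demo.docx,2,/Users/demo/Documents/demo.docx,-,-,filestat,-
01/04/2021,23:59:59,Asia/Kolkata,...B,EVT,WinEVTX,Creation Time,-,DESKTOP-DEMO,4624,Logon success,2,/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-
01/05/2021,03:00:00,Asia/Kolkata,.A..,REG,Registry Key,Last Access Time,-,DESKTOP-DEMO,Run,HKLM/Software/Microsoft/Windows/CurrentVersion/Run,2,/Windows/System32/config/SOFTWARE,-,-,winreg,-
01/06/2021,00:10:00,Asia/Kolkata,M...,FILE,NTFS USN change,Content Modification Time,-,DESKTOP-DEMO,tool.exe,Users/demo/Downloads/tool.exe,2,/Users/demo/Downloads/tool.exe,-,-,filestat,-
"""

MACB_NAMES = {"M": "modified", "A": "accessed", "C": "changed", "B": "born"}


def _zone(name):
    """Resolve an IANA zone name; fallback (assumption) for hosts lacking tzdata."""
    try:
        return ZoneInfo(name)
    except Exception:
        if name == "Asia/Kolkata":  # IST is a fixed +05:30 offset, no DST
            return timezone(timedelta(hours=5, minutes=30))
        raise


def parse_l2tcsv(text):
    """Parse l2tcsv rows; add an aware UTC datetime ('ts') and expanded MACB flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["ts"] = local.replace(tzinfo=_zone(row["timezone"])).astimezone(timezone.utc)
        row["macb"] = [MACB_NAMES[c] for c in row["MACB"] if c != "."]  # "M..." -> ["modified"]
        rows.append(row)
    return rows


def filter_window(rows, start, end):
    """Events strictly after `start` and before `end` (YYYY-MM-DD, midnight UTC).
    Comparing in UTC keeps 01/05/2021 03:00 IST (Jan 4 21:30 UTC) inside the window."""
    lo = datetime.strptime(start, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    hi = datetime.strptime(end, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return [r for r in rows if lo < r["ts"] < hi]


def count_by_source(rows):
    """Quick triage view: how many events per artefact source in the window."""
    return dict(Counter(r["source"] for r in rows))


if __name__ == "__main__":
    events = filter_window(parse_l2tcsv(SAMPLE_L2TCSV), "2021-01-01", "2021-01-05")
    for e in events:
        print(e["ts"].isoformat(), e["source"], ",".join(e["macb"]), e["desc"])
    print(count_by_source(events))
```

To run it against a real timeline, replace SAMPLE_L2TCSV with the contents of timeline.csv produced by psort.py.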

Reference