Building Super Timelines with Plaso
Authorized Use Only: Build timelines only from evidence you are authorized to analyze. Work from forensic images/copies and preserve chain of custody.
Overview
Plaso (Plaso Langar Að Safna Öllu) is the open-source engine behind log2timeline, the de facto standard for building forensic super timelines: a single chronological, normalized view that fuses hundreds of artifact types (file-system MACB times, registry, EVTX, browser history, prefetch, LNK, $UsnJrnl, syslog, and more) into one timeline. Plaso ships four core CLI tools:
- log2timeline.py — extracts events from a source (disk image, mount point, directory, or device) into a .plaso storage file using its large parser/plugin set.
- pinfo.py — reports on the contents and processing metadata of a .plaso file.
- psort.py — post-processes, filters, deduplicates, applies time zones, and exports the storage file to an output format (CSV, JSON-line, Elasticsearch, Timesketch, etc.).
- psteal.py — convenience wrapper that runs extraction + export in one step.
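The extract, inspect, export flow described above, and a first triage pass over the exported CSV, as an added example that is not part of the page or of the Plaso project. It assumes the current log2timeline.py/pinfo.py/psort.py flag names (confirm with `--help` on your version), only launches the tools when log2timeline.py is on PATH, and parses a constructed l2tcsv sample; `pipeline_commands`, `run_pipeline`, `parse_l2tcsv` and `triage` are names chosen here.

```python
"""Drive the Plaso pipeline and triage its l2tcsv export.

Added example, not Plaso project code. CLI flags reflect recent Plaso
releases (assumption); check `log2timeline.py --help` and `psort.py --help`.
"""
import csv
import io
import shutil
import subprocess
from collections import Counter
from datetime import datetime, timezone

# Fixed 17-column header psort writes with `-o l2tcsv`.
L2TCSV_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype",
                 "type", "user", "host", "short", "desc", "version",
                 "filename", "inode", "notes", "format", "extra"]

# Incident window used for both the psort filter and the local triage.
WINDOW_START = datetime(2024, 3, 14, 9, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 14, 11, 0, 0, tzinfo=timezone.utc)

# Constructed sample in l2tcsv layout (not real psort output). Row 2 is an
# exact duplicate of row 1; rows 4 and 6 fall outside the window.
SAMPLE_L2TCSV = "\n".join([
    ",".join(L2TCSV_FIELDS),
    "03/14/2024,09:58:01,UTC,MACB,PREFETCH,WinPrefetch,Last Time Executed,-,WS01,POWERSHELL.EXE,Prefetch [POWERSHELL.EXE] run count 3,2,C:/Windows/Prefetch/POWERSHELL.EXE-1234ABCD.pf,-,-,prefetch,-",
    "03/14/2024,09:58:01,UTC,MACB,PREFETCH,WinPrefetch,Last Time Executed,-,WS01,POWERSHELL.EXE,Prefetch [POWERSHELL.EXE] run count 3,2,C:/Windows/Prefetch/POWERSHELL.EXE-1234ABCD.pf,-,-,prefetch,-",
    "03/14/2024,10:05:44,UTC,....,EVT,WinEVTX,Event Logged,-,WS01,4688 process created,[4688] New process C:/Users/Public/payload.exe,-,C:/Windows/System32/winevt/Logs/Security.evtx,-,-,winevtx,-",
    "03/13/2024,22:00:00,UTC,...B,FILE,NTFS $MFT,Creation Time,-,WS01,-,C:/Users/Public/notes.txt,-,C:/Users/Public/notes.txt,-,-,mft,-",
    "03/14/2024,10:02:17,UTC,...B,FILE,NTFS $MFT,Creation Time,-,WS01,-,C:/Users/Public/payload.exe,-,C:/Users/Public/payload.exe,-,-,mft,-",
    "03/14/2024,12:00:00,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WS01,-,C:/Windows/Temp/x.log,-,C:/Windows/Temp/x.log,-,-,mft,-",
]) + "\n"


def pipeline_commands(source, storage, out_csv, start, end, tz="UTC"):
    """Return argv lists for extract -> inspect -> export.

    start/end are 'YYYY-MM-DD HH:MM:SS' strings; psort's date filter keeps
    the export to the incident window so the CSV stays reviewable.
    """
    date_filter = f"date > '{start}' AND date < '{end}'"
    return [
        ["log2timeline.py", "-z", tz, "--storage-file", storage, source],
        ["pinfo.py", "-v", storage],
        ["psort.py", "-o", "l2tcsv", "-w", out_csv, storage, date_filter],
    ]


def run_pipeline(commands):
    """Run the commands in order; returns False (no-op) without Plaso installed."""
    if shutil.which(commands[0][0]) is None:
        return False
    for argv in commands:
        subprocess.run(argv, check=True)
    return True


def parse_l2tcsv(text):
    """Parse l2tcsv text into row dicts, attaching a UTC datetime as '_ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # l2tcsv writes date as MM/DD/YYYY and time as HH:MM:SS.
        stamp = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["_ts"] = stamp.replace(tzinfo=timezone.utc)
        events.append(row)
    return events


def triage(events, start, end):
    """Keep events in [start, end), drop exact duplicates, sort, count per source."""
    seen, kept = set(), []
    for ev in events:
        if not (start <= ev["_ts"] < end):
            continue
        key = (ev["_ts"], ev["MACB"], ev["source"], ev["desc"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(ev)
    kept.sort(key=lambda e: e["_ts"])
    return kept, Counter(e["source"] for e in kept)


if __name__ == "__main__":
    cmds = pipeline_commands("image.E01", "case.plaso", "timeline.csv",
                             "2024-03-14 09:00:00", "2024-03-14 11:00:00")
    if not run_pipeline(cmds):
        print("Plaso not on PATH; showing the commands that would run:")
        for argv in cmds:
            print("  " + " ".join(argv))
    kept, counts = triage(parse_l2tcsv(SAMPLE_L2TCSV), WINDOW_START, WINDOW_END)
    for ev in kept:
        print(ev["_ts"].isoformat(), ev["MACB"], ev["source"], ev["desc"])
    print(dict(counts))
```

The date filter is applied twice on purpose: once in psort so the export itself is small, and again in `triage` so the same window can be re-applied to a CSV someone else produced. Dedup here keys on timestamp, MACB flags, source and description; psort's own `--slice`/dedup handling is still the authoritative pass.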
The resulting timeline is enormous, so analysts triage it in Timesketch — a collaborative, web-based timeline analysis platform that ingests .plaso files (or CSV/JSONL) and supports filtering, tagging, starring, saved searches, and automated analyzers.