Building Super Timelines with Plaso

Authorized Use Only: Build timelines only from evidence you are authorized to analyze. Work from forensic images/copies and preserve chain of custody.

Overview

Plaso (Plaso Langar Að Safna Öllu) is the open-source engine behind log2timeline, the standard for building forensic super timelines: a single chronological, normalized view that fuses hundreds of artifact types (file-system MACB times, registry, EVTX, browser history, prefetch, LNK, $UsnJrnl, syslog, and more) into one timeline. Plaso ships three core CLI tools plus a convenience wrapper:

  • log2timeline.py — extracts events from a source (disk image, mount point, directory, or device) into a .plaso storage file using its large parser/plugin set.
  • pinfo.py — reports on the contents and processing metadata of a .plaso file.
  • psort.py — post-processes the storage file (filtering, deduplication, time-zone conversion) and exports it to an output format (CSV, JSON-line, Elasticsearch, Timesketch, etc.).
  • psteal.py — convenience wrapper that runs extraction and export in one step.

The resulting timeline is enormous, so analysts triage it in Timesketch — a collaborative, web-based timeline analysis platform that ingests .plaso files (or CSV/JSONL) and supports filtering, tagging, starring, saved searches, and automated analyzers.
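As an added example (not part of this skill's original text and not Plaso's own code), the following Python script drives the three-stage pipeline with the real log2timeline.py, pinfo.py and psort.py flags, then triages a psort l2tcsv export: it parses the CSV, pulls out a time window and pivots on the source column, which is the first thing an analyst does before handing the full timeline to Timesketch. The evidence path, case directory and the four CSV rows are constructed for illustration; the column layout is assumed from Plaso's l2tcsv output module.

```python
"""Drive log2timeline.py -> pinfo.py -> psort.py and triage the l2tcsv export.

Added example, not Plaso's own code. The Plaso tools are only invoked when
dry_run=False and are assumed to be on PATH in that case.
"""
import csv
import io
import subprocess
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path


def build_pipeline(source, workdir):
    """Return the argv lists for extraction, inspection and export.

    Flags: --storage-file (log2timeline.py); -o <module> and -w <file> (psort.py).
    """
    workdir = Path(workdir)
    storage = workdir / "timeline.plaso"
    export = workdir / "timeline.csv"
    return [
        ["log2timeline.py", "--storage-file", str(storage), str(source)],
        ["pinfo.py", str(storage)],
        ["psort.py", "-o", "l2tcsv", "-w", str(export), str(storage)],
    ]


def run_pipeline(source, workdir, dry_run=True):
    """Run the three stages in order; with dry_run=True only return the commands."""
    cmds = build_pipeline(source, workdir)
    if not dry_run:
        Path(workdir).mkdir(parents=True, exist_ok=True)
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # stop on the first failing stage
    return cmds


def _parse_iso(value):
    """Accept '2023-06-15T14:22:00Z' style strings; treat naive values as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_l2tcsv(text):
    """Parse l2tcsv rows (date is MM/DD/YYYY, time is HH:MM:SS) into dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),  # psort exports in UTC by default
            "macb": row["MACB"],
            "source": row["source"],
            "sourcetype": row["sourcetype"],
            "filename": row["filename"],
            "desc": row["desc"],
        })
    return events


def events_in_window(events, start, end):
    """Return events with start <= ts < end, in chronological order."""
    lo, hi = _parse_iso(start), _parse_iso(end)
    return sorted((e for e in events if lo <= e["ts"] < hi), key=lambda e: e["ts"])


def count_by_source(events):
    """Pivot on the l2tcsv source column (FILE, REG, WEBHIST, ...)."""
    return dict(Counter(e["source"] for e in events))


# Constructed l2tcsv export (17 columns as written by psort.py -o l2tcsv).
SAMPLE = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
06/14/2023,09:00:00,UTC,MACB,LOG,WinPrefetch,Last Time Executed,-,WS01,Prefetch [NOTEPAD.EXE] ran 3 times,Prefetch [NOTEPAD.EXE] was executed - run count 3,2,C:/Windows/Prefetch/NOTEPAD.EXE-ABCD1234.pf,4714,-,prefetch,-
06/15/2023,14:22:01,UTC,MACB,FILE,NTFS File stat,Creation Time,-,WS01,C:/Users/alice/Downloads/invoice.zip,C:/Users/alice/Downloads/invoice.zip Type: file,2,C:/Users/alice/Downloads/invoice.zip,4711,-,filestat,-
06/15/2023,14:22:09,UTC,.A..,WEBHIST,Chrome History,Last Visited Time,alice,WS01,http://example.invalid/invoice.zip,http://example.invalid/invoice.zip (invoice) [count: 1],2,C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/History,4712,-,chrome_history,-
06/15/2023,14:23:40,UTC,..C.,REG,Registry Key,Content Modification Time,-,WS01,HKCU/Software/Microsoft/Windows/CurrentVersion/Run,[HKCU/Software/Microsoft/Windows/CurrentVersion/Run] updater: C:/Users/alice/AppData/Roaming/upd.exe,2,C:/Users/alice/NTUSER.DAT,4713,-,winreg/winreg_default,-
"""


if __name__ == "__main__":
    for cmd in run_pipeline("/evidence/ws01.E01", "/cases/ws01"):  # constructed paths
        print(" ".join(cmd))
    hits = events_in_window(parse_l2tcsv(SAMPLE), "2023-06-15T14:22:00Z", "2023-06-15T14:24:00Z")
    print(count_by_source(hits))
    for e in hits:
        print(e["ts"].isoformat(), e["macb"], e["source"], e["desc"])
```

Run it as-is to see the three commands and the triaged window; set `dry_run=False` on a host with Plaso installed to actually produce `timeline.plaso` and `timeline.csv`. Narrowing to a window around a suspicious file creation and pivoting on `source` is how a multi-million-row timeline is cut down to the handful of artifacts worth starring in Timesketch.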

When to Use

building-super-timelines-with-plaso — mukul975/anthropic-cybersecurity-skills