Plaso Autopsy Python Plugin(s) Module
If you have ever wanted to run plaso against an image you have in Autopsy, or import a plaso storage file into Autopsy, then have I got a deal for you: I have created just such a module. The module actually contains two plugins in the same directory: one runs plaso against the image you are running the ingest module on, and the other imports an existing plaso storage file.
The first plugin runs plaso against the image you are ingesting. It has the following UI settings available:
Based on the UI above, you will need plaso installed on your computer, and once it is installed you will have to specify the path where it lives. Since you may want to do this often, I added the option to save this setting into a SQLite database so it is populated every time you open the UI.

Now here is where I would love some feedback. I made this module so that you can either run plaso or import a plaso storage file. As you can see, the only plaso run parameters, out of the many that plaso supports, that you can actually pick are the Volume Shadow Copy parameters. I set all partitions to be processed in the run, but this could be added as an option. I also run all parsers/plugins against the image; I could add the option to pick which ones you want. Other options that change the way plaso runs could also be added, and this is where I would like feedback. As you can see, I also have the option to import a plaso storage file; since I have a separate module for that, it could be removed into its own module, which would give this plugin more room on the UI. I also added the option to exclude FILE information from being brought in, since you may already have the file timestamps from Autopsy. Once you run this it may run for a long time depending on how big your image is, and it may also take a while to import all the artifacts depending on how many there are.
The other plugin takes a plaso storage file, converts it to a SQLite database, and then imports it into Autopsy. You also have the option here to exclude FILE artifact types, since they may already exist in Autopsy. The screenshot below shows what the UI looks like; it is very similar to the plaso run plugin's.
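To make the two steps above concrete (run plaso with a Volume Shadow Copy setting, convert the storage file to SQLite, then read the events back while dropping FILE entries), here is an added example in Python. It is not code from the Autopsy module; it assumes the plaso command-line options I know from recent releases (`--vss_stores`, `--partitions`, `--parsers`, `--storage-file`, and `psort.py -o 4n6time_sqlite -w <db>`; older plaso versions take the storage file as a positional argument instead of `--storage-file`), and the in-memory sample table is a reduced, constructed subset of the columns in the 4n6time SQLite output (the real table has many more columns).

```python
"""Run plaso against an image, convert the storage file to SQLite, and read the
events back while dropping FILE (filesystem timestamp) entries.

Added example, not the Autopsy module's own code.  Assumptions: plaso's
log2timeline.py / psort.py accept --vss_stores, --partitions, --parsers,
--storage-file and '-o 4n6time_sqlite -w <db>'; the sample table below is a
reduced subset of the 4n6time_sqlite 'log2timeline' table.
"""
import os
import sqlite3
import subprocess
import sys
from typing import Dict, List, Optional, Sequence


def log2timeline_cmd(plaso_dir: str, image: str, storage: str,
                     vss_stores: str = "all", partitions: str = "all",
                     parsers: Optional[str] = None) -> List[str]:
    """Build the log2timeline.py command line.

    vss_stores: 'all', 'none', or a comma list such as '1,3' (plaso syntax).
    partitions: 'all' or a comma list; the module always processes all of them.
    parsers:    optional parser preset/list; None means plaso's default set.
    """
    cmd = [sys.executable, os.path.join(plaso_dir, "log2timeline.py"),
           "--vss_stores", vss_stores,
           "--partitions", partitions]
    if parsers:
        cmd += ["--parsers", parsers]
    cmd += ["--storage-file", storage, image]
    return cmd


def psort_cmd(plaso_dir: str, storage: str, sqlite_out: str) -> List[str]:
    """Build the psort.py command that writes the storage file to a 4n6time SQLite db."""
    return [sys.executable, os.path.join(plaso_dir, "psort.py"),
            "-o", "4n6time_sqlite", "-w", sqlite_out, storage]


def run_pipeline(plaso_dir: str, image: str, workdir: str) -> str:
    """Run both steps and return the SQLite path; raises on a non-zero exit."""
    storage = os.path.join(workdir, "image.plaso")
    db = os.path.join(workdir, "image.db")
    subprocess.run(log2timeline_cmd(plaso_dir, image, storage), check=True)
    subprocess.run(psort_cmd(plaso_dir, storage, db), check=True)
    return db


def load_events(conn: sqlite3.Connection,
                exclude_file: bool = True) -> List[Dict[str, str]]:
    """Read events from the 4n6time 'log2timeline' table.

    With exclude_file=True, rows whose source is 'FILE' (the MACB timestamps
    plaso reconstructs from the file system) are skipped, because Autopsy
    already has those from its own ingest.
    """
    sql = "SELECT datetime, source, sourcetype, description FROM log2timeline"
    params: Sequence[str] = ()
    if exclude_file:
        sql += " WHERE source != ?"
        params = ("FILE",)
    sql += " ORDER BY datetime"
    cols = ("datetime", "source", "sourcetype", "description")
    return [dict(zip(cols, row)) for row in conn.execute(sql, params)]


# Constructed sample rows (not real case data) in the shape of the 4n6time table.
SAMPLE_ROWS = [
    ("2019-05-01 10:00:00", "FILE", "NTFS $MFT", "/Users/bob/notes.txt (MACB)"),
    ("2019-05-01 10:05:12", "EVT", "WinEVTX", "Event ID 4624 logon for bob"),
    ("2019-05-01 10:06:40", "REG", "Registry Key",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("2019-05-01 10:07:03", "FILE", "NTFS $MFT", "/Windows/Temp/x.exe (..C.)"),
    ("2019-05-01 10:07:05", "WEBHIST", "Chrome History", "http://example.com/"),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a psort 4n6time_sqlite output (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log2timeline (datetime TEXT, source TEXT, "
                 "sourcetype TEXT, description TEXT)")
    conn.executemany("INSERT INTO log2timeline VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    # usage: script.py <plaso_dir> <image> <workdir>; with no args, use the sample db
    if len(sys.argv) == 4:
        conn = sqlite3.connect(run_pipeline(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        conn = build_sample_db()
    for ev in load_events(conn):
        print(ev["datetime"], ev["source"], ev["sourcetype"], ev["description"])
```

Run with no arguments it prints the three non-FILE sample events; with a plaso directory, image path and working directory it runs the real pipeline. Filtering on `source = 'FILE'` is done in SQL rather than in Python so that the exclusion is cheap even when the storage file holds millions of events.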
One of the things I did while testing this module was to create a small empty VHD file, about 100 MB, and create a case with that image. I then imported a plaso storage file and was able to look at it. The next step will be to get this imported into the Timeline part of Autopsy.
What I would like to see is feedback on the UI: whether you want more options to pick in the UI for a plaso run, and whether I should remove the plaso import feature from the plaso run plugin, since I already have a module to do the import.
You can download the plugin here. As always feedback and comments welcome. Enjoy!