Autopsy User Documentation  4.18.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Plaso

Table of Contents

Plaso is a framework for running modules to extract timestamps for various types of files. The Plaso ingest module runs Plaso to generate events that are displayed in the Autopsy Timeline. For more information on Plaso, see the documentation.

Running the Module

The Plaso ingest module runs dozens of individual parsers and can take a long time to run. In testing, the slowest parsers by far were winreg, pe, and chrome_cache. chrome_cache is always disabled as it duplicates events created by the Recent Activity Module. You can choose to enable the winreg and pe modules on the ingest module configuration panel.

plaso_config.png

Plaso will only run on disk image data sources.

Viewing Results

The Plaso events will be shown in the Timeline Timeline. Note that events created by Plaso are not displayed in the Tree Viewer.

plaso_timeline.png

Copyright © 2012-2021 Basis Technology. Generated on Thu Jul 8 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.