performing-timeline-reconstruction-with-plaso

# Performing Timeline Reconstruction with Plaso ## When to Use - When building a comprehensive forensic timeline from multiple evidence sources - For correlating events across file system metadata, event logs, browser history, and registry - During complex investigations requiring chronological reconstruction of activities - When standard log analysis is insufficient to establish the sequence of events - For presenting investigation findings in a visual, chronological format ## Prerequisites - Plaso (log2timeline/psort) installed on forensic workstation - Forensic disk image(s) in raw (dd), E01, or VMDK format - Sufficient storage for Plaso output (can be 10x+ the image size) - Minimum 8GB RAM (16GB+ recommended for large images) - Timeline Explorer (Eric Zimmerman) or Timesketch for visualization - Understanding of timestamp types (MACB: Modified, Accessed, Changed, Born) ## Workflow ### Step 1: Install Plaso and Prepare the Environment ```bash # Install Plaso on Ubuntu/Debian sudo add-apt-repository ppa:gift/stable sudo apt-get update sudo apt-get install plaso-tools # Or install via pip pip install plaso # Or use Docker (recommended for dependency isolation) docker pull log2timeline/plaso # Verify installation log2timeline.py --version psort.py --version # Create output directory mkdir -p /cases/case-2024-001/timeline/ # Verify the forensic image img_stat /cases/case-2024-001/images/evidence.dd ``` ### Step 2: Generate the Plaso Storage File with log2timeline `...