
log2timeline\plaso Advanced usage & yara rules

3 Posts
3 Users
0 Likes
1,025 Views
(@sahar55)
Posts: 16
Active Member
Topic starter
 

Hi guys,
As many of you probably use log2timeline as a supertimeline creation tool, I thought maybe you could share a bit of insight regarding more advanced usage of log2timeline, including more targeted executions.

How do you (if at all) use l2t with your yara rules?

I currently use log2timeline in its most basic usage and I'd like to learn if there are more advanced and targeted ways to create the timeline, in addition to reducing time consumption.

 
Posted : 31/07/2017 9:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I don't use plaso or l2t…I prefer a more surgical approach than the way most use this excellent tool. I have used the verified results of Yara rules as pivot points into and out of timelines, adding context and clarity to the analysis.

 
Posted : 31/07/2017 11:55 pm
(@chrism)
Posts: 97
Trusted Member
 

I think it's a very good tool. Saves hours of time. I would usually not run "the kitchen sink" and rather use plaso's filters to target logs in specific files only. https://github.com/log2timeline/plaso/wiki/Collection-Filters.

For example, a good plaso filter is:

/(Users|Documents And Settings)/.+/NTUSER.DAT
/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/UsrClass.dat
/Windows/System32/config/.+
/Windows/System32/config/RegBack/.+
/Windows/AppCompat/Programs/Amcache.hve

 
Posted : 04/08/2017 8:54 pm
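To show what the filter above actually selects, here is an added example (not plaso's own code and not from the poster) that applies the quoted filter lines to a constructed list of paths. It assumes, as I understand dfvfs's location-regex handling, that each line is split on "/" and every segment is matched as an anchored regex against one path segment, case-sensitively; this is why the RegBack line is needed, since ".+" covers a single directory level only.

```python
import re

# Filter lines quoted in the post above (one regex per line, "/" separated).
FILTER_TEXT = """\
/(Users|Documents And Settings)/.+/NTUSER.DAT
/(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/UsrClass.dat
/Windows/System32/config/.+
/Windows/System32/config/RegBack/.+
/Windows/AppCompat/Programs/Amcache.hve
"""

# Constructed sample paths from a hypothetical Windows image (not real evidence).
SAMPLE_PATHS = [
    "/Users/alice/NTUSER.DAT",
    "/Users/alice/Desktop/NTUSER.DAT",          # extra level: ".+" is one segment
    "/Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat",
    "/Windows/System32/config/SYSTEM",
    "/Windows/System32/config/RegBack/SYSTEM",  # only hit via the RegBack line
    "/Windows/System32/config/systemprofile/ntuser.dat",
    "/Windows/AppCompat/Programs/Amcache.hve",
    "/Windows/System32/winevt/Logs/Security.evtx",  # not in the filter at all
]


def compile_filter(text):
    """Turn each non-empty, non-comment filter line into a list of
    per-segment regexes anchored with ^ and $ (assumption: mirrors dfvfs)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        segments = [s for s in line.split("/") if s]
        rules.append([re.compile("^" + s + "$") for s in segments])
    return rules


def matches(path, rules):
    """True if some rule has the same depth as the path and every
    segment regex fully matches the corresponding path segment."""
    parts = [p for p in path.split("/") if p]
    return any(
        len(rule) == len(parts) and all(r.match(p) for r, p in zip(rule, parts))
        for rule in rules
    )


def select_paths(paths, filter_text=FILTER_TEXT):
    """Return the subset of paths the collection filter would hand to plaso."""
    rules = compile_filter(filter_text)
    return [p for p in paths if matches(p, rules)]


if __name__ == "__main__":
    for p in select_paths(SAMPLE_PATHS):
        print(p)
```

A regex containing a literal "/" inside a group cannot be split this way; the filter lines above avoid that, and each segment's regex is compiled on its own.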