Notifications

Clear all

log2timeline\plaso Advanced usage & yara rules

General (Technical, Procedural, Software, Hardware etc.)

Last Post by chrism 8 years ago

3 Posts

3 Users

0 Reactions

1,566 Views

RSS

Sahar55

(@sahar55)

Active Member

Joined: 9 years ago

Posts: 16

Topic starter 31/07/2017 10:35 pm

Hi guys,
as many of you probably use log2timeline for Supertimeline creation tool, i thought mabye you guys could share a bit of insight regarding a more advanced usage of log2timeline including more targeted executions.

how do you guys (if at all) use l2t with your yara rules.

I currently use log2timeline in it's most basic usage and i'd like to learn if there are more advanced and targeted ways ways to create the timeline in addition to reducing time consumption.

Quote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

01/08/2017 12:55 am

I don't use plaso or l2t…I prefer a more surgical approach than the way most use this excellent tool. I have used the verified results of Yara rules as pivot points into and out of timelines, adding context and clarity to the analysis.

ReplyQuote

chrism

(@chrism)

Trusted Member

Joined: 16 years ago

Posts: 97

04/08/2017 9:54 pm

I think it's a very good tool. Saves hours of time. I would usually not run "the kitchen sink" and rather use plaso's filters to target logs in specific files only. https://github.com/log2timeline/plaso/wiki/Collection-Filters.

For example a good plaso filter is

/(Users|Documents And Settings)/.+/NTUSER.DAT /(Users|Documents And Settings)/.+/AppData/Local/Microsoft/Windows/UsrClass.dat /Windows/System32/config/.+ /Windows/System32/config/RegBack/.+ /Windows/AppCompat/Programs/Amcache.hve

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
211 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed