Ok, I have read through the documentation for Plaso, both in the Autopsy docs and Plaso's own. I have a few questions.
First, I am assuming that the Plaso module is parsing through Windows event logs, as I don't see anything that says Autopsy wouldn't be running that parser in the module. Am I correct in that assumption?
And is there a way in the timeline to filter for events only from evtx logs and vice versa?
Basically, I'm having trouble figuring out specifically where the events in the timeline are being pulled from.