Plaso Import Module Questions

fancy_flare · March 2, 2021, 12:46pm

Hi All,

I have done some searching and I am not 100% clear on a few things with the plaso import module.
I have created a plaso storage file (well several) and have my disk image in Autospy and ran a few ingest modules. Ive also imported the plaso file using the Plaso Import module, pointing the directory for psort to the Autopsy internal directory and found my plaso file. All seems to run well, no issues and ingest says completed. My questions are:

I have read that only ‘some’ of the data will go into the Timeline, is there a way to know what data that is?
What exactly happens when the plaso import module is run. The plaso storage file is converted to an sqlite db and then where is it presented in the UI, if at all?

I have tried to review the module code, but im not a great coder and it wasnt obvious to me, hopefully my question makes sense!

Mark_McKinnon · March 2, 2021, 2:10pm

Hi Shanna,

When you run the Plaso Import module against a Plaso storage engine file it does the following:
1. Runs psort.exe against the storage file to create a SQLite database.
2. The SQLite database is then brought into Autopsy and artifacts are created based on the source of the time-based artifact that is in the SQLite database. The only exception may be if you select not to import the time-based artifacts based on MACB time.
3. At this point there would be nothing that would be brought into the Timeline feature as the artifacts do not match up with the artifacts that have been determined to be in the timeline.

Once the plugin has completed then you should see the artifacts that were created in the tree with a name of "Plaso Source ".

I would have to look further and run a sample of plaso again to see what is generated and what timeline artifacts could be generated. When I created the plugin it was around Autopsy 4.3 which had a different version of the timeline then it does now, maybe the code should be revisited. What version of Plaso are you running against your data source to created your storage file?

Hope this helps.

Mark

fancy_flare · March 2, 2021, 9:51pm

Thanks Mark!
OK, something definitely wrong then as i have no Plaso tree, something for me to look into! Explains why im confused about where the data is

Topic		Replies	Views
Add entries to the Autopsy Timeline from a plugin Autopsy Development	5	1404	June 29, 2020
Plaso module- Updating and filtering Autopsy Help	1	656	March 30, 2021
data source ingest module Autopsy Development	1	703	October 22, 2021
How to run a downloaded Data Source Ingest Module in Autopsy? Autopsy Help	2	803	October 8, 2021
Development - plugins Autopsy Development	4	1190	August 2, 2020

Plaso Import Module Questions

Related Topics