
@jfstenuit
Last active October 27, 2020 08:48
Plaso forensics on Debian Buster

The need

You need to extract a timeline from the NTFS $MFT and $UsnJrnl of a disk image on a standard Linux workstation.

The issue

Either the tools are outdated (analyzeMFT, log2timeline.pl, ...), or the up-to-date tools are not compatible with the Python libraries installed by default on Debian.

The solution

Enable the sid (unstable) repository in the APT configuration

The following steps enable two different Debian distributions at once on your system. By default, all installations will use the stable (buster) release, but when explicitly told to do so, the unstable (sid) repository can be used.

Delete /etc/apt/sources.list

Create /etc/apt/preferences.d/unstable.pref

Package: *
Pin: release a=unstable
Pin-Priority: 50

Create /etc/apt/preferences.d/stable.pref

Package: *
Pin: release a=stable
Pin-Priority: 900

Create /etc/apt/sources.list.d/stable.list

deb http://ftp.be.debian.org/debian/ buster main contrib non-free
deb-src http://ftp.be.debian.org/debian/ buster main contrib non-free

deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib non-free

# buster-updates, previously known as 'volatile'
deb http://ftp.be.debian.org/debian/ buster-updates main
deb-src http://ftp.be.debian.org/debian/ buster-updates main

(i.e. copy the contents of your former /etc/apt/sources.list into that file)

Create /etc/apt/sources.list.d/unstable.list

deb http://ftp.be.debian.org/debian/ sid main contrib non-free

Update APT indices

apt-get update

Install most up-to-date Plaso tools

apt-get install python3-plaso/unstable python3-pyparsing/unstable python3-elasticsearch/unstable

Install missing Plaso components

The python3-plaso package does not ship the data directory Plaso needs (presets.yaml). Fetch it from the Plaso source repository:

mkdir /usr/share/plaso
wget -O /usr/share/plaso/presets.yaml https://raw.githubusercontent.com/log2timeline/plaso/master/data/presets.yaml

Extract your timeline

Create a filter file so that only $MFT and $UsnJrnl are parsed by the tools. Name it l2t-filter.raw

/[\$]MFT
/[\$]Extend/\$UsnJrnl

You can now gather the evidence. Unfortunately, Plaso still requires some libraries that are not available on Debian (even in unstable). The workaround is to skip the dependency check, as those libraries are not needed for an MFT/UsnJrnl timeline.

log2timeline.py --no-dependencies-check --status_view window --no_vss --data /usr/share/plaso -f l2t-filter.raw --parsers "mft,usnjrnl" mft.plaso ${IMG}
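Once mft.plaso exists, the next step is to export and check it. The following is an added example, not part of the gist: it assumes the storage file was exported with `psort.py -o l2tcsv -w timeline.csv mft.plaso`, and that the mft parser's message contains "File reference: ..." and "Attribute name: ..." as in current Plaso (verify against your own output). It reads the l2tcsv rows and flags MFT entries whose $STANDARD_INFORMATION creation time predates the $FILE_NAME one, which is the main reason to keep both attributes in the timeline. The sample rows are constructed.

```python
import csv
import io
import re
from datetime import datetime

# Constructed l2tcsv rows in the 17-column layout psort.py emits with -o l2tcsv.
# Not real evidence: evil.dll has a $STANDARD_INFORMATION creation time earlier
# than its $FILE_NAME creation time; notepad.exe has consistent timestamps.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/15/2019,09:12:30,UTC,...B,FILE,NTFS $MFT metadata file,Creation Time,-,-,-,/Windows/System32/evil.dll File reference: 4120-2 Attribute name: $STANDARD_INFORMATION Name: evil.dll Parent file reference: 51-1,2,/$MFT,-,-,mft,-
10/27/2020,14:02:11,UTC,...B,FILE,NTFS $MFT metadata file,Creation Time,-,-,-,/Windows/System32/evil.dll File reference: 4120-2 Attribute name: $FILE_NAME Name: evil.dll Parent file reference: 51-1,2,/$MFT,-,-,mft,-
06/01/2019,08:00:00,UTC,...B,FILE,NTFS $MFT metadata file,Creation Time,-,-,-,/Windows/System32/notepad.exe File reference: 3981-1 Attribute name: $STANDARD_INFORMATION Name: notepad.exe Parent file reference: 51-1,2,/$MFT,-,-,mft,-
06/01/2019,08:00:00,UTC,...B,FILE,NTFS $MFT metadata file,Creation Time,-,-,-,/Windows/System32/notepad.exe File reference: 3981-1 Attribute name: $FILE_NAME Name: notepad.exe Parent file reference: 51-1,2,/$MFT,-,-,mft,-
"""

FILE_REF_RE = re.compile(r"File reference: (\S+)")
ATTR_RE = re.compile(r"Attribute name: (\$\w+)")


def parse_timestamp(row):
    """l2tcsv gives MM/DD/YYYY and HH:MM:SS, so comparisons are second-granular."""
    return datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")


def find_backdated_entries(l2tcsv_text):
    """Return [(path, si_creation, fn_creation)] for MFT entries whose
    $STANDARD_INFORMATION creation time precedes the $FILE_NAME one.
    $SI is writable from user mode, $FN only by the kernel, so this is a
    timestomping lead. A lead, not proof: $FN is refreshed on rename/move.
    """
    creation = {}  # (file_reference, attribute_name) -> datetime
    paths = {}     # file_reference -> path hint at the start of the message
    for row in csv.DictReader(io.StringIO(l2tcsv_text)):
        if "mft" not in row["format"] or row["type"] != "Creation Time":
            continue
        ref, attr = FILE_REF_RE.search(row["desc"]), ATTR_RE.search(row["desc"])
        if not ref or not attr:
            continue
        creation[(ref.group(1), attr.group(1))] = parse_timestamp(row)
        paths[ref.group(1)] = row["desc"].split(" File reference:")[0]
    findings = []
    for (ref, attr), si_time in creation.items():
        fn_time = creation.get((ref, "$FILE_NAME"))
        if attr == "$STANDARD_INFORMATION" and fn_time and si_time < fn_time:
            findings.append((paths[ref], si_time, fn_time))
    return findings
```

Run it against a real export by reading timeline.csv into `find_backdated_entries`; every hit still needs the $UsnJrnl rename/move history checked before it is called timestomping.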