File: Using-pinfo.md

plaso 20190131-1
# Using pinfo.py

**pinfo** is a command line tool to provide information about the contents of a plaso storage file. 

The plaso storage file contains information about:

 + When and how the tool was run
 + Information gathered during the pre-processing stage
 + Metadata about each storage container or store
 + What parsers were used during the extraction phase, and the parameters used
 + How many extracted events are in the storage file, and the count per parser
 + If there are tagged events, what tag file was used, what tags have been applied and the count for each one
 + If analysis plugins have been run, an overview of which have been run and the content of the report

## Usage

Usage of **pinfo** is very simple; for the full list of parameters use the ``-h`` or ``--help`` switch.

The simplest way to run the tool is to run it without any parameters:

```
$ pinfo.py test.plaso

--------------------------------------------------------------------------------
                Plaso Storage Information
--------------------------------------------------------------------------------
Storage file:           test.plaso
Serialization format:   json
Source processed:       N/A
Time of processing:     2015-07-16T20:39:40+00:00

Collection information:
        parser_selection = winxp
        recursive = False
        preferred_encoding = UTF-8
        os_detected = Windows
        workers = 0
        output_file = test.plaso
        method = imaged processed
        preprocess = True
        version = 1.3.0
        cmd_line = /usr/bin/log2timeline.py test.plaso test.dd
        debug = False
        runtime = multi process mode
        parsers = bencode, binary_cookies, chrome_cache, chrome_preferences, esedb, filestat, firefox_cache, java_idx, lnk, mcafee_protection, msiecf, olecf, openxml, opera_global, opera_typed_history, pe, plist, prefetch, recycle_bin_info2, skydrive_log, skydrive_log_error, sqlite, symantec_scanlog, winevt, winfirewall, winjob, winreg
        configured_zone = CST6CDT
        protobuf_size = 0

Parser counter information:
        Counter: total = 149925
        Counter: winreg/winreg_default = 87885
        Counter: filestat = 28894
        Counter: pe = 26161
        Counter: msiecf = 3156
        Counter: lnk/shell_items = 1361
        Counter: winreg/windows_services = 831
        Counter: lnk = 483
        Counter: winevt = 364
...
```

This prints the basic information the storage file stores. To get more verbose output, for instance to see the information collected during the pre-processing stage or the content of analysis reports, use the verbose switch, ``-v``:

```
$ pinfo.py -v test.plaso
...
Preprocessing information:
        Operating system        : Microsoft Windows XP
        Hostname                : N-1A9ODN6ZXK4LQ
        Time zone               : CST6CDT
        %ProgramFiles%          : Program Files
        %SystemRoot%            : /WINDOWS
        %WinDir%                : /WINDOWS
    Users information:
        Name                    : systemprofile
        SID                     : S-1-5-18
        Profile path            : %systemroot%\system32\config\systemprofile
        Name                    : LocalService
        SID                     : S-1-5-19
        Profile path            : %SystemDrive%\Documents and Settings\LocalService
        Name                    : NetworkService
        SID                     : S-1-5-20
        Profile path            : %SystemDrive%\Documents and Settings\NetworkService
        Name                    : Mr. Evil
        SID                     : S-1-5-21-2000478354-688789844-1708537768-1003
        Profile path            : %SystemDrive%\Documents and Settings\Mr. Evil
    Other:
        Time zone               : CST6CDT
        Operating system        : Windows
        Registry path           : /WINDOWS/system32/config
        store_range             : (1, 1)
        Code page               : cp1252

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
```

If analysis plugins have been run, the reports are also displayed:

```
Report generated from: browser_search
Generated on: 2015-07-17T02:52:07+00:00

Report text:
 == ENGINE: GoogleSearch ==
10 who am i
10 what is my ip
```

The same applies if any tags are stored in the storage file:

```
Parser counter information:
        Counter: Total Tags = 146
        Counter: Application Execution = 144
        Counter: Document Printed = 2
```

There is also an option to compare two storage files. This is useful if, for instance, you run the tool against a storage media file, later re-run it, and want to quickly determine whether the two storage files differ (the comparison does not go into content, only counters).

```
$ pinfo.py --compare older_test.plaso test.plaso

collection_information.version value mismatch 1.3.0_20150716 != 1.3.0_20150713.
counter.filestat value mismatch 49090 != 28894.
counter.total value mismatch 143960 != 123764.
```

This shows the comparison between two runs of the tool against the same test dataset, before a bug was fixed and after. Two things changed: the version number increased, and there are a lot more filestat events in the newer storage file.
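As an added example (not part of plaso's own code or of this page), the following Python script reproduces the counter-only comparison that ``--compare`` performs by parsing the ``Collection information`` and ``Parser counter information`` sections of two saved pinfo outputs. The two excerpts are constructed sample data, and, going one step beyond ``--compare``, a counter that appears in only one file (for example a parser that was newly enabled) is reported as missing rather than silently ignored.

```python
import re

# Constructed excerpts of pinfo.py output for two runs against the same image (sample data, not real output).
OLDER = """\
Collection information:
        version = 1.3.0_20150713
Parser counter information:
        Counter: total = 123764
        Counter: filestat = 28894
"""
NEWER = """\
Collection information:
        version = 1.3.0_20150716
Parser counter information:
        Counter: total = 143960
        Counter: filestat = 49090
        Counter: pe = 26161
"""

SECTIONS = {"Collection information:": "collection_information",
            "Parser counter information:": "counter"}
COLLECTION_RE = re.compile(r"^\s+(\w+) = (.*)$")
COUNTER_RE = re.compile(r"^\s+Counter: (.+?) = (\d+)$")   # counter names may contain spaces

def parse_pinfo(text):
    """Flatten pinfo output into --compare style keys: collection_information.<key>, counter.<parser>."""
    values, section = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # an unindented line starts a new section
            section = SECTIONS.get(line)        # sections we do not model are skipped
            continue
        regex = {"collection_information": COLLECTION_RE, "counter": COUNTER_RE}.get(section)
        m = regex.match(line) if regex else None
        if m:
            value = int(m.group(2)) if section == "counter" else m.group(2)
            values[f"{section}.{m.group(1)}"] = value
    return values

def compare_pinfo(older_text, newer_text):
    """Report differing values like 'pinfo.py --compare'; a counter present in only one file is reported too."""
    older, newer = parse_pinfo(older_text), parse_pinfo(newer_text)
    report = []
    for key in sorted(set(older) | set(newer)):
        if key not in older or key not in newer:
            report.append(f"{key} missing in {'first' if key not in older else 'second'} file.")
        elif older[key] != newer[key]:
            report.append(f"{key} value mismatch {older[key]} != {newer[key]}.")
    return report
```

Run it on the text saved from ``pinfo.py older.plaso > older.txt`` and ``pinfo.py newer.plaso > newer.txt`` to get the same style of mismatch lines without re-opening the storage files.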