Acknowledgements: plaso
Copyright (C) 2012, Log2Timeline maintainers <log2timeline-maintainers@googlegroups.com>
Please see the AUTHORS file for details on individual authors.
Plaso is a Python rewrite of the log2timeline Perl version.
Plaso is currently developed and maintained by:
* Daniel White
* Joachim Metz
Plaso depends on various other projects. So thanks to the authors
and others involved with these projects:
* Python and modules
* libyaml
* the SleuthKit
* pytsk
* Hachoir (not included in binary release)
Thanks to contributors (alphabetically based on last name):
* Brian Baskin
  * Parsers
    * BEncode
    * Java IDX parser
* Christian Buia
  * SCCM
* Johan Berggren
  * SQLite plugins
    * Zeitgeist activity database
* Petter Bjelland
  * Parsers
    * Firefox Cache
* Ashley Holtz
  * Parsers
    * IIS
    * Adobe ColdFusion
* Eric John
  * Parsers
    * Chrome Preferences
* Dominique Kilman
  * Parsers
    * PCAP
* Marc Leavitt
  * Parsers
    * PL-SQL recall (PLSRecall.dat)
* Eric Mak
* Preston Miller
  * Windows Registry Plugins
    * SAM Users
    * Shutdown
    * USB
* Joaquin Moreno Garijo
  * Parsers
    * ASL
    * BSM
    * Cups IPP
    * Mac AppFirewall
    * Mac KeyChain
    * Mac Securityd
    * mac_wifi.log
    * utmp
    * utmpx
  * SQLite plugins
    * Skype
  * Plist plugins
    * Airport
    * Apple Account
    * Install History
    * Mac User
    * Software Update
    * Spotlight
    * TimeMachine
* David Nides (@davnads)
  * Output modules
    * 4n6time SQLite, with thanks to Eric Wong for assistance
    * 4n6time MySQL
  * Parsers
    * Hachoir (meta data)
    * OLECF
    * OXML
    * Symantec AV Log
  * timelib StringToDatetime function
  * SQLite plugins
    * Google Drive
  * Windows Registry plugins
    * Office MRU
    * Outlook
    * Terminal Server Client (RDP)
    * Typed Paths
    * Typed URLs
    * USBStor
    * Win7 UserAssist
    * WinRar
* Atte Niemi
  * Parsers
    * Windows User Access Logging (UAL)
    * TeamViewer
* Patrik Nisen
  * For providing input for parsing the DestList stream for the automatic
    destinations OLECF plugin
* Francesco Picasso
  * Parsers
    * PopContest
    * SELinux
    * SkyDriveLog
    * SkyDriveLogErr
    * XChatLog
    * XChatScrollBack
* Jordi Sanchez
  * For providing:
    * binplist
    * object filter
* Elizabeth Schweinsberg
  * Parsers
    * McAfee AV Access Protection Log
  * Windows Registry plugins
    * MSIE zones
* Marc Séguin
  * Windows Registry plugins
    * CCleaner
* Keith Wall
  * SQLite plugins
    * Android calls database
    * Android sms database
  * updates to the timezone transformation
Test data:
* the contents of the *.exe and *.exe.mui files on bdetogo.raw have been
  filled with 0-byte values.
Copied with permission from [the GRR project](https://github.com/google/grr).
* History
* index.dat
* places.sqlite
Copied with permission granted by Jerome Marty.
* WUAUCLT.EXE-830BCC14.pf
Copied with permission granted by Antoine Brodin.
* PartitionsEx-WebCacheV01.dat
* win10-Amcache.hve
Copied with permission granted by Rob Lee.
Copyright SANS Institute - Digital Forensics and Incident Response.
* 1b4dd67f29cb1962.automaticDestinations-ms
* 5afe4de1b92fc382.customDestinations-ms
* Catalog1.edb
* example.lnk
* MFT
* nfury_index.dat
* nromanoff@stark-research-labs.com.pst
* Ntuser.dat (multiple instances)
* Outlook.NK2
* SysEvent.Evt
* System.evtx
* Windows.edb
Copied with permission granted by Ange Albertini.
* test_driver.sys
Copied with permission from [the Greendale data set](https://github.com/dfirlabs/greendale-specimens).
* agdb/student-pc1/AgGlGlobalHistory.db
* mdmp/student-pc1/WER1090.tmp.mdmp
Generated with the [Windows PE/COFF resource file specimens project](https://github.com/dfirlabs/wrc-specimens).
* wrc-test-wevt_template.dll