The simple as pie log2timeline / plaso / psort syntax

After days of going through pages of doco, running tests on terabytes of files, I finally made it all work.


log2timeline.py myhost.plaso sourceimage.vmdk

#myhost.plaso is the plaso storage file that psort.py reads in the next step; log2timeline.py fills it with the parsed events and their metadata. sourceimage.vmdk is the forensic disk image we are analysing. Note that current plaso releases require the storage file to be given as --storage-file myhost.plaso rather than as the first positional argument.

ls -lah

#checking that myhost.plaso was created and is non-empty before handing it to psort

psort.py -w myhost.csv myhost.plaso

#psort.py sorts the events stored in myhost.plaso chronologically and writes them to myhost.csv. Without -o it uses its default output format (dynamic), which is a CSV-style layout; an optional event filter expression can be given after the storage file to restrict the timeline to a date range.
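The three commands above are the whole workflow, but run by hand they skip the checks an examiner usually wants: that the tools are installed, that the image is readable, that a hash of the image is recorded, and that the storage file actually exists before psort runs. The script below is an added example, not part of the original post or of the plaso project; it assumes log2timeline.py, psort.py and sha256sum are on PATH and that the source image is a local file. It uses the --storage-file form of log2timeline.py, which current plaso releases require.

```shell
#!/bin/sh
# Added example (not from the post or the plaso project): wraps the
# log2timeline.py -> psort.py sequence with the checks an examiner
# normally wants around it. Assumes log2timeline.py, psort.py and
# sha256sum are on PATH and that the source image is a local file.

set -u

# Fail early if any required tool is missing. Returns 0 only if all are present.
require_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done
  return 0
}

# Refuse to run if the source image is absent or unreadable.
require_readable() {
  [ -r "$1" ] || { echo "cannot read source: $1" >&2; return 1; }
  return 0
}

# Record a SHA-256 of the image so the timeline can be tied to the exact input.
image_hash() {
  sha256sum "$1" | cut -d' ' -f1
}

# Run the whole sequence: image -> .plaso storage file -> sorted CSV.
# Arguments: image storage_file csv_file [psort filter expression]
run_timeline() {
  image="$1"; storage="$2"; csv="$3"; filter="${4:-}"
  require_tools log2timeline.py psort.py sha256sum || return 1
  require_readable "$image" || return 1
  echo "source sha256: $(image_hash "$image")"

  # Step 1: parse the image into a plaso storage file (the post's first command).
  log2timeline.py --storage-file "$storage" "$image" || return 1

  # The post's "ls -lah" check, done programmatically: the storage file must
  # exist and be non-empty before psort is run on it.
  [ -s "$storage" ] || { echo "storage file not created: $storage" >&2; return 1; }

  # Step 2: sort the events and write them out (the post's psort command).
  # The optional filter narrows the timeline, e.g. (example expression)
  # "date > '2020-01-01 00:00:00' AND date < '2020-01-08 00:00:00'".
  if [ -n "$filter" ]; then
    psort.py -o dynamic -w "$csv" "$storage" "$filter" || return 1
  else
    psort.py -o dynamic -w "$csv" "$storage" || return 1
  fi
  echo "timeline written: $csv ($(wc -l < "$csv") lines)"
}

# Usage: sh timeline.sh sourceimage.vmdk myhost.plaso myhost.csv ["<filter>"]
# The sequence only runs when invoked with arguments, so the functions above
# can be sourced and reused on their own.
if [ $# -ge 3 ]; then
  run_timeline "$@"
fi
```

The image hash is printed before parsing starts so it lands in the console log alongside the plaso output; keeping that log with the CSV is what lets someone else later confirm which image the timeline came from.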
