Plaso (Plaso Langar Að Safna Öllu) is the Python backend engine that powers `log2timeline.py`. It is a [[Computer forensics]] tool.
The purpose of Plaso is to extract every timestamped event of interest from a computer system (file system metadata, logs, registry keys, browser history and so on) and aggregate them in a single place for computer forensic analysis.
Say you have acquired a disk image (an `E01` or a raw `dd` image, for example) and want to create a timeline of events drawn from many different sources at once. You could run:
```
log2timeline.py --storage-file timeline.plaso image.dd
```
(Older Plaso releases took the storage file as the first positional argument instead: `log2timeline.py timeline.plaso image.dd`.)
The command can take hours on a large image, since Plaso walks the whole file system and runs every enabled parser over it. When `timeline.plaso` is ready, you can analyze it and collaborate with [[Timesketch]], which imports the `.plaso` storage file directly. To load the events into a [[Log management]] system, or into Eric Zimmerman's Timeline Explorer, first export them to CSV with `psort.py`, for example `psort.py -o l2tcsv -w timeline.csv timeline.plaso`.
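Once the timeline is in CSV form, the first questions are usually "which artifact types contributed events?", "what happened around time T?" and "which events mention this file?". The following Python is an added example, not code from the Plaso project: it parses the 17-column `l2tcsv` layout that `psort.py -o l2tcsv` writes (assuming psort's default UTC output; the `timezone` column is checked), counts events per Plaso source, slices a time window and pivots on a keyword. The rows in `SAMPLE_L2TCSV` are constructed for the example and are not real psort output.

```python
"""Summarise a Plaso timeline that psort.py exported as l2tcsv.

Added example, not code from the Plaso project. It assumes the 17-column
l2tcsv layout that `psort.py -o l2tcsv` writes and that psort was run with
its default UTC output (the `timezone` column is checked). The rows in
SAMPLE_L2TCSV are constructed for this example, not real psort output.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a download, its Prefetch execution record, the
# matching Security event, and an unrelated file created two hours later.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/14/2023,09:12:41,UTC,...B,FILE,NTFS Creation time,Creation Time,-,WKSTN01,/Users/bob/Downloads/invoice.exe,NTFS:/Users/bob/Downloads/invoice.exe,2,/Users/bob/Downloads/invoice.exe,1234,-,filestat,-
03/14/2023,09:12:58,UTC,M...,LOG,WinPrefetch,Last Time Executed,-,WKSTN01,Prefetch [INVOICE.EXE] was executed,Prefetch [INVOICE.EXE] was executed - run count 1,2,/Windows/Prefetch/INVOICE.EXE-1A2B3C4D.pf,2001,-,prefetch,-
03/14/2023,09:13:05,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WKSTN01,[4688] Microsoft-Windows-Security-Auditing,[4688] Microsoft-Windows-Security-Auditing Strings: ['bob' 'WKSTN01' 'invoice.exe'],2,/Windows/System32/winevt/Logs/Security.evtx,3002,-,winevtx,-
03/14/2023,11:40:00,UTC,MACB,FILE,NTFS Creation time,Creation Time,-,WKSTN01,/Windows/Temp/report.txt,NTFS:/Windows/Temp/report.txt,2,/Windows/Temp/report.txt,1240,-,filestat,-
"""


def parse_l2tcsv(text):
    """Parse l2tcsv rows into dicts, adding a timezone-aware `ts` datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            # psort -z can emit other zones; refuse rather than mis-order events.
            raise ValueError(f"unexpected timezone column: {row['timezone']}")
        row["ts"] = datetime.strptime(
            f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        events.append(row)
    # psort already sorts, but concatenated exports from several hosts may not be.
    events.sort(key=lambda e: e["ts"])
    return events


def count_by_source(events):
    """How many events each Plaso source (FILE, LOG, EVT, REG, WEBHIST, ...) contributed."""
    return Counter(e["source"] for e in events)


def events_between(events, start, end):
    """Events with start <= ts < end: the usual slice around a known-bad time."""
    return [e for e in events if start <= e["ts"] < end]


def pivot(events, keyword):
    """Events whose description or filename mentions keyword (case-insensitive)."""
    k = keyword.lower()
    return [e for e in events
            if k in e["desc"].lower() or k in e["filename"].lower()]


def format_event(e):
    """One-line rendering in the spirit of psort's dynamic output."""
    return f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['MACB']} {e['source']:<7} {e['short']}"


if __name__ == "__main__":
    evts = parse_l2tcsv(SAMPLE_L2TCSV)
    print(count_by_source(evts))
    for e in pivot(evts, "invoice"):
        print(format_event(e))
```

On a real export the same three calls scale to millions of rows; the `source` counts are a quick sanity check that the parsers you expected (Prefetch, EVTX, registry) actually produced events before you start pivoting.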
Endpoint agents used by a [[Computer Security Incident Response Team|CSIRT]], whether [[Endpoint detection and response]] products such as [[Carbon Black]] and FireEye or remote live-forensics frameworks such as GRR and MIG, can collect much of the same data, but their coverage is not always complete or reliable, and they may not be deployed at all on the host you are investigating. If you run a CSIRT for multiple companies that outsource their [[Incident response]], a fully instrumented environment cannot be expected, and dead-disk analysis with Plaso works regardless. That outsourced model is a common one and is described in the [[NIST Cybersecurity Framework]].
Watch [Getting Started with Plaso and Log2Timeline](https://www.youtube.com/watch?v=sAvyRwOmE10).
Read [Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab](https://dfir.blog/solving-magnet-forensics-ctf-with-plaso-timesketch-colab/).
## Super Timelines
A super timeline (what `log2timeline.py` builds by default) includes, alongside file system timestamps, events parsed from Windows Event Logs, [[Prefetch]] files, Shellbags, LNK (link) files, the registry, browser history and numerous other forensic artifacts, each contributing its own timestamps to the same sorted sequence.
## File System Timelines
File system timelines can be created much more quickly but contain only file metadata timestamps (MACB: modified, accessed, changed and born/created), a small subset of the data in a super timeline.
`fls` from [[The Sleuth Kit]] (usually piped into `mactime`) and MFTECmd, which parses the NTFS `$MFT` directly, are the primary tools in this regard.
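To make the difference between the two timeline types concrete, here is a minimal `mactime` in Python, as an added example that is not code from The Sleuth Kit. It assumes the TSK 3.x bodyfile layout that `fls -r -m / image.dd > body.txt` produces (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds, with 0 meaning the timestamp is absent) and turns each file into one event per distinct timestamp, flagged with the same MACB notation psort uses. `SAMPLE_BODYFILE` is constructed for the example, not output from a real image; real `fls` output on NTFS also carries `($FILE_NAME)` lines, which this parser treats as ordinary entries.

```python
"""A minimal mactime: turn a Sleuth Kit bodyfile into a MACB timeline.

Added example, not code from The Sleuth Kit. It assumes the TSK 3.x bodyfile
layout that `fls -r -m / image.dd` writes
(MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds,
0 meaning "no such timestamp"). SAMPLE_BODYFILE is constructed for this
example, not output from a real image.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: a system binary read at 08:36, a download and the
# Prefetch file it produced, and an index entry with no usable timestamps.
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|12345-128-1|r/rrwxrwxrwx|0|0|289792|1678783000|1620000000|1620000000|1620000000
0|/Users/bob/Downloads/invoice.exe|67890-128-3|r/rrwxrwxrwx|0|0|51200|1678785161|1678785161|1678785161|1678785161
0|/Windows/Prefetch/INVOICE.EXE-1A2B3C4D.pf|67891-128-3|r/rrwxrwxrwx|0|0|8192|1678785178|1678785178|1678785178|1678785170
0|/Windows/Temp/$I30|67892-144-4|r/rrwxrwxrwx|0|0|0|0|0|0|0
"""


@dataclass(frozen=True)
class TimelineEvent:
    ts: datetime
    macb: str   # e.g. "M.CB": which of mtime/atime/ctime/crtime equal ts
    size: int
    name: str
    inode: str


def parse_bodyfile(text):
    """Yield (name, inode, size, {M: mtime, A: atime, C: ctime, B: crtime}) per line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"not an 11-field bodyfile line: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        times = {"M": int(mtime), "A": int(atime), "C": int(ctime), "B": int(crtime)}
        yield name, inode, int(size), times


def build_timeline(entries):
    """One event per distinct non-zero timestamp per file, MACB-flagged, sorted by time."""
    events = []
    for name, inode, size, times in entries:
        for t in sorted({v for v in times.values() if v != 0}):  # 0 = absent
            flags = "".join(ch if times[ch] == t else "." for ch in "MACB")
            events.append(TimelineEvent(
                datetime.fromtimestamp(t, tz=timezone.utc), flags, size, name, inode))
    events.sort(key=lambda e: (e.ts, e.name))
    return events


def render(events):
    """Text lines in the style of `mactime` output."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S} {e.macb} {e.size:>8} {e.inode:<12} {e.name}"
            for e in events]


if __name__ == "__main__":
    for line in render(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

The real pipeline is `fls -r -m / image.dd > body.txt` followed by `mactime -b body.txt -d -z UTC > fs_timeline.csv`. Note what this timeline cannot tell you: that `invoice.exe` was executed is only visible through the Prefetch file's existence and timestamps, whereas a super timeline would also carry the parsed Prefetch run count and the 4688 process-creation event. Plaso can ingest a bodyfile with its `mactime` parser, so a file system timeline built this way can later be merged into a super timeline.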