As a continuation of the “Introduction to Windows Forensics” series by Richard Davis, this video introduces Plaso and Log2Timeline. Log2Timeline is designed to extract forensic data from a computer system and aggregate it for analysis, and Plaso is the Python-based backend engine that powers the tool.
You’ll take a look at the major changes in Plaso Heimdall (20170930) and see the minor changes incorporated in version 20171118. Then you’ll jump over to a Linux system and create a timeline for a Windows 10 image. Lastly, you’ll analyze the resulting Excel spreadsheet created by the tool and look at the wealth of information available to an examiner. If you’re new to forensic timelines, and/or are curious about Plaso Heimdall, you’ll quickly learn why the “super timelines” created by these tools are a critical asset to modern-day forensics.