Plaso Filtering: Cheat Sheet 1.03
DFIR.SANS.ORG

Timelines are crucial to DFIR analysts' efforts to paint a picture of what happened on a device or in an incident. Plaso is a widely adopted tool for creating timelines. If constraints are not used to focus results, Plaso can generate overwhelming amounts of data. This cheat sheet provides filtering tips and techniques for efficiently using Plaso.

How To Use This Sheet

This document is aimed to be a reference on the filtering options available with each of the Plaso tools. Although there is some overlap in filtering options across the various tools, there are also filtering options that are unique to a specific tool. There are also filtering options that are not widely documented and are shown here. Some lists of items, such as data_types, are not shown in their entirety. Complete lists can be found at: https://github.com/mark-hallman/plaso_filters

Message and Parser Filter Examples (evidence of execution)

Message field filter:
"message contains 'cmd' or message contains 'CMD typed' or message contains 'Last run' or message contains 'RunMRU' or message contains 'MUICache' or message contains 'UserAssist key' or message contains 'Time of Launch' or message contains 'Prefetch' or message contains 'SHIMCACHE' or message contains 'Scheduled' or message contains '.pf' or message contains 'was run' or message contains 'UEME_' or message contains '[PROCESS]'"

Parser filter:
$ psort.py -z "UTC" -o l2tcsv -w execution_test.csv c-drive.plaso "parser is 'userassist' or parser is 'prefetch' or parser is 'amcache' or parser is 'windows_run'"

Data_Types

windows:registry:installation
windows:registry:key_value
windows:registry:list
windows:registry:network
windows:registry:office_mru
windows:registry:sam_users
windows:registry:service
windows:registry:shutdown
windows:registry:userassist
windows:shell_item:file_entry
windows:srum:application_usage
windows:srum:network_connectivity
windows:srum:network_usage
windows:tasks:job
windows:volume:creation

Data_types can provide a much finer level of granularity than parsers. There are many other data_types. Take a look here: https://github.com/mark-hallman/plaso_filters

Data_Type Filter Examples

$ psort.py -o l2tcsv -w userassist.csv c-drive.plaso "data_type is 'windows:registry:userassist'"
$ psort.exe -z "UTC" -o l2tcsv -w files_on_usb.csv c-drive.plaso "data_type is 'windows:lnk:link' and drive_type == 2"
$ psort.exe -z "UTC" -o l2tcsv -w chrome.csv c-drive.plaso "data_type contains 'chrome'"

** "drive_type" is an example of a "context sensitive field", meaning it is only available for certain types of events; in this case, LNK file events. Drive_type == 2 is for removable drives. More examples at: https://github.com/mark-hallman/plaso_filters

Context Sensitive Fields

LNK files – drive_serial_number, drive_type, volume_label
Prefetch – executable, mapped_drives, mapped_files, volume_serial_numbers
EVTX – event_identifier, source_name, message_string

These are just a few examples; there are many more. These context sensitive fields were found by reviewing the Plaso formatters on the Plaso GitHub page.
image_export

Files can be extracted by filter file, extension, date filter, or signature. The filter file is the same format as the file used for log2timeline.

$ image_export -f filter_windows.txt --no_vss -w export_folder_name c-drive.e01

Timestamp types: atime, ctime, crtime, bkup

$ image_export.py --vss_stores all -x "doc,docx,xls,xlsx,ppt,pptx,pdf" --date_filter "crtime, 2013-10-21, 2013-10-23" -w c-drive_docs_export c-drive.e01

log2timeline

Log2timeline filtering options: 1. File filters and 2. Parsers. These options can significantly decrease the number of events returned and the time to execute, e.g. 2.5 hours down to 2.5 minutes.

Example filter files can be found at: https://github.com/mark-hallman/plaso_filters

Get help and list all the parsers with:
$ log2timeline.py --info

Use a filter file and process no VSS's:
$ log2timeline.py -f filter_windows.txt --no_vss c-drive.plaso c-drive.E01

Use a filter file, process all VSS's (and live) and use a list of parsers:
$ log2timeline.py -f filter_windows.txt --parsers "amcache,prefetch,userassist" --vss_stores all c-drive.plaso c-drive.E01

Source does not have to be an image:
$ log2timeline.py triage.plaso /mnt/windows_mount

psort

Output formats:
$ psort.py -o list – Shows all available formats

Commonly used output formats:

l2tcsv – 17 field legacy log2timeline fixed format:
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra

dynamic – default output, 9 fields. Fields can be added to or removed from this format:
datetime, timestamp_desc, source, source_long, message, parser, display_name, tag

Dynamic output examples using --fields & --additional_fields:
$ psort.py -z "UTC" -o dynamic --additional_fields "data_type,strings,event_type" -w add_fields.csv c-drive.plaso
$ psort.py -z "UTC" -o dynamic --fields "datetime,macb,data_type,drive_serial_number,drive_type" -w winlnk.csv c-drive.plaso "data_type is 'windows:lnk:link'"

Filter on fields that are not in the output format:
$ psort.py -z "UTC" -o l2tcsv -w winlnk.csv c-drive.plaso "data_type is 'windows:lnk:link' and drive_type == 2"

Start with date as a filter. Best for larger ranges.
$ psort.py -z "UTC" -w date_filtered.csv c-drive.plaso "date > '2018-10-11 00:00:00' AND date < '2018-10-22 23:59:59'"

Time slice – Best for smaller, targeted ranges. The time slice parameter is in minutes.
$ psort.py -z "UTC" --slice '2018-10-22 10:59:59' --slice_size 1 -w sliced.csv c-drive.plaso

Slicer – Event context: the number of events surrounding each filtered event.
$ psort.py -z "UTC" --slice_size 20 --slicer -w slicer.csv c-drive.plaso "data_type is 'windows:prefetch:execution' and date > '2018-10-11 00:00:00' and date < '2018-10-22 23:59:59'"

Filtering Tips

• Parsers and file filters with log2timeline are a good practice most of the time.
• "contains" == case insensitive; "is" == case sensitive.
• No parsers == default to "win7".
• data_types are all lower case.
• All commands are shown with the .py as run from Ubuntu. The Windows version has a .exe extension.
• image_export – easy way to get files out of VSS's.
• Plaso runs very well in Windows. No VM, simple to install, and you have easy access to your other Windows tools.
• "date" used in filters is the date field in the default (dynamic) output.
• Multiple psort output files (csv) can be concatenated if you have filters that can't be expressed in a single statement.
• Log2timeline can use a dump (.plaso) file as input.
• Explore context sensitive fields – look at the GitHub references on the sheet.
• presets.py can easily be edited to create your own groupings of parsers for log2timeline. Think custom "win7".

Event Tagging

Tagging populates the "tag" field in the Plaso DB based upon rules defined in the tag file. That tag value can then be used to filter. Tags are assigned to events based upon rules defined in the tagging file. An event can be responsive to more than one tag rule or to no rule at all. Events that are responsive to more than one expression will have a tag value similar to (tag1, tag2, tag5). The tag field can be included in your output when using the dynamic output format (-o dynamic). The message, also referred to as long_desc, can't be used in a tagging file expression.

Run the tagging process with a tag file:
$ psort.exe -o null --analysis tagging --tagging-file tag_windows.txt -w c-drive.plaso

Use the tags populated in the step above to filter:
$ psort.exe -o l2tcsv -w tagged_results.csv c-drive.plaso "tag is application_execution and tag is application_install"

Example tag file: https://github.com/mark-hallman/plaso_filters
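The tip above about concatenating several psort CSV outputs, as an added example that is not from the cheat sheet or from Plaso itself: a small Python script that merges l2tcsv files produced by separate filtered runs, drops events that appear in more than one run, and sorts them by date and time. The sample rows are constructed for the example, not real psort output.

```python
import csv
import io
from datetime import datetime

# The 17 l2tcsv columns listed on the sheet.
L2TCSV_FIELDS = ("date", "time", "timezone", "MACB", "source", "sourcetype",
                 "type", "user", "host", "short", "desc", "version", "filename",
                 "inode", "notes", "format", "extra")
HEADER = ",".join(L2TCSV_FIELDS)

# Constructed sample output of two separate psort runs over the same store
# (not real psort output). Both runs hit the CMD.EXE prefetch event, so a
# plain concatenation would list it twice.
RUN_PREFETCH = "\n".join([HEADER,
    "10/21/2018,13:05:12,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WKS01,"
    "CMD.EXE,Prefetch [CMD.EXE] was executed,2,C:/Windows/Prefetch/CMD.EXE-4A81B364.pf,-,-,prefetch,-",
    "10/22/2018,09:41:03,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WKS01,"
    "NOTEPAD.EXE,Prefetch [NOTEPAD.EXE] was executed,2,C:/Windows/Prefetch/NOTEPAD.EXE-D8414F97.pf,-,-,prefetch,-"])
RUN_USERASSIST = "\n".join([HEADER,
    "10/21/2018,13:05:12,UTC,...B,LOG,WinPrefetch,Last Time Executed,-,WKS01,"
    "CMD.EXE,Prefetch [CMD.EXE] was executed,2,C:/Windows/Prefetch/CMD.EXE-4A81B364.pf,-,-,prefetch,-",
    "10/20/2018,08:00:00,UTC,M...,REG,UserAssist,Last Time Executed,admin,WKS01,"
    "cmd.exe,UserAssist entry for cmd.exe (count 3),2,NTUSER.DAT,-,-,winreg/userassist,-"])


def parse_l2tcsv(text):
    """Parse l2tcsv text into row dicts keyed by the 17 field names."""
    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames) != L2TCSV_FIELDS:
        raise ValueError("not a 17-field l2tcsv file")
    return list(reader)


def event_key(row):
    """Identity of an event for de-duplication across runs."""
    return (row["date"], row["time"], row["MACB"], row["filename"], row["desc"])


def merge_l2tcsv(*texts):
    """Concatenate several psort l2tcsv outputs, drop duplicates, sort by time."""
    seen, merged = set(), []
    for text in texts:
        for row in parse_l2tcsv(text):
            key = event_key(row)
            if key not in seen:
                seen.add(key)
                merged.append(row)
    # l2tcsv dates are MM/DD/YYYY; sort on the combined date and time.
    merged.sort(key=lambda r: datetime.strptime(
        r["date"] + " " + r["time"], "%m/%d/%Y %H:%M:%S"))
    return merged
```

Feed `merge_l2tcsv` the text of each psort output file and write the result back out with `csv.DictWriter` using `L2TCSV_FIELDS` to keep the 17-field layout.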