building-super-timelines-with-plaso
Generate log2timeline and Plaso super-timelines and triage them in Timesketch.
| Field | Value |
|---|---|
| name | building-super-timelines-with-plaso |
| description | Generate log2timeline and Plaso super-timelines and triage them in Timesketch. |
| domain | cybersecurity |
| subdomain | digital-forensics |
| tags | ["digital-forensics","plaso","log2timeline","super-timeline","timesketch","dfir","timeline-analysis","incident-response"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["RS.AN-03"] |
| mitre_attack | ["T1070"] |
Authorized Use Only: Build timelines only from evidence you are authorized to analyze. Work from forensic images/copies and preserve chain of custody.
Plaso (Plaso Langar Að Safna Öllu) is the open-source engine behind log2timeline, the standard for building forensic super timelines — a single chronological, normalized view fusing hundreds of artifact types (file-system MACB times, registry, EVTX, browser history, prefetch, LNK, $UsnJrnl, syslog, and more) into one timeline. Plaso has three core CLI tools:
- log2timeline.py extracts events from a source (disk image, mount point, or directory) into a .plaso storage file using its large parser/plugin set.
- pinfo.py inspects a .plaso file (source, parsers used, event counts, warnings).
- psort.py filters, sorts, and exports events from the .plaso file.

The resulting timeline is enormous, so analysts triage it in Timesketch, a collaborative, web-based timeline analysis platform that ingests .plaso files (or CSV/JSONL) and supports filtering, tagging, starring, saved searches, and automated analyzers.
Run Plaso from the official Docker image:

```bash
docker pull log2timeline/plaso
# Run a tool, mounting your evidence/output directory
docker run -v /cases:/data log2timeline/plaso log2timeline.py --version
```
Alternatively on Ubuntu via the GIFT PPA:
```bash
sudo add-apt-repository ppa:gift/stable
sudo apt-get update && sudo apt-get install -y plaso-tools
```
| ID | Official Technique Name | Relevance to this skill |
|---|---|---|
| T1070 | Indicator Removal | Super timelines reveal indicator-removal behavior (log clearing, file deletion, timestomping) by exposing inconsistencies between MACB timestamps, the USN journal, and event logs. |
Plaso is a defensive forensics engine; the mapping reflects the anti-forensic adversary behavior super timelines are well suited to detect.
log2timeline.py writes a .plaso file from a source. --storage-file names the output; the source can be an .E01, raw image, mount point, or directory.
```bash
log2timeline.py --storage-file timeline.plaso /cases/greendale/image.E01
```
Scope parsers for speed/relevance with --parsers (presets like win7, webhist, or explicit parser names):
```bash
log2timeline.py --parsers "win7,!filestat" --storage-file timeline.plaso /cases/image.E01
```
pinfo.py reports source, parsers used, event counts, and any warnings.
```bash
pinfo.py timeline.plaso
```
psort.py selects an output module with -o, writes with -w, normalizes the timezone with --output-time-zone, and accepts an event filter expression to scope a date range.
```bash
psort.py --output-time-zone 'UTC' \
  -o l2tcsv \
  -w supertimeline.csv \
  timeline.plaso \
  "date > datetime('2026-01-01T00:00:00') AND date < datetime('2026-01-27T00:00:00')"
```
For Timesketch-friendly JSON lines, use the json_line output module:
```bash
psort.py --output-time-zone 'UTC' -o json_line -w supertimeline.jsonl timeline.plaso
```
psteal.py runs extraction and CSV export together for quick triage.
```bash
psteal.py --source /cases/greendale/image.E01 -o l2tcsv -w supertimeline.csv
```
Use the official timesketch_importer CLI to upload the .plaso (or CSV/JSONL) into a sketch. Timesketch chunks/reassembles and indexes the file.
```bash
timesketch_importer \
  --host http://127.0.0.1:5000 \
  --username admin \
  --timeline_name "greendale-host01" \
  --sketch_id 1 \
  timeline.plaso
```
In the sketch UI:

- Filter events by data_type (e.g. windows:evtx:record, fs:stat).

Look for MACB timestamps that disagree with $UsnJrnl entries (timestomping), gaps or EventLog cleared (1102) records, and deleted-then-recreated files; all of these are visible on the unified timeline.
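As an added triage example (not part of Plaso or Timesketch, and not from the skill's author), the script below reads a psort json_line export and flags the two patterns described above: fs:stat creation times that predate the $UsnJrnl FILE_CREATE record for the same file name, and Security event 1102 (log cleared). The field names used (timestamp in microseconds, timestamp_desc, data_type, filename, update_reason, event_identifier) are my assumptions about psort's json_line schema, and the sample events are constructed; check both against your own export before relying on the output.

```python
import json
from datetime import datetime, timezone

US = 1_000_000  # Plaso stores timestamps as microseconds since the Unix epoch


def to_iso(ts_us):
    return datetime.fromtimestamp(ts_us / US, tz=timezone.utc).isoformat()


def find_indicator_removal(lines, tolerance_s=2):
    """Scan psort json_line output; return (kind, detail) findings."""
    created, usn_create, findings = {}, {}, []
    for line in lines:
        ev = json.loads(line)
        dt, ts = ev.get("data_type"), ev.get("timestamp", 0)
        if dt == "fs:stat" and ev.get("timestamp_desc") == "Creation Time":
            # $UsnJrnl records carry only the file name, so key on the basename
            created[ev["filename"].rsplit("/", 1)[-1]] = (ev["filename"], ts)
        elif dt == "fs:ntfs:usn_change" and "USN_REASON_FILE_CREATE" in ev.get("update_reason", ""):
            usn_create[ev["filename"]] = ts
        elif dt == "windows:evtx:record" and ev.get("event_identifier") == 1102:
            findings.append(("log_cleared", f"Security log cleared at {to_iso(ts)}"))
    # A creation time older than the journal's own record of the file being
    # created cannot be genuine: the MACB timestamps were altered (timestomping).
    for name, (path, ts) in created.items():
        usn = usn_create.get(name)
        if usn is not None and ts < usn - tolerance_s * US:
            findings.append(("timestomp", f"{path}: creation {to_iso(ts)} predates USN create {to_iso(usn)}"))
    return findings


# Constructed sample events standing in for a real psort export (assumed field names).
SAMPLE = [
    json.dumps({"data_type": "fs:stat", "timestamp_desc": "Creation Time",
                "filename": "/Windows/Temp/svc.exe", "timestamp": 1609459200000000}),
    json.dumps({"data_type": "fs:ntfs:usn_change", "update_reason": "USN_REASON_FILE_CREATE",
                "filename": "svc.exe", "timestamp": 1768003200000000}),
    json.dumps({"data_type": "fs:stat", "timestamp_desc": "Creation Time",
                "filename": "/Windows/System32/notepad.exe", "timestamp": 1768003100000000}),
    json.dumps({"data_type": "fs:ntfs:usn_change", "update_reason": "USN_REASON_FILE_CREATE",
                "filename": "notepad.exe", "timestamp": 1768003100000000}),
    json.dumps({"data_type": "windows:evtx:record", "source_name": "Microsoft-Windows-Eventlog",
                "event_identifier": 1102, "timestamp": 1768003260000000}),
]

if __name__ == "__main__":
    for kind, detail in find_indicator_removal(SAMPLE):
        print(kind, detail)
```

Run it against the JSONL written by psort.py -o json_line; any timestomp finding is a candidate for starring and tagging in the Timesketch sketch.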
| Resource | Purpose | Link |
|---|---|---|
| Plaso (log2timeline) | Timeline engine + tools | https://github.com/log2timeline/plaso |
| Plaso documentation | Tool usage and parsers | https://plaso.readthedocs.io/ |
| Timesketch | Timeline analysis platform | https://github.com/google/timesketch |
| Timesketch docs | Deployment, importer, analyzers | https://timesketch.org/ |
| Plaso Docker image | Reproducible runtime | https://hub.docker.com/r/log2timeline/plaso |
| Command | Purpose |
|---|---|
| log2timeline.py --storage-file out.plaso <source> | Extract events |
| log2timeline.py --parsers <preset> ... | Scope parsers |
| pinfo.py out.plaso | Inspect storage file |
| psort.py -o l2tcsv -w out.csv out.plaso "<filter>" | Filter + export CSV |
| psort.py -o json_line -w out.jsonl out.plaso | Export JSONL |
| psteal.py --source <img> -o l2tcsv -w out.csv | Extract + export in one step |
| timesketch_importer --host ... <file> | Import into Timesketch |
Output: .plaso storage file produced from the source image.