How to create custom filters and parser presets for log2timeline and plaso

If you’re looking to parse a Windows image quickly, and don’t necesarily need all artificats to be include (in cases where you suspect only malicious human behavior, and not actual attackers), you can create a filter to only look in the most vital locations. This will speed up the timeline creation immensely, and could give you enough information to persue your case.

An example filter for Windows could look like this:

/[$]Recycle.Bin/.+ /Users/.+/NTUSER.DAT /Users/.+/AppData/Local/Google/Chrome/.+/.+/.+ /Users/.+/AppData/Local/Google/Chrome/.+/.+/.+/.+ /Windows/System32/config/SOFTWARE /Windows/System32/config/SYSTEM /Windows/System32/config/SAM /WIndows/System32/config/SECURITY /Windows/System32/config/WinEvt/Logs/.+ /Windows/System32/WinEvt/Logs/.+ /[$]MFT /[$]Extended/.+ /Windows/AppCompat/Programs/Amcache.hve /Windows/Prefetch/.+ /Windows/System32/Tasks/.+

This will look through the registry, most recent executions and access artifacts, event logs and the filesystem actions.

log2timeline parses the files in different ways, and there’s no reason for you to try and parse your artifacts with all of the parsers for your initial triage timeline. Just stick with the most important parsers, that fits with your filter. An example would be this:

sudo nano /usr/lib/python2.7/dist-packages/plaso/parsers/

Append this to the file:

'triage': [ 'recycle_bin', 'recycler','custom_destinations', 'esedb/file_history', 'bencode', 'filestat','winreg_plugins/appcompatcache', 'winreg_plugins/bagmru','winreg_plugins/task_scheduler', 'winreg_plugins/services', 'winreg_plugins/userassist','winreg_plugins/usb', 'olecf/olecf_automatic_destinations', 'winevtx', 'amcache', 'sqlite/skype','mft','lnk','bagmru', 'usnjrnl', 'webhist', 'winfirewall', 'winjob','chrome_cache', 'winreg','prefetch'],

Finally, run log2timeline like so:

log2timeline --filter_file filter.txt --parsers triage image-plaso.dump </path/to/image.E01>