Daniel White

Abstract

Plaso is the Python-based back-end engine used by log2timeline and other forensic tools for the automatic creation of "super timelines". During this workshop, you'll learn how to create robust parsers and how to write plugins that extend the functionality of Plaso. The next time you come across an obscure log file or an ambiguous Registry key in the course of an investigation, you'll be able to package your knowledge into a piece of reusable code that you can share across your team and with the wider DFIR community.