Closed mark-hallman closed 5 years ago
Is there a list of all the fields that can be extracted via psort.py?
at this time, no, this depends on the fields defined in the event data
I unzip the data and I can make out some of the fields from there.
that is a solution, but you could also just look at the source e.g. for the 'windows:lnk:link' data type https://github.com/log2timeline/plaso/blob/master/plaso/parsers/winlnk.py#L24
Second, it appears the -o l2tcsv format does not support the --additional_fields option. Is that correct?
Correct, this is the l2tcsv standard: http://www.forensicswiki.org/wiki/L2T_CSV. We could add the information to extra, but this would be a work-around not a structural solution.
It would be nice to have the datetime in ISO 8601 format in the l2tcsv format.
this would be a different version of the l2tcsv format or added as an extra field
Seeing you're asking a similar question as in https://github.com/log2timeline/plaso/issues/1563 and https://github.com/log2timeline/plaso/issues/1595, I'll close those ones.
I read the " ... just look at the source e.g. for the 'windows:lnk:link' data type"
https://github.com/log2timeline/plaso/blob/master/plaso/parsers/winlnk.py#L24 per your comment. Those are the fields for a link file. Are there other fields for other "events", e.g. the $USNJRNL?
Is there a method for reading "the fields defined in the event data"? I suppose a sqlite3 query of some sort.
Thanks
Are there other fields for other "events", e.g. the $USNJRNL?
Yes: https://github.com/log2timeline/plaso/blob/master/plaso/parsers/ntfs.py#L54
Is there a method for reading "the fields defined in the event data"? I suppose a sqlite3 query of some sort.
No, not at the moment; using rawpy output should provide you with most of these.
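One way to build that field list straight from the storage file rather than maintaining it by hand, as an added example that is not part of this thread and not plaso's own code. It assumes the layout described above: a SQLite file whose rows carry a zlib-compressed blob that decompresses to a JSON object with a `data_type` key. The table name `event`, the column name `_data`, and the sample data types, attribute names and rows are all assumptions constructed for the example; point it at a real storage file by changing the table and column names to match.

```python
"""Inventory attribute names per data_type in a plaso SQLite storage file.

Added example, not plaso's own code. It assumes what the thread describes:
a SQLite file whose rows hold a zlib-compressed blob, and that the blob
decompresses to a JSON object containing a "data_type" key. The table and
column names are assumptions; adjust them to the storage file you have.
"""
import json
import sqlite3
import zlib
from collections import defaultdict

# Assumed names; plaso storage layouts differ between versions.
DEFAULT_TABLE = "event"
DEFAULT_COLUMN = "_data"


def decode_blob(blob):
    """zlib-decompress one storage blob and parse it as JSON."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def inventory_fields(conn, table=DEFAULT_TABLE, column=DEFAULT_COLUMN):
    """Return ({data_type: sorted attribute names}, undecodable_row_count).

    Rows that fail to decompress or parse are counted rather than dropped,
    so a damaged storage file does not silently hide fields.
    """
    # Identifiers cannot be bound as parameters: check that the table exists
    # and quote both names so an odd name cannot break the statement.
    known = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError("no such table: %r" % table)
    quoted = ['"%s"' % name.replace('"', '""') for name in (column, table)]
    query = "SELECT %s FROM %s" % tuple(quoted)

    fields = defaultdict(set)
    undecodable = 0
    for (blob,) in conn.execute(query):
        try:
            container = decode_blob(blob)
        except (zlib.error, ValueError, UnicodeDecodeError, TypeError):
            undecodable += 1
            continue
        if not isinstance(container, dict):
            undecodable += 1
            continue
        data_type = container.get("data_type", "<unknown>")
        # Keys such as "__container_type__" are serializer bookkeeping,
        # not event attributes, so they are left out of the inventory.
        fields[data_type].update(
            key for key in container if not key.startswith("__"))
    return {dt: sorted(names) for dt, names in fields.items()}, undecodable


def build_sample_storage():
    """Create an in-memory storage file with constructed rows for a dry run."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "%s" (_identifier INTEGER PRIMARY KEY, "%s" BLOB)'
                 % (DEFAULT_TABLE, DEFAULT_COLUMN))
    # Constructed sample containers; attribute names are illustrative only.
    samples = [
        {"__container_type__": "event", "data_type": "windows:lnk:link",
         "timestamp": 1531405745000000, "local_path": "C:\\x.exe",
         "description": "Example shortcut"},
        {"__container_type__": "event", "data_type": "windows:lnk:link",
         "timestamp": 1531405746000000, "local_path": "C:\\y.exe",
         "env_var_location": "%SystemRoot%\\y.exe"},
        {"__container_type__": "event", "data_type": "fs:ntfs:usn_change",
         "timestamp": 1531405747000000, "filename": "foo.txt",
         "file_reference": "1234-5"},
    ]
    insert = 'INSERT INTO "%s" ("%s") VALUES (?)' % (DEFAULT_TABLE, DEFAULT_COLUMN)
    for obj in samples:
        conn.execute(insert, (zlib.compress(json.dumps(obj).encode("utf-8")),))
    # One deliberately corrupt row to exercise the undecodable path.
    conn.execute(insert, (b"not a zlib stream",))
    conn.commit()
    return conn


if __name__ == "__main__":
    inventory, bad = inventory_fields(build_sample_storage())
    for data_type, names in sorted(inventory.items()):
        print("%s: %s" % (data_type, ", ".join(names)))
    print("undecodable rows:", bad)
```

The union per `data_type` is what matters here: two events of the same type can carry different attribute sets (the second link event has `env_var_location`, the first does not), so a single row never shows the full field list for a type.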
Thanks
On Thu, Jul 12, 2018, 14:29 Joachim Metz notifications@github.com wrote:
> Are there other fields for other "events", e.g. the $USNJRNL?
> Yes: https://github.com/log2timeline/plaso/blob/master/plaso/parsers/ntfs.py#L54
> Is there a method for reading "the fields defined in the event data"? I suppose a sqlite3 query of some sort.
> No, not at the moment; using rawpy output should provide you with most of these.
@aguilajesus as we were discussing something similar to this the other day.
slippery60, et al,
I have the same question and spent some time documenting fields and field values as they related to filtering in Plaso. This is likely incomplete and may be outdated. You can find that info at this GitHub Repo https://github.com/mark-hallman/plaso_filters. I think the files on data_types might be helpful. In the presentation, there are filters examples using fields that I had to dig out of the code. This is my own work and there are no representations, guarantees, etc. They have worked for me.
Happy to collaborate with anyone on the list who has an interest.
-Mark
On Thu, Jul 12, 2018 at 9:15 AM slippery60 notifications@github.com wrote:
> I read the " ... just look at the source e.g. for the 'windows:lnk:link' data type"
> https://github.com/log2timeline/plaso/blob/master/plaso/parsers/winlnk.py#L24 per your comment. Those are the fields for a link file. Are there other fields for other "events", e.g. the $USNJRNL?
> Is there a method for reading "the fields defined in the event data"? I suppose a sqlite3 query of some sort.
> Thanks
I've added ./utils/export_event_data.py in https://github.com/log2timeline/plaso/pull/2497 to export the schema based on the source instead of people maintaining a manual list.
Plaso 20171231
Is there a list of all the fields that can be extracted via psort.py? I have pulled apart the sqlite output from log2timeline.py and extracted the zlib data from the blob column. I unzip the data and I can make out some of the fields from there.
Second, it appears the -o l2tcsv format does not support the --additional_fields option. Is that correct? It would be nice to have the datetime in ISO 8601 format in the l2tcsv format. Also, it seems that some of the l2tcsv format fields are empty when adding them to the dynamic output option, like MACB.
-Mark
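Since l2tcsv itself cannot carry the ISO 8601 timestamp asked for above, one workable alternative is to post-process the psort output and append the combined timestamp as an extra column. This is an added example, not code from the thread or from plaso. It assumes the column order of the L2T_CSV standard linked earlier (date as MM/DD/YYYY, time as HH:MM:SS, then a timezone name) and the sample rows are constructed, not real psort output; the `datetime` column name is an assumption as well.

```python
"""Post-process l2tcsv output to add an ISO 8601 timestamp column.

Added example, not plaso's own code. It assumes the l2tcsv column layout
from the L2T_CSV standard (date, time, timezone, MACB, source, sourcetype,
type, user, host, short, desc, version, filename, inode, notes, format,
extra). The sample rows are constructed, not real psort output.
"""
import csv
import io
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # Python 3.9+

# Constructed sample: one well-formed row and one with an unparseable date.
SAMPLE_L2TCSV = (
    "date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,"
    "version,filename,inode,notes,format,extra\n"
    "07/12/2018,14:29:05,UTC,M...,LNK,Windows Shortcut,Content Modification Time,"
    "-,host1,C:\\x.exe,[Empty description] C:\\x.exe,2,C:\\Users\\u\\x.lnk,-,-,lnk,-\n"
    "not-a-date,14:29:05,UTC,.A..,FILE,NTFS USN change,Metadata Modification Time,"
    "-,host1,foo.txt,foo.txt,2,C:\\foo.txt,12345,-,usnjrnl,-\n"
)


def to_iso8601(date_text, time_text, tz_name):
    """Combine l2tcsv date (MM/DD/YYYY), time (HH:MM:SS) and timezone name.

    UTC is handled without a tz database; other names go through zoneinfo
    and raise if the name is unknown, so a bad timezone is never guessed.
    """
    naive = datetime.strptime(date_text + " " + time_text, "%m/%d/%Y %H:%M:%S")
    tzinfo = timezone.utc if tz_name.upper() == "UTC" else ZoneInfo(tz_name)
    return naive.replace(tzinfo=tzinfo).isoformat()


def add_iso_column(l2tcsv_text, column_name="datetime"):
    """Return the rows as dicts with an added ISO 8601 column.

    A row whose date/time/timezone cannot be parsed gets an empty value
    rather than being dropped, so malformed lines stay visible downstream.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(l2tcsv_text)):
        try:
            row[column_name] = to_iso8601(row["date"], row["time"], row["timezone"])
        except (ValueError, KeyError):  # ZoneInfoNotFoundError is a KeyError
            row[column_name] = ""
        rows.append(row)
    return rows


def render_csv(rows, fieldnames=None):
    """Serialise the rows back to CSV text, header included."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames or list(rows[0]),
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(render_csv(add_iso_column(SAMPLE_L2TCSV)), end="")
```

The second sample row shows why the empty-value path matters: a tool that silently skipped unparseable rows would also hide the fact that the timeline had a malformed line in it.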