Super Timeline Using ELK Stack


ELK Stack is a collection of three components – Elasticsearch, Logstash & Kibana

  • Logstash – This component is responsible for processing incoming data. It takes input from different sources, executes different transformations and stores the results in Elasticsearch or other formats
  • Elasticsearch – NoSQL database based on Apache Lucene’s search engine.
  • Kibana – Web based interface that is used to search and visualize logs

These three together form the ELK stack, which is now widely used in threat hunting and big-data security analytics for log analysis and visualization. The ELK stack is the open-source alternative to Splunk.

ELK can also be used to analyze and timeline a forensic image.

For this demo, I am using an Encase image of a Windows XP drive taken from ForensicKB


MOUNT the Image

In FTK Imager,

  • Select Image Mounting.
  • Select the Image file.
  • Change Mounting method to Block Device / Read Only.
  • Choose the drive letter.
  • Hit Mount.

Here I have mounted the WinXP2.E01 image as E:




Convert the IMAGE into a PLASO file

Plaso is the Python-based backend for the log2timeline tool.

Plaso lets us extract events from the files on the mounted image and write them to a plaso storage file, the super timeline.

This file can then be imported into ELK for analysis.

You can download plaso 1.5.1 from here.

log2timeline.exe XP.plaso E:

Log2Timeline will then parse the entire image and create a file named XP.plaso


Detailed help is available on its GitHub page.



Parse the PLASO file into ELK

I transferred the file to my ELK VM.

Before I run psort, I need to ensure Python is installed along with the pyelasticsearch library.
We can install it using pip:

sudo pip install pyelasticsearch


psort is the plaso tool that post-processes plaso storage files and lets us sort and filter the events they contain.
Detailed help is shown with -h or --help.

  • To see the list of supported output formats, use -o list.
  • To specify the time zone, use -z TIMEZONE.
  • To view the available analysis plugins, use --analysis list.

To push the timeline into Elasticsearch, run psort with the elastic output module (replace ES_HOST with the address of the Elasticsearch instance on the ELK VM):

psort.py -o elastic --server ES_HOST --port 9200 --raw_fields --index_name lionelforensics XP.plaso



Using KIBANA for Analytics

Load the Kibana web interface (localhost:5601) and create an index pattern matching the index_name given to psort above (lionelforensics). Set the time-field name to DateTime.

If we expand an event in Kibana, we can see the different fields it carries.



On filtering for reset5, we can see there are some .exe and .dat files.

The SHA256 value can be submitted to VirusTotal.
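The same Kibana step can be done from a script once the index is populated. The Python below is an added example, not code from the original post or from plaso: it builds the kind of filter a Kibana search for reset5 applies to the lionelforensics index, then walks the hits and collects each .exe and .dat path with its SHA-256 so the hashes can be checked against VirusTotal. It assumes the field names psort's elastic output writes with --raw_fields (datetime, filename, display_name, sha256_hash); the Elasticsearch address and the sample response are constructed placeholders.

```python
"""Pull candidate files out of a plaso super timeline stored in Elasticsearch.

Added example; not code from plaso or from the original post. Assumes the
index was written by `psort -o elastic --raw_fields`, so every hit's _source
carries plaso's event attributes, and that the field names below (datetime,
filename, display_name, sha256_hash) match that output.
"""
import json
import urllib.request

ES_URL = "http://localhost:9200"   # assumed: Elasticsearch on the ELK VM
INDEX = "lionelforensics"          # index_name given to psort in the post


def build_query(term, start=None, end=None, size=500):
    """Build a _search body equivalent to typing `term` into Kibana's search bar.

    query_string gives the same syntax Kibana uses; an optional absolute time
    range is applied on `datetime`; hits come back oldest first so they read
    as a timeline.
    """
    body = {
        "size": size,
        "sort": [{"datetime": {"order": "asc"}}],
        "query": {"bool": {"must": [{"query_string": {"query": term}}],
                           "filter": []}},
    }
    bounds = {}
    if start:
        bounds["gte"] = start
    if end:
        bounds["lt"] = end
    if bounds:
        body["query"]["bool"]["filter"].append({"range": {"datetime": bounds}})
    return body


def extract_files(response, suffixes=(".exe", ".dat")):
    """Return one record per distinct path whose name ends in one of `suffixes`.

    A file normally appears several times in a super timeline (one event per
    MACB timestamp, plus prefetch or registry events that name it), so records
    are de-duplicated by path, keeping the earliest datetime and the first
    non-empty SHA-256 seen.
    """
    seen = {}
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        path = src.get("filename") or src.get("display_name") or ""
        if not path.lower().endswith(suffixes):
            continue
        rec = seen.setdefault(path, {"path": path, "first_seen": None,
                                     "sha256": None, "events": 0})
        rec["events"] += 1
        ts = src.get("datetime")
        if ts and (rec["first_seen"] is None or ts < rec["first_seen"]):
            rec["first_seen"] = ts
        if not rec["sha256"] and src.get("sha256_hash"):
            rec["sha256"] = src["sha256_hash"]
    return sorted(seen.values(), key=lambda r: (r["first_seen"] or "", r["path"]))


def search(term, start=None, end=None, es_url=ES_URL, index=INDEX):
    """POST the query to a live Elasticsearch instance and return the parsed JSON."""
    req = urllib.request.Request(
        f"{es_url}/{index}/_search",
        data=json.dumps(build_query(term, start, end)).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample in the shape psort's elastic output produces. Paths and
# hashes are placeholders, not values taken from the WinXP2.E01 image.
SAMPLE_RESPONSE = {"hits": {"total": 4, "hits": [
    {"_source": {"datetime": "2004-10-30T08:12:01+00:00",
                 "timestamp_desc": "Content Modification Time",
                 "filename": "/WINDOWS/reset5/update.exe",
                 "sha256_hash": "PLACEHOLDER_SHA256_A"}},
    {"_source": {"datetime": "2004-10-30T08:12:05+00:00",
                 "timestamp_desc": "Creation Time",
                 "filename": "/WINDOWS/reset5/config.dat",
                 "sha256_hash": "PLACEHOLDER_SHA256_B"}},
    {"_source": {"datetime": "2004-10-30T08:12:09+00:00",
                 "timestamp_desc": "Creation Time",
                 "filename": "/WINDOWS/reset5/readme.txt"}},
    {"_source": {"datetime": "2004-10-30T08:13:00+00:00",
                 "timestamp_desc": "Last Access Time",
                 "filename": "/WINDOWS/reset5/update.exe"}},  # no hash on this event
]}}


if __name__ == "__main__":
    for rec in extract_files(SAMPLE_RESPONSE):
        print(rec["first_seen"], rec["path"], rec["sha256"], f"({rec['events']} events)")
```

Run as-is it works on the constructed sample; against the real index, call `extract_files(search("reset5"))` after psort has finished loading XP.plaso. De-duplicating by path matters because the same executable shows up once per MACB timestamp, so a raw hit count overstates how many files are actually involved.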


Command Line summary

log2timeline.exe XP.plaso E:

sudo pip install pyelasticsearch

psort.py -o elastic --server ES_HOST --port 9200 --raw_fields --index_name lionelforensics XP.plaso








1 comment

Mounting the image file is unnecessary as log2timeline can process the image file.
